Edit tour

Windows Analysis Report
Shipping Document.exe

Overview

General Information

Sample name:	Shipping Document.exe
Analysis ID:	1587574
MD5:	71208e7bc9d008f3986544d2a15d560e
SHA1:	9697fba394b19c4414035a5f0c4915346e18b7d3
SHA256:	7a531101bc8522d52f45933945d6b8728ad7b7f3c9aaefd2d18742f8ec4000cb
Tags:	exeuser-James_inthe_box
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Shipping Document.exe (PID: 4436 cmdline: "C:\Users\user\Desktop\Shipping Document.exe" MD5: 71208E7BC9D008F3986544D2A15D560E)

powershell.exe (PID: 7044 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5848 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 2792 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 6528 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

chkdsk.exe (PID: 3608 cmdline: "C:\Windows\SysWOW64\chkdsk.exe" MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)

chkdsk.exe (PID: 3908 cmdline: "C:\Windows\SysWOW64\chkdsk.exe" MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)

cmd.exe (PID: 4508 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

zhvapfBrgjZdoS.exe (PID: 6548 cmdline: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe MD5: 71208E7BC9D008F3986544D2A15D560E)

schtasks.exe (PID: 5356 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp388A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 1016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6ca9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d5d8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb417:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x162ff:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa360:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa5ca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x160fd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15be9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x161ff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16377:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xafe2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14e64:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbcdb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c33f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d342:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19261:$sqlite3step: 68 34 1C 7B E1 0x19374:$sqlite3step: 68 34 1C 7B E1 0x19290:$sqlite3text: 68 38 2A 90 C5 0x193b5:$sqlite3text: 68 38 2A 90 C5 0x192a3:$sqlite3blob: 68 53 D8 7F 8C 0x193cb:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6ac1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d3f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb22f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16117:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa178:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa3e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15f15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15a01:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16017:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1618f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xadfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14c7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbaf3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c157:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d15a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19079:$sqlite3step: 68 34 1C 7B E1 0x1918c:$sqlite3step: 68 34 1C 7B E1 0x190a8:$sqlite3text: 68 38 2A 90 C5 0x191cd:$sqlite3text: 68 38 2A 90 C5 0x190bb:$sqlite3blob: 68 53 D8 7F 8C 0x191e3:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2233597678.00000000030B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2189945825.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x82139:$a1: 3C 30 50 4F 53 54 74 09 40 0xaf559:$a1: 3C 30 50 4F 53 54 74 09 40 0x98a68:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc5e88:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x868a7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb3cc7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x9178f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbebaf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x857f0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85a5a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb2c10:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb2e7a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9158d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbe9ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x91079:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbe499:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9168f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbeaaf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x91807:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbec27:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x86472:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb3892:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x902f4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbd714:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8716b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb458b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x977cf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xc4bef:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x987d2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x946f1:$sqlite3step: 68 34 1C 7B E1 0x94804:$sqlite3step: 68 34 1C 7B E1 0xc1b11:$sqlite3step: 68 34 1C 7B E1 0xc1c24:$sqlite3step: 68 34 1C 7B E1 0x94720:$sqlite3text: 68 38 2A 90 C5 0x94845:$sqlite3text: 68 38 2A 90 C5 0xc1b40:$sqlite3text: 68 38 2A 90 C5 0xc1c65:$sqlite3text: 68 38 2A 90 C5 0x94733:$sqlite3blob: 68 53 D8 7F 8C 0x9485b:$sqlite3blob: 68 53 D8 7F 8C 0xc1b53:$sqlite3blob: 68 53 D8 7F 8C 0xc1c7b:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.3414384840.0000000011117000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xaf2:$a2: pass 0xaf8:$a3: email 0xaff:$a4: login 0xb06:$a5: signin 0xb17:$a6: persistent 0xcea:$r1: C:\Users\user\AppData\Roaming\498QTRD9\498log.ini
00000000.00000002.2197068426.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2188564119.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Shipping Document.exe PID: 4436	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Shipping Document.exe PID: 4436	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6876:$a1: 3C 30 50 4F 53 54 74 09 40 0x4a232:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: MSBuild.exe PID: 6528	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x695d9:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x23b2a:$s2: ~ Shell I 0xaaf2e:$s2: ~ Shell I 0xf7c1d:$s2: ~ Shell I
Process Memory Space: zhvapfBrgjZdoS.exe PID: 6548	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: zhvapfBrgjZdoS.exe PID: 6548	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x32574:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: chkdsk.exe PID: 3608	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x161b71:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: chkdsk.exe PID: 3908	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1230:$a1: 3C 30 50 4F 53 54 74 09 40 0x1ab907:$a1: 3C 30 50 4F 53 54 74 09 40 0x1afd55:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 48 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.MSBuild.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.MSBuild.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
0.2.Shipping Document.exe.283da34.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Shipping Document.exe.6ba0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.zhvapfBrgjZdoS.exe.314dab4.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Shipping Document.exe.6ba0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.MSBuild.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.MSBuild.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.MSBuild.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
11.2.zhvapfBrgjZdoS.exe.30bd63c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Shipping Document.exe.27ad5bc.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.zhvapfBrgjZdoS.exe.314dab4.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Shipping Document.exe.283da34.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 4436, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", ProcessId: 7044, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp388A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp388A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe, ParentImage: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe, ParentProcessId: 6548, ParentProcessName: zhvapfBrgjZdoS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp388A.tmp", ProcessId: 5356, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 4436, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp", ProcessId: 2792, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 4436, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe", ProcessId: 7044, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipping Document.exe", ParentImage: C:\Users\user\Desktop\Shipping Document.exe, ParentProcessId: 4436, ParentProcessName: Shipping Document.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp", ProcessId: 2792, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.voyagu.info/a03d/www.ndogaming.online	Avira URL Cloud: Label: malware
Source: http://www.asglobalaz.shop/a03d/www.duxrib.xyz	Avira URL Cloud: Label: malware
Source: http://www.asglobalaz.shop/a03d/	Avira URL Cloud: Label: malware
Source: http://www.orld-visa-center.online/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otorcycle-loans-19502.bond/a03d/	Avira URL Cloud: Label: malware
Source: www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.cebepu.info/a03d/www.asglobalaz.shop	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/www.rumpchiefofstaff.store	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.ndogaming.online/a03d/	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/www.lsaadmart.store	Avira URL Cloud: Label: malware
Source: http://www.agiararoma.net/a03d/www.romatografia.online	Avira URL Cloud: Label: malware
Source: http://www.agiararoma.net/a03d/	Avira URL Cloud: Label: malware
Source: http://www.rumpchiefofstaff.store/a03d/www.ategorie-polecane-831.buzz	Avira URL Cloud: Label: malware
Source: http://www.orld-visa-center.online/a03d/www.otorcycle-loans-19502.bond	Avira URL Cloud: Label: malware
Source: http://www.romatografia.online/a03d/	Avira URL Cloud: Label: malware
Source: http://www.rumpchiefofstaff.store/a03d/	Avira URL Cloud: Label: malware
Source: http://www.voyagu.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.0090.pizza/a03d/www.agiararoma.net	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/www.0090.pizza	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.0090.pizza/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otorcycle-loans-19502.bond/a03d/www.enelog.xyz	Avira URL Cloud: Label: malware
Source: http://www.ategorie-polecane-831.buzz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.lsaadmart.store/a03d/	Avira URL Cloud: Label: malware
Source: http://www.ndogaming.online/a03d/www.atidiri.fun	Avira URL Cloud: Label: malware
Source: http://www.cebepu.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.lsaadmart.store/a03d/www.si.art	Avira URL Cloud: Label: malware
Source: http://www.si.art/a03d/www.orld-visa-center.online	Avira URL Cloud: Label: malware
Source: http://www.si.art/a03d/	Avira URL Cloud: Label: malware
Source: http://www.romatografia.online/a03d/www.cebepu.info	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: Shipping Document.exe	Virustotal: Detection: 27%			Perma Link
Source: Shipping Document.exe	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Shipping Document.exe

Joe Sandbox ML: detected

Source: Shipping Document.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Shipping Document.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: chkdsk.pdbGCTL source: MSBuild.exe, 00000009.00000002.2243069229.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2243861666.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2246439402.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2248933170.0000000000790000.00000040.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3396987813.0000000000790000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: MSBuild.exe, 00000009.00000002.2243069229.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2243861666.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2246439402.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2248933170.0000000000790000.00000040.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3396987813.0000000000790000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.3413653945.00000000107AF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3397459635.0000000005408000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3399342763.0000000005FEF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.2243645519.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.2246255273.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2249614282.00000000052BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2249614282.0000000005120000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3398638658.0000000005C3E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3398638658.0000000005AA0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2242975299.0000000005741000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2246046060.00000000058F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.2243645519.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.2246255273.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2249614282.00000000052BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2249614282.0000000005120000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3398638658.0000000005C3E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3398638658.0000000005AA0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2242975299.0000000005741000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2246046060.00000000058F9000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4x nop then pop ebx

9_2_00407B1E

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.enelog.xyz/a03d/

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.134
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.voyagu.info
Source: global traffic	DNS traffic detected: DNS query: www.ndogaming.online
Source: global traffic	DNS traffic detected: DNS query: www.atidiri.fun
Source: global traffic	DNS traffic detected: DNS query: www.lsaadmart.store
Source: global traffic	DNS traffic detected: DNS query: www.si.art
Source: global traffic	DNS traffic detected: DNS query: www.orld-visa-center.online

Source: explorer.exe, 0000000A.00000000.2188855626.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000A.00000000.2188855626.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000000.2188855626.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	String found in binary or memory: http://docs.livestreamer.io/install.html
Source: Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	String found in binary or memory: http://docs.livestreamer.io/players.html#Supported
Source: Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	String found in binary or memory: http://docs.livestreamer.io/plugin_matrix.html#Supported
Source: explorer.exe, 0000000A.00000000.2188855626.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000002.3403944711.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000000.2186218040.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2186237981.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3398217196.00000000028A0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Shipping Document.exe, 00000000.00000002.2188564119.0000000002701000.00000004.00000800.00020000.00000000.sdmp, zhvapfBrgjZdoS.exe, 0000000B.00000002.2233597678.0000000003011000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	String found in binary or memory: http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performExamEnquiryWithoutAuthForGZ?categoryCode=
Source: Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	String found in binary or memory: http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performRecruitedEnquiryWithoutAuth?categoryCode=
Source: zhvapfBrgjZdoS.exe.0.dr	String found in binary or memory: http://wap.wirelessgz.cn/myExamWeb/wap/school/gaokao/myUniversity
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0090.pizza
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0090.pizza/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0090.pizza/a03d/www.agiararoma.net
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.0090.pizzaReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agiararoma.net
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agiararoma.net/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agiararoma.net/a03d/www.romatografia.online
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agiararoma.netReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asglobalaz.shop
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asglobalaz.shop/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asglobalaz.shop/a03d/www.duxrib.xyz
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asglobalaz.shopReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ategorie-polecane-831.buzz
Source: explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ategorie-polecane-831.buzz/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ategorie-polecane-831.buzzReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/www.lsaadmart.store
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.funReferer:
Source: explorer.exe, 0000000A.00000000.2200492280.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2980752799.000000000C40D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cebepu.info
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cebepu.info/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cebepu.info/a03d/www.asglobalaz.shop
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cebepu.infoReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/www.rumpchiefofstaff.store
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/www.0090.pizza
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyzReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lsaadmart.store
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lsaadmart.store/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lsaadmart.store/a03d/www.si.art
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lsaadmart.storeReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndogaming.online
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndogaming.online/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndogaming.online/a03d/www.atidiri.fun
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndogaming.onlineReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orld-visa-center.online
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orld-visa-center.online/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orld-visa-center.online/a03d/www.otorcycle-loans-19502.bond
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orld-visa-center.onlineReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otorcycle-loans-19502.bond
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otorcycle-loans-19502.bond/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otorcycle-loans-19502.bond/a03d/www.enelog.xyz
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otorcycle-loans-19502.bondReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.romatografia.online
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.romatografia.online/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.romatografia.online/a03d/www.cebepu.info
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.romatografia.onlineReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rumpchiefofstaff.store
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rumpchiefofstaff.store/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rumpchiefofstaff.store/a03d/www.ategorie-polecane-831.buzz
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rumpchiefofstaff.storeReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.si.art
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.si.art/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.si.art/a03d/www.orld-visa-center.online
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.si.artReferer:
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.voyagu.info
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.voyagu.info/a03d/
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.voyagu.info/a03d/www.ndogaming.online
Source: explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.voyagu.infoReferer:
Source: explorer.exe, 0000000A.00000000.2200492280.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3409779558.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000002.3403944711.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000002.3403944711.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 0000000A.00000002.3403944711.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000002.3403944711.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 0000000A.00000002.3403944711.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000002.3403944711.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 0000000A.00000003.3076558891.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3409779558.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2200492280.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	String found in binary or memory: https://github.com/chrippa/livestreamer/
Source: Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	String found in binary or memory: https://github.com/thebiffman/livestreamer-sharp-ui
Source: explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 0000000A.00000003.3076558891.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3409779558.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2200492280.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 0000000A.00000002.3409779558.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2200492280.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000003.3075912538.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979220756.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2192491891.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 0000000A.00000003.3076558891.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3409779558.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2200492280.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.3414384840.0000000011117000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Shipping Document.exe PID: 4436, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 6528, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: zhvapfBrgjZdoS.exe PID: 6548, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 3608, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 3908, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Shipping Document.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A320 NtCreateFile,	9_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A3D0 NtReadFile,	9_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A450 NtClose,	9_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A500 NtAllocateVirtualMemory,	9_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A31B NtCreateFile,	9_2_0041A31B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A44B NtClose,	9_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A4FF NtAllocateVirtualMemory,	9_2_0041A4FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82AD0 NtReadFile,LdrInitializeThunk,	9_2_00F82AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_00F82BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82B60 NtClose,LdrInitializeThunk,	9_2_00F82B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_00F82CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_00F82C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_00F82DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82DD0 NtDelayExecution,LdrInitializeThunk,	9_2_00F82DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_00F82D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_00F82D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_00F82EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_00F82E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82FE0 NtCreateFile,LdrInitializeThunk,	9_2_00F82FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82FB0 NtResumeThread,LdrInitializeThunk,	9_2_00F82FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82F90 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_00F82F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82F30 NtCreateSection,LdrInitializeThunk,	9_2_00F82F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F84340 NtSetContextThread,	9_2_00F84340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F84650 NtSuspendThread,	9_2_00F84650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82AF0 NtWriteFile,	9_2_00F82AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82AB0 NtWaitForSingleObject,	9_2_00F82AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82BE0 NtQueryValueKey,	9_2_00F82BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82BA0 NtEnumerateValueKey,	9_2_00F82BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82B80 NtQueryInformationFile,	9_2_00F82B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82CF0 NtOpenProcess,	9_2_00F82CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82CC0 NtQueryVirtualMemory,	9_2_00F82CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82C60 NtCreateKey,	9_2_00F82C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82C00 NtQueryInformationProcess,	9_2_00F82C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82DB0 NtEnumerateKey,	9_2_00F82DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82D00 NtSetInformationFile,	9_2_00F82D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82EE0 NtQueueApcThread,	9_2_00F82EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82E30 NtWriteVirtualMemory,	9_2_00F82E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82FA0 NtQuerySection,	9_2_00F82FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82F60 NtCreateProcessEx,	9_2_00F82F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F83090 NtSetValueKey,	9_2_00F83090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F83010 NtOpenDirectoryObject,	9_2_00F83010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F835C0 NtCreateMutant,	9_2_00F835C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F839B0 NtGetContextThread,	9_2_00F839B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F83D70 NtOpenThread,	9_2_00F83D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F83D10 NtOpenProcessToken,	9_2_00F83D10
Source: C:\Windows\explorer.exe	Code function: 10_2_11100E12 NtProtectVirtualMemory,	10_2_11100E12
Source: C:\Windows\explorer.exe	Code function: 10_2_110FF232 NtCreateFile,	10_2_110FF232
Source: C:\Windows\explorer.exe	Code function: 10_2_11100E0A NtProtectVirtualMemory,	10_2_11100E0A

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_00C34204	0_2_00C34204
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_00C37B08	0_2_00C37B08
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06BD869C	0_2_06BD869C
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06BD85DC	0_2_06BD85DC
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06C02528	0_2_06C02528
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06C0E638	0_2_06C0E638
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06C03F10	0_2_06C03F10
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06C0F848	0_2_06C0F848
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06DD7628	0_2_06DD7628
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06DD9148	0_2_06DD9148
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06DD7E98	0_2_06DD7E98
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06DD7EA8	0_2_06DD7EA8
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06DD9AF8	0_2_06DD9AF8
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06DD9AE8	0_2_06DD9AE8
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06DD7A70	0_2_06DD7A70
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06DD7A61	0_2_06DD7A61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041EAC3	9_2_0041EAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041E524	9_2_0041E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D580	9_2_0041D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00409E50	9_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00409E0A	9_2_00409E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041EFDF	9_2_0041EFDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010041A2	9_2_010041A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010101AA	9_2_010101AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010081CC	9_2_010081CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2000	9_2_00FE2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8158	9_2_00FD8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA118	9_2_00FEA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F40100	9_2_00F40100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD02C0	9_2_00FD02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100A352	9_2_0100A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010103E6	9_2_010103E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5E3F0	9_2_00F5E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE4F6	9_2_00FFE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01010591	9_2_01010591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF4420	9_2_00FF4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01002446	9_2_01002446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50535	9_2_00F50535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6C6E0	9_2_00F6C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4C7C0	9_2_00F4C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F74750	9_2_00F74750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E8F0	9_2_00F7E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F368B8	9_2_00F368B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A9A6	9_2_0101A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F52840	9_2_00F52840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5A840	9_2_00F5A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F66962	9_2_00F66962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100AB40	9_2_0100AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01006BD7	9_2_01006BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F40CF2	9_2_00F40CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0CB5	9_2_00FF0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50C00	9_2_00F50C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4ADE0	9_2_00F4ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F68DBF	9_2_00F68DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FECD1F	9_2_00FECD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5AD00	9_2_00F5AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F62E90	9_2_00F62E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50E59	9_2_00F50E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5CFE0	9_2_00F5CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100EE26	9_2_0100EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F42FC8	9_2_00F42FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCEFA0	9_2_00FCEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100CE93	9_2_0100CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC4F40	9_2_00FC4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F70F30	9_2_00F70F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2F30	9_2_00FF2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F92F28	9_2_00F92F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100EEDB	9_2_0100EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFF0CC	9_2_00FFF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F570C0	9_2_00F570C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101B16B	9_2_0101B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5B1B0	9_2_00F5B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3F172	9_2_00F3F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F8516C	9_2_00F8516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100F0E0	9_2_0100F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010070E9	9_2_010070E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF12ED	9_2_00FF12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100132D	9_2_0100132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6B2C0	9_2_00F6B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F552A0	9_2_00F552A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F9739A	9_2_00F9739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3D34C	9_2_00F3D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01007571	9_2_01007571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F41460	9_2_00F41460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010195C3	9_2_010195C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100F43F	9_2_0100F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FED5B0	9_2_00FED5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100F7B0	9_2_0100F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F95630	9_2_00F95630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010016CC	9_2_010016CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F538E0	9_2_00F538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBD800	9_2_00FBD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F59950	9_2_00F59950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6B950	9_2_00F6B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE5910	9_2_00FE5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFDAC6	9_2_00FFDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEDAAC	9_2_00FEDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F95AA0	9_2_00F95AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF1AA3	9_2_00FF1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100FB76	9_2_0100FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC3A6C	9_2_00FC3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F8DBF9	9_2_00F8DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC5BF0	9_2_00FC5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01007A46	9_2_01007A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100FA49	9_2_0100FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6FB80	9_2_00F6FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01001D5A	9_2_01001D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01007D73	9_2_01007D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC9C32	9_2_00FC9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6FDC0	9_2_00F6FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F53D40	9_2_00F53D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100FCF2	9_2_0100FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100FF09	9_2_0100FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F59EB0	9_2_00F59EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100FFB1	9_2_0100FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F13FD2	9_2_00F13FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F13FD5	9_2_00F13FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F51F92	9_2_00F51F92
Source: C:\Windows\explorer.exe	Code function: 10_2_0E38F232	10_2_0E38F232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E389B30	10_2_0E389B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E389B32	10_2_0E389B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E38E036	10_2_0E38E036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E385082	10_2_0E385082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E38C912	10_2_0E38C912
Source: C:\Windows\explorer.exe	Code function: 10_2_0E386D02	10_2_0E386D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E3925CD	10_2_0E3925CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE96232	10_2_0EE96232
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE90B30	10_2_0EE90B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE90B32	10_2_0EE90B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE8C082	10_2_0EE8C082
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE95036	10_2_0EE95036
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE995CD	10_2_0EE995CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE8DD02	10_2_0EE8DD02
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE93912	10_2_0EE93912
Source: C:\Windows\explorer.exe	Code function: 10_2_110FF232	10_2_110FF232
Source: C:\Windows\explorer.exe	Code function: 10_2_110F6D02	10_2_110F6D02
Source: C:\Windows\explorer.exe	Code function: 10_2_110FC912	10_2_110FC912
Source: C:\Windows\explorer.exe	Code function: 10_2_110F9B32	10_2_110F9B32
Source: C:\Windows\explorer.exe	Code function: 10_2_110F9B30	10_2_110F9B30
Source: C:\Windows\explorer.exe	Code function: 10_2_111025CD	10_2_111025CD
Source: C:\Windows\explorer.exe	Code function: 10_2_110FE036	10_2_110FE036
Source: C:\Windows\explorer.exe	Code function: 10_2_110F5082	10_2_110F5082
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_01294204	11_2_01294204
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_01297B08	11_2_01297B08
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_02FA0040	11_2_02FA0040
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_02FA0A00	11_2_02FA0A00
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_02FA09F2	11_2_02FA09F2
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072B869C	11_2_072B869C
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072B85DC	11_2_072B85DC
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072E2528	11_2_072E2528
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072E3F10	11_2_072E3F10
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072EE638	11_2_072EE638
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072E251A	11_2_072E251A
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072EF848	11_2_072EF848
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_07527638	11_2_07527638
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_07529148	11_2_07529148
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_07527E98	11_2_07527E98
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_07527EA8	11_2_07527EA8
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_07527A70	11_2_07527A70
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_07527A61	11_2_07527A61
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_07529AF8	11_2_07529AF8
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_07529AE8	11_2_07529AE8
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_0752F870	11_2_0752F870

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00F97E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00FCF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00F85130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00F3B970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00FBEA12 appears 86 times

Source: Shipping Document.exe, 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.2197734491.00000000086D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.2196034919.00000000069EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameschtasks.e vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.2196034919.00000000069EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowel vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000000.2141910843.00000000003A4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWXNE.exe@ vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.2189945825.00000000036E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.2197068426.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.2188564119.00000000027A8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Shipping Document.exe
Source: Shipping Document.exe, 00000000.00000002.2187124768.00000000009FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Shipping Document.exe
Source: Shipping Document.exe	Binary or memory string: OriginalFilenameWXNE.exe@ vs Shipping Document.exe

Source: Shipping Document.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.3414384840.0000000011117000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Shipping Document.exe PID: 4436, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 6528, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: zhvapfBrgjZdoS.exe PID: 6548, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 3608, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 3908, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Shipping Document.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: zhvapfBrgjZdoS.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 0000000A.00000002.3413653945.00000000107AF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3397459635.0000000005408000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3399342763.0000000005FEF000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: explorer.exe, 0000000A.00000002.3413653945.00000000107AF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3397459635.0000000005408000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3399342763.0000000005FEF000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: explorer.exe, 0000000A.00000002.3413653945.00000000107AF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3397459635.0000000005408000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3399342763.0000000005FEF000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: explorer.exe, 0000000A.00000002.3413653945.00000000107AF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3397459635.0000000005408000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3399342763.0000000005FEF000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: *.sln
Source: explorer.exe, 0000000A.00000002.3413653945.00000000107AF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3397459635.0000000005408000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3399342763.0000000005FEF000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: explorer.exe, 0000000A.00000002.3413653945.00000000107AF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3397459635.0000000005408000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3399342763.0000000005FEF000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: explorer.exe, 0000000A.00000002.3413653945.00000000107AF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3397459635.0000000005408000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3399342763.0000000005FEF000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@26/15@6/0

Source: C:\Users\user\Desktop\Shipping Document.exe

File created: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Mutant created: \Sessions\1\BaseNamedObjects\BcitYQn
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:340:120:WilError_03

Source: C:\Users\user\Desktop\Shipping Document.exe

File created: C:\Users\user\AppData\Local\Temp\tmp26D7.tmp

Jump to behavior

Source: Shipping Document.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Shipping Document.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\Shipping Document.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Shipping Document.exe	Virustotal: Detection: 27%
Source: Shipping Document.exe	ReversingLabs: Detection: 42%

Source: Shipping Document.exe

String found in binary or memory: ]http://docs.livestreamer.io/plugin_matrix.html#Supported pluginsQhttp://docs.livestreamer.io/players.html#Supported playersQhttp://docs.livestreamer.io/install.html

Source: C:\Users\user\Desktop\Shipping Document.exe

File read: C:\Users\user\Desktop\Shipping Document.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Shipping Document.exe "C:\Users\user\Desktop\Shipping Document.exe"
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp388A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp388A.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: wininet.dll

Source: C:\Users\user\Desktop\Shipping Document.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Shipping Document.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Shipping Document.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Shipping Document.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: chkdsk.pdbGCTL source: MSBuild.exe, 00000009.00000002.2243069229.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2243861666.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2246439402.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2248933170.0000000000790000.00000040.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3396987813.0000000000790000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: MSBuild.exe, 00000009.00000002.2243069229.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2243861666.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2246439402.0000000000DC8000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2248933170.0000000000790000.00000040.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3396987813.0000000000790000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.3413653945.00000000107AF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3397459635.0000000005408000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3399342763.0000000005FEF000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.2243645519.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.2246255273.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2249614282.00000000052BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2249614282.0000000005120000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3398638658.0000000005C3E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3398638658.0000000005AA0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2242975299.0000000005741000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2246046060.00000000058F9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.2243645519.0000000004DC5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.2246255273.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2249614282.00000000052BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.2249614282.0000000005120000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3398638658.0000000005C3E000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.3398638658.0000000005AA0000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2242975299.0000000005741000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2246046060.00000000058F9000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"			Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06BD14B0 push eax; iretd	0_2_06BD14B1
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06BD1568 pushfd ; iretd	0_2_06BD1571
Source: C:\Users\user\Desktop\Shipping Document.exe	Code function: 0_2_06C0B178 push eax; ret	0_2_06C0B179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041E1FC pushfd ; retf	9_2_0041E1FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_004172AE push ebp; retf	9_2_004172B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D475 push eax; ret	9_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D4C2 push eax; ret	9_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D4CB push eax; ret	9_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D52C push eax; ret	9_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D580 push edx; ret	9_2_0041D957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F1225F pushad ; ret	9_2_00F127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F127FA pushad ; ret	9_2_00F127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F1283D push eax; iretd	9_2_00F12858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F409AD push ecx; mov dword ptr [esp], ecx	9_2_00F409B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F11344 push eax; iretd	9_2_00F11369
Source: C:\Windows\explorer.exe	Code function: 10_2_0E392B1E push esp; retn 0000h	10_2_0E392B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E392B02 push esp; retn 0000h	10_2_0E392B03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E3929B5 push esp; retn 0000h	10_2_0E392AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE99B02 push esp; retn 0000h	10_2_0EE99B03
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE99B1E push esp; retn 0000h	10_2_0EE99B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0EE999B5 push esp; retn 0000h	10_2_0EE99AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_11102B1E push esp; retn 0000h	10_2_11102B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_11102B02 push esp; retn 0000h	10_2_11102B03
Source: C:\Windows\explorer.exe	Code function: 10_2_111029B5 push esp; retn 0000h	10_2_11102AE7
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_053BB7E2 push esp; iretd	11_2_053BB7E9
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072B1568 pushfd ; iretd	11_2_072B1571
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072B14B0 push eax; iretd	11_2_072B14B1
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Code function: 11_2_072EB178 push eax; ret	11_2_072EB179

Source: Shipping Document.exe	Static PE information: section name: .text entropy: 7.705751675338919
Source: zhvapfBrgjZdoS.exe.0.dr	Static PE information: section name: .text entropy: 7.705751675338919

Source: C:\Users\user\Desktop\Shipping Document.exe

File created: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Shipping Document.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Shipping Document.exe PID: 4436, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: zhvapfBrgjZdoS.exe PID: 6548, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\chkdsk.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 5269904 second address: 526990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 709904 second address: 70990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 5269B6E second address: 5269B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 709B6E second address: 709B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Shipping Document.exe	Memory allocated: BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Memory allocated: 46C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Memory allocated: 8850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Memory allocated: 9850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Memory allocated: 9A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Memory allocated: AA50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory allocated: 1290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory allocated: 2FD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory allocated: 1310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory allocated: 8A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory allocated: 9A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory allocated: 9C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory allocated: AC20000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Users\user\Desktop\Shipping Document.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5291	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7307	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 837	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1802	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8144	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 873	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 875	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 3839
Source: C:\Windows\SysWOW64\chkdsk.exe	Window / User API: threadDelayed 6131

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

API coverage: 1.6 %

Source: C:\Users\user\Desktop\Shipping Document.exe TID: 2348	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5796	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2144	Thread sleep count: 7307 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6516	Thread sleep count: 837 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4372	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4904	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1488	Thread sleep count: 1802 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1488	Thread sleep time: -3604000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1488	Thread sleep count: 8144 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1488	Thread sleep time: -16288000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe TID: 5636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 2052	Thread sleep count: 3839 > 30
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 2052	Thread sleep time: -7678000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 2052	Thread sleep count: 6131 > 30
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 2052	Thread sleep time: -12262000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Shipping Document.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000A.00000002.3403944711.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 0000000A.00000000.2192491891.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000002.3403944711.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: Shipping Document.exe, 00000000.00000002.2196034919.00000000069C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000003.2979220756.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 0000000A.00000000.2188855626.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 0000000A.00000000.2171105547.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2188855626.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.2171105547.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000A.00000003.2979220756.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 0000000A.00000000.2171105547.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000A.00000003.2979220756.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000A.00000000.2171105547.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Shipping Document.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_0040ACE0 LdrLoadDll,

9_2_0040ACE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3C0F0 mov eax, dword ptr fs:[00000030h]	9_2_00F3C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F820F0 mov ecx, dword ptr fs:[00000030h]	9_2_00F820F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_00F3A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01000115 mov eax, dword ptr fs:[00000030h]	9_2_01000115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC60E0 mov eax, dword ptr fs:[00000030h]	9_2_00FC60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F480E9 mov eax, dword ptr fs:[00000030h]	9_2_00F480E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC20DE mov eax, dword ptr fs:[00000030h]	9_2_00FC20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F380A0 mov eax, dword ptr fs:[00000030h]	9_2_00F380A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD80A8 mov eax, dword ptr fs:[00000030h]	9_2_00FD80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014164 mov eax, dword ptr fs:[00000030h]	9_2_01014164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014164 mov eax, dword ptr fs:[00000030h]	9_2_01014164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4208A mov eax, dword ptr fs:[00000030h]	9_2_00F4208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6C073 mov eax, dword ptr fs:[00000030h]	9_2_00F6C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F42050 mov eax, dword ptr fs:[00000030h]	9_2_00F42050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC6050 mov eax, dword ptr fs:[00000030h]	9_2_00FC6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010061C3 mov eax, dword ptr fs:[00000030h]	9_2_010061C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010061C3 mov eax, dword ptr fs:[00000030h]	9_2_010061C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD6030 mov eax, dword ptr fs:[00000030h]	9_2_00FD6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3A020 mov eax, dword ptr fs:[00000030h]	9_2_00F3A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3C020 mov eax, dword ptr fs:[00000030h]	9_2_00F3C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5E016 mov eax, dword ptr fs:[00000030h]	9_2_00F5E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5E016 mov eax, dword ptr fs:[00000030h]	9_2_00F5E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5E016 mov eax, dword ptr fs:[00000030h]	9_2_00F5E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5E016 mov eax, dword ptr fs:[00000030h]	9_2_00F5E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010161E5 mov eax, dword ptr fs:[00000030h]	9_2_010161E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC4000 mov ecx, dword ptr fs:[00000030h]	9_2_00FC4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2000 mov eax, dword ptr fs:[00000030h]	9_2_00FE2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2000 mov eax, dword ptr fs:[00000030h]	9_2_00FE2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2000 mov eax, dword ptr fs:[00000030h]	9_2_00FE2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2000 mov eax, dword ptr fs:[00000030h]	9_2_00FE2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2000 mov eax, dword ptr fs:[00000030h]	9_2_00FE2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2000 mov eax, dword ptr fs:[00000030h]	9_2_00FE2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2000 mov eax, dword ptr fs:[00000030h]	9_2_00FE2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2000 mov eax, dword ptr fs:[00000030h]	9_2_00FE2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F701F8 mov eax, dword ptr fs:[00000030h]	9_2_00F701F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE1D0 mov eax, dword ptr fs:[00000030h]	9_2_00FBE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE1D0 mov eax, dword ptr fs:[00000030h]	9_2_00FBE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE1D0 mov ecx, dword ptr fs:[00000030h]	9_2_00FBE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE1D0 mov eax, dword ptr fs:[00000030h]	9_2_00FBE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE1D0 mov eax, dword ptr fs:[00000030h]	9_2_00FBE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC019F mov eax, dword ptr fs:[00000030h]	9_2_00FC019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC019F mov eax, dword ptr fs:[00000030h]	9_2_00FC019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC019F mov eax, dword ptr fs:[00000030h]	9_2_00FC019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC019F mov eax, dword ptr fs:[00000030h]	9_2_00FC019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3A197 mov eax, dword ptr fs:[00000030h]	9_2_00F3A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3A197 mov eax, dword ptr fs:[00000030h]	9_2_00F3A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3A197 mov eax, dword ptr fs:[00000030h]	9_2_00F3A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFC188 mov eax, dword ptr fs:[00000030h]	9_2_00FFC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFC188 mov eax, dword ptr fs:[00000030h]	9_2_00FFC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F80185 mov eax, dword ptr fs:[00000030h]	9_2_00F80185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4180 mov eax, dword ptr fs:[00000030h]	9_2_00FE4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4180 mov eax, dword ptr fs:[00000030h]	9_2_00FE4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46154 mov eax, dword ptr fs:[00000030h]	9_2_00F46154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46154 mov eax, dword ptr fs:[00000030h]	9_2_00F46154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3C156 mov eax, dword ptr fs:[00000030h]	9_2_00F3C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8158 mov eax, dword ptr fs:[00000030h]	9_2_00FD8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010060B8 mov eax, dword ptr fs:[00000030h]	9_2_010060B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010060B8 mov ecx, dword ptr fs:[00000030h]	9_2_010060B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD4144 mov eax, dword ptr fs:[00000030h]	9_2_00FD4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD4144 mov eax, dword ptr fs:[00000030h]	9_2_00FD4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD4144 mov ecx, dword ptr fs:[00000030h]	9_2_00FD4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD4144 mov eax, dword ptr fs:[00000030h]	9_2_00FD4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD4144 mov eax, dword ptr fs:[00000030h]	9_2_00FD4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F70124 mov eax, dword ptr fs:[00000030h]	9_2_00F70124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA118 mov ecx, dword ptr fs:[00000030h]	9_2_00FEA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA118 mov eax, dword ptr fs:[00000030h]	9_2_00FEA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA118 mov eax, dword ptr fs:[00000030h]	9_2_00FEA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA118 mov eax, dword ptr fs:[00000030h]	9_2_00FEA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov eax, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov ecx, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov eax, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov eax, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov ecx, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov eax, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov eax, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov ecx, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov eax, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE10E mov ecx, dword ptr fs:[00000030h]	9_2_00FEE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F502E1 mov eax, dword ptr fs:[00000030h]	9_2_00F502E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F502E1 mov eax, dword ptr fs:[00000030h]	9_2_00F502E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F502E1 mov eax, dword ptr fs:[00000030h]	9_2_00F502E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018324 mov eax, dword ptr fs:[00000030h]	9_2_01018324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018324 mov ecx, dword ptr fs:[00000030h]	9_2_01018324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018324 mov eax, dword ptr fs:[00000030h]	9_2_01018324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018324 mov eax, dword ptr fs:[00000030h]	9_2_01018324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]	9_2_00F4A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]	9_2_00F4A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]	9_2_00F4A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]	9_2_00F4A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A2C3 mov eax, dword ptr fs:[00000030h]	9_2_00F4A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101634F mov eax, dword ptr fs:[00000030h]	9_2_0101634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100A352 mov eax, dword ptr fs:[00000030h]	9_2_0100A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD62A0 mov eax, dword ptr fs:[00000030h]	9_2_00FD62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD62A0 mov ecx, dword ptr fs:[00000030h]	9_2_00FD62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD62A0 mov eax, dword ptr fs:[00000030h]	9_2_00FD62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD62A0 mov eax, dword ptr fs:[00000030h]	9_2_00FD62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD62A0 mov eax, dword ptr fs:[00000030h]	9_2_00FD62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD62A0 mov eax, dword ptr fs:[00000030h]	9_2_00FD62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E284 mov eax, dword ptr fs:[00000030h]	9_2_00F7E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E284 mov eax, dword ptr fs:[00000030h]	9_2_00F7E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC0283 mov eax, dword ptr fs:[00000030h]	9_2_00FC0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC0283 mov eax, dword ptr fs:[00000030h]	9_2_00FC0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC0283 mov eax, dword ptr fs:[00000030h]	9_2_00FC0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0274 mov eax, dword ptr fs:[00000030h]	9_2_00FF0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F44260 mov eax, dword ptr fs:[00000030h]	9_2_00F44260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F44260 mov eax, dword ptr fs:[00000030h]	9_2_00F44260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F44260 mov eax, dword ptr fs:[00000030h]	9_2_00F44260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3826B mov eax, dword ptr fs:[00000030h]	9_2_00F3826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3A250 mov eax, dword ptr fs:[00000030h]	9_2_00F3A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46259 mov eax, dword ptr fs:[00000030h]	9_2_00F46259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFA250 mov eax, dword ptr fs:[00000030h]	9_2_00FFA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFA250 mov eax, dword ptr fs:[00000030h]	9_2_00FFA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC8243 mov eax, dword ptr fs:[00000030h]	9_2_00FC8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC8243 mov ecx, dword ptr fs:[00000030h]	9_2_00FC8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3823B mov eax, dword ptr fs:[00000030h]	9_2_00F3823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5E3F0 mov eax, dword ptr fs:[00000030h]	9_2_00F5E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5E3F0 mov eax, dword ptr fs:[00000030h]	9_2_00F5E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5E3F0 mov eax, dword ptr fs:[00000030h]	9_2_00F5E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F763FF mov eax, dword ptr fs:[00000030h]	9_2_00F763FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F503E9 mov eax, dword ptr fs:[00000030h]	9_2_00F503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F503E9 mov eax, dword ptr fs:[00000030h]	9_2_00F503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F503E9 mov eax, dword ptr fs:[00000030h]	9_2_00F503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F503E9 mov eax, dword ptr fs:[00000030h]	9_2_00F503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F503E9 mov eax, dword ptr fs:[00000030h]	9_2_00F503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F503E9 mov eax, dword ptr fs:[00000030h]	9_2_00F503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F503E9 mov eax, dword ptr fs:[00000030h]	9_2_00F503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F503E9 mov eax, dword ptr fs:[00000030h]	9_2_00F503E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE3DB mov eax, dword ptr fs:[00000030h]	9_2_00FEE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE3DB mov eax, dword ptr fs:[00000030h]	9_2_00FEE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE3DB mov ecx, dword ptr fs:[00000030h]	9_2_00FEE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEE3DB mov eax, dword ptr fs:[00000030h]	9_2_00FEE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE43D4 mov eax, dword ptr fs:[00000030h]	9_2_00FE43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE43D4 mov eax, dword ptr fs:[00000030h]	9_2_00FE43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFC3CD mov eax, dword ptr fs:[00000030h]	9_2_00FFC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A3C0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F483C0 mov eax, dword ptr fs:[00000030h]	9_2_00F483C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F483C0 mov eax, dword ptr fs:[00000030h]	9_2_00F483C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F483C0 mov eax, dword ptr fs:[00000030h]	9_2_00F483C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F483C0 mov eax, dword ptr fs:[00000030h]	9_2_00F483C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC63C0 mov eax, dword ptr fs:[00000030h]	9_2_00FC63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101625D mov eax, dword ptr fs:[00000030h]	9_2_0101625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F38397 mov eax, dword ptr fs:[00000030h]	9_2_00F38397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F38397 mov eax, dword ptr fs:[00000030h]	9_2_00F38397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F38397 mov eax, dword ptr fs:[00000030h]	9_2_00F38397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6438F mov eax, dword ptr fs:[00000030h]	9_2_00F6438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6438F mov eax, dword ptr fs:[00000030h]	9_2_00F6438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3E388 mov eax, dword ptr fs:[00000030h]	9_2_00F3E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3E388 mov eax, dword ptr fs:[00000030h]	9_2_00F3E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3E388 mov eax, dword ptr fs:[00000030h]	9_2_00F3E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE437C mov eax, dword ptr fs:[00000030h]	9_2_00FE437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC035C mov eax, dword ptr fs:[00000030h]	9_2_00FC035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC035C mov eax, dword ptr fs:[00000030h]	9_2_00FC035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC035C mov eax, dword ptr fs:[00000030h]	9_2_00FC035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC035C mov ecx, dword ptr fs:[00000030h]	9_2_00FC035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC035C mov eax, dword ptr fs:[00000030h]	9_2_00FC035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC035C mov eax, dword ptr fs:[00000030h]	9_2_00FC035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8350 mov ecx, dword ptr fs:[00000030h]	9_2_00FE8350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC2349 mov eax, dword ptr fs:[00000030h]	9_2_00FC2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010162D6 mov eax, dword ptr fs:[00000030h]	9_2_010162D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3C310 mov ecx, dword ptr fs:[00000030h]	9_2_00F3C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F60310 mov ecx, dword ptr fs:[00000030h]	9_2_00F60310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A30B mov eax, dword ptr fs:[00000030h]	9_2_00F7A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A30B mov eax, dword ptr fs:[00000030h]	9_2_00F7A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A30B mov eax, dword ptr fs:[00000030h]	9_2_00F7A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014500 mov eax, dword ptr fs:[00000030h]	9_2_01014500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014500 mov eax, dword ptr fs:[00000030h]	9_2_01014500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014500 mov eax, dword ptr fs:[00000030h]	9_2_01014500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014500 mov eax, dword ptr fs:[00000030h]	9_2_01014500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014500 mov eax, dword ptr fs:[00000030h]	9_2_01014500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014500 mov eax, dword ptr fs:[00000030h]	9_2_01014500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014500 mov eax, dword ptr fs:[00000030h]	9_2_01014500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F404E5 mov ecx, dword ptr fs:[00000030h]	9_2_00F404E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F744B0 mov ecx, dword ptr fs:[00000030h]	9_2_00F744B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCA4B0 mov eax, dword ptr fs:[00000030h]	9_2_00FCA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F464AB mov eax, dword ptr fs:[00000030h]	9_2_00F464AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFA49A mov eax, dword ptr fs:[00000030h]	9_2_00FFA49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6A470 mov eax, dword ptr fs:[00000030h]	9_2_00F6A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6A470 mov eax, dword ptr fs:[00000030h]	9_2_00F6A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6A470 mov eax, dword ptr fs:[00000030h]	9_2_00F6A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCC460 mov ecx, dword ptr fs:[00000030h]	9_2_00FCC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFA456 mov eax, dword ptr fs:[00000030h]	9_2_00FFA456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6245A mov eax, dword ptr fs:[00000030h]	9_2_00F6245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3645D mov eax, dword ptr fs:[00000030h]	9_2_00F3645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E443 mov eax, dword ptr fs:[00000030h]	9_2_00F7E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E443 mov eax, dword ptr fs:[00000030h]	9_2_00F7E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E443 mov eax, dword ptr fs:[00000030h]	9_2_00F7E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E443 mov eax, dword ptr fs:[00000030h]	9_2_00F7E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E443 mov eax, dword ptr fs:[00000030h]	9_2_00F7E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E443 mov eax, dword ptr fs:[00000030h]	9_2_00F7E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E443 mov eax, dword ptr fs:[00000030h]	9_2_00F7E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E443 mov eax, dword ptr fs:[00000030h]	9_2_00F7E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A430 mov eax, dword ptr fs:[00000030h]	9_2_00F7A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3E420 mov eax, dword ptr fs:[00000030h]	9_2_00F3E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3E420 mov eax, dword ptr fs:[00000030h]	9_2_00F3E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3E420 mov eax, dword ptr fs:[00000030h]	9_2_00F3E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3C427 mov eax, dword ptr fs:[00000030h]	9_2_00F3C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC6420 mov eax, dword ptr fs:[00000030h]	9_2_00FC6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC6420 mov eax, dword ptr fs:[00000030h]	9_2_00FC6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC6420 mov eax, dword ptr fs:[00000030h]	9_2_00FC6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC6420 mov eax, dword ptr fs:[00000030h]	9_2_00FC6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC6420 mov eax, dword ptr fs:[00000030h]	9_2_00FC6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC6420 mov eax, dword ptr fs:[00000030h]	9_2_00FC6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC6420 mov eax, dword ptr fs:[00000030h]	9_2_00FC6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F78402 mov eax, dword ptr fs:[00000030h]	9_2_00F78402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F78402 mov eax, dword ptr fs:[00000030h]	9_2_00F78402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F78402 mov eax, dword ptr fs:[00000030h]	9_2_00F78402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]	9_2_00F6E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]	9_2_00F6E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]	9_2_00F6E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]	9_2_00F6E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]	9_2_00F6E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]	9_2_00F6E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]	9_2_00F6E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E5E7 mov eax, dword ptr fs:[00000030h]	9_2_00F6E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F425E0 mov eax, dword ptr fs:[00000030h]	9_2_00F425E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7C5ED mov eax, dword ptr fs:[00000030h]	9_2_00F7C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7C5ED mov eax, dword ptr fs:[00000030h]	9_2_00F7C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F465D0 mov eax, dword ptr fs:[00000030h]	9_2_00F465D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A5D0 mov eax, dword ptr fs:[00000030h]	9_2_00F7A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A5D0 mov eax, dword ptr fs:[00000030h]	9_2_00F7A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E5CF mov eax, dword ptr fs:[00000030h]	9_2_00F7E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E5CF mov eax, dword ptr fs:[00000030h]	9_2_00F7E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F645B1 mov eax, dword ptr fs:[00000030h]	9_2_00F645B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F645B1 mov eax, dword ptr fs:[00000030h]	9_2_00F645B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC05A7 mov eax, dword ptr fs:[00000030h]	9_2_00FC05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC05A7 mov eax, dword ptr fs:[00000030h]	9_2_00FC05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC05A7 mov eax, dword ptr fs:[00000030h]	9_2_00FC05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7E59C mov eax, dword ptr fs:[00000030h]	9_2_00F7E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F42582 mov eax, dword ptr fs:[00000030h]	9_2_00F42582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F42582 mov ecx, dword ptr fs:[00000030h]	9_2_00F42582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F74588 mov eax, dword ptr fs:[00000030h]	9_2_00F74588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7656A mov eax, dword ptr fs:[00000030h]	9_2_00F7656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7656A mov eax, dword ptr fs:[00000030h]	9_2_00F7656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7656A mov eax, dword ptr fs:[00000030h]	9_2_00F7656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F48550 mov eax, dword ptr fs:[00000030h]	9_2_00F48550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F48550 mov eax, dword ptr fs:[00000030h]	9_2_00F48550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50535 mov eax, dword ptr fs:[00000030h]	9_2_00F50535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50535 mov eax, dword ptr fs:[00000030h]	9_2_00F50535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50535 mov eax, dword ptr fs:[00000030h]	9_2_00F50535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50535 mov eax, dword ptr fs:[00000030h]	9_2_00F50535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50535 mov eax, dword ptr fs:[00000030h]	9_2_00F50535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50535 mov eax, dword ptr fs:[00000030h]	9_2_00F50535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E53E mov eax, dword ptr fs:[00000030h]	9_2_00F6E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E53E mov eax, dword ptr fs:[00000030h]	9_2_00F6E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E53E mov eax, dword ptr fs:[00000030h]	9_2_00F6E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E53E mov eax, dword ptr fs:[00000030h]	9_2_00F6E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E53E mov eax, dword ptr fs:[00000030h]	9_2_00F6E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD6500 mov eax, dword ptr fs:[00000030h]	9_2_00FD6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE6F2 mov eax, dword ptr fs:[00000030h]	9_2_00FBE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE6F2 mov eax, dword ptr fs:[00000030h]	9_2_00FBE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE6F2 mov eax, dword ptr fs:[00000030h]	9_2_00FBE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE6F2 mov eax, dword ptr fs:[00000030h]	9_2_00FBE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC06F1 mov eax, dword ptr fs:[00000030h]	9_2_00FC06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC06F1 mov eax, dword ptr fs:[00000030h]	9_2_00FC06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_00F7A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A6C7 mov eax, dword ptr fs:[00000030h]	9_2_00F7A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F766B0 mov eax, dword ptr fs:[00000030h]	9_2_00F766B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7C6A6 mov eax, dword ptr fs:[00000030h]	9_2_00F7C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F44690 mov eax, dword ptr fs:[00000030h]	9_2_00F44690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F44690 mov eax, dword ptr fs:[00000030h]	9_2_00F44690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F72674 mov eax, dword ptr fs:[00000030h]	9_2_00F72674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A660 mov eax, dword ptr fs:[00000030h]	9_2_00F7A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A660 mov eax, dword ptr fs:[00000030h]	9_2_00F7A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5C640 mov eax, dword ptr fs:[00000030h]	9_2_00F5C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5E627 mov eax, dword ptr fs:[00000030h]	9_2_00F5E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F76620 mov eax, dword ptr fs:[00000030h]	9_2_00F76620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F78620 mov eax, dword ptr fs:[00000030h]	9_2_00F78620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4262C mov eax, dword ptr fs:[00000030h]	9_2_00F4262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82619 mov eax, dword ptr fs:[00000030h]	9_2_00F82619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE609 mov eax, dword ptr fs:[00000030h]	9_2_00FBE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5260B mov eax, dword ptr fs:[00000030h]	9_2_00F5260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5260B mov eax, dword ptr fs:[00000030h]	9_2_00F5260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5260B mov eax, dword ptr fs:[00000030h]	9_2_00F5260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5260B mov eax, dword ptr fs:[00000030h]	9_2_00F5260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5260B mov eax, dword ptr fs:[00000030h]	9_2_00F5260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5260B mov eax, dword ptr fs:[00000030h]	9_2_00F5260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F5260B mov eax, dword ptr fs:[00000030h]	9_2_00F5260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F447FB mov eax, dword ptr fs:[00000030h]	9_2_00F447FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F447FB mov eax, dword ptr fs:[00000030h]	9_2_00F447FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F627ED mov eax, dword ptr fs:[00000030h]	9_2_00F627ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F627ED mov eax, dword ptr fs:[00000030h]	9_2_00F627ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F627ED mov eax, dword ptr fs:[00000030h]	9_2_00F627ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCE7E1 mov eax, dword ptr fs:[00000030h]	9_2_00FCE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4C7C0 mov eax, dword ptr fs:[00000030h]	9_2_00F4C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC07C3 mov eax, dword ptr fs:[00000030h]	9_2_00FC07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F407AF mov eax, dword ptr fs:[00000030h]	9_2_00F407AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF47A0 mov eax, dword ptr fs:[00000030h]	9_2_00FF47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100866E mov eax, dword ptr fs:[00000030h]	9_2_0100866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100866E mov eax, dword ptr fs:[00000030h]	9_2_0100866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE678E mov eax, dword ptr fs:[00000030h]	9_2_00FE678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F48770 mov eax, dword ptr fs:[00000030h]	9_2_00F48770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50770 mov eax, dword ptr fs:[00000030h]	9_2_00F50770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCE75D mov eax, dword ptr fs:[00000030h]	9_2_00FCE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F40750 mov eax, dword ptr fs:[00000030h]	9_2_00F40750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82750 mov eax, dword ptr fs:[00000030h]	9_2_00F82750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F82750 mov eax, dword ptr fs:[00000030h]	9_2_00F82750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC4755 mov eax, dword ptr fs:[00000030h]	9_2_00FC4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7674D mov esi, dword ptr fs:[00000030h]	9_2_00F7674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7674D mov eax, dword ptr fs:[00000030h]	9_2_00F7674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7674D mov eax, dword ptr fs:[00000030h]	9_2_00F7674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7273C mov eax, dword ptr fs:[00000030h]	9_2_00F7273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7273C mov ecx, dword ptr fs:[00000030h]	9_2_00F7273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7273C mov eax, dword ptr fs:[00000030h]	9_2_00F7273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBC730 mov eax, dword ptr fs:[00000030h]	9_2_00FBC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7C720 mov eax, dword ptr fs:[00000030h]	9_2_00F7C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7C720 mov eax, dword ptr fs:[00000030h]	9_2_00F7C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F40710 mov eax, dword ptr fs:[00000030h]	9_2_00F40710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F70710 mov eax, dword ptr fs:[00000030h]	9_2_00F70710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7C700 mov eax, dword ptr fs:[00000030h]	9_2_00F7C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7C8F9 mov eax, dword ptr fs:[00000030h]	9_2_00F7C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7C8F9 mov eax, dword ptr fs:[00000030h]	9_2_00F7C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6E8C0 mov eax, dword ptr fs:[00000030h]	9_2_00F6E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014940 mov eax, dword ptr fs:[00000030h]	9_2_01014940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCC89D mov eax, dword ptr fs:[00000030h]	9_2_00FCC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F40887 mov eax, dword ptr fs:[00000030h]	9_2_00F40887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD6870 mov eax, dword ptr fs:[00000030h]	9_2_00FD6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD6870 mov eax, dword ptr fs:[00000030h]	9_2_00FD6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCE872 mov eax, dword ptr fs:[00000030h]	9_2_00FCE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCE872 mov eax, dword ptr fs:[00000030h]	9_2_00FCE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F70854 mov eax, dword ptr fs:[00000030h]	9_2_00F70854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F44859 mov eax, dword ptr fs:[00000030h]	9_2_00F44859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F44859 mov eax, dword ptr fs:[00000030h]	9_2_00F44859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F52840 mov ecx, dword ptr fs:[00000030h]	9_2_00F52840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F62835 mov eax, dword ptr fs:[00000030h]	9_2_00F62835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F62835 mov eax, dword ptr fs:[00000030h]	9_2_00F62835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F62835 mov eax, dword ptr fs:[00000030h]	9_2_00F62835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F62835 mov ecx, dword ptr fs:[00000030h]	9_2_00F62835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F62835 mov eax, dword ptr fs:[00000030h]	9_2_00F62835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F62835 mov eax, dword ptr fs:[00000030h]	9_2_00F62835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE483A mov eax, dword ptr fs:[00000030h]	9_2_00FE483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE483A mov eax, dword ptr fs:[00000030h]	9_2_00FE483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7A830 mov eax, dword ptr fs:[00000030h]	9_2_00F7A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100A9D3 mov eax, dword ptr fs:[00000030h]	9_2_0100A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCC810 mov eax, dword ptr fs:[00000030h]	9_2_00FCC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F729F9 mov eax, dword ptr fs:[00000030h]	9_2_00F729F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F729F9 mov eax, dword ptr fs:[00000030h]	9_2_00F729F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCE9E0 mov eax, dword ptr fs:[00000030h]	9_2_00FCE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4A9D0 mov eax, dword ptr fs:[00000030h]	9_2_00F4A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F749D0 mov eax, dword ptr fs:[00000030h]	9_2_00F749D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD69C0 mov eax, dword ptr fs:[00000030h]	9_2_00FD69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC89B3 mov esi, dword ptr fs:[00000030h]	9_2_00FC89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC89B3 mov eax, dword ptr fs:[00000030h]	9_2_00FC89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC89B3 mov eax, dword ptr fs:[00000030h]	9_2_00FC89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F529A0 mov eax, dword ptr fs:[00000030h]	9_2_00F529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F409AD mov eax, dword ptr fs:[00000030h]	9_2_00F409AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F409AD mov eax, dword ptr fs:[00000030h]	9_2_00F409AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCC97C mov eax, dword ptr fs:[00000030h]	9_2_00FCC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4978 mov eax, dword ptr fs:[00000030h]	9_2_00FE4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4978 mov eax, dword ptr fs:[00000030h]	9_2_00FE4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F66962 mov eax, dword ptr fs:[00000030h]	9_2_00F66962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F66962 mov eax, dword ptr fs:[00000030h]	9_2_00F66962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F66962 mov eax, dword ptr fs:[00000030h]	9_2_00F66962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F8096E mov eax, dword ptr fs:[00000030h]	9_2_00F8096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F8096E mov edx, dword ptr fs:[00000030h]	9_2_00F8096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F8096E mov eax, dword ptr fs:[00000030h]	9_2_00F8096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC0946 mov eax, dword ptr fs:[00000030h]	9_2_00FC0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010108C0 mov eax, dword ptr fs:[00000030h]	9_2_010108C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FC892A mov eax, dword ptr fs:[00000030h]	9_2_00FC892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD892B mov eax, dword ptr fs:[00000030h]	9_2_00FD892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100A8E4 mov eax, dword ptr fs:[00000030h]	9_2_0100A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F38918 mov eax, dword ptr fs:[00000030h]	9_2_00F38918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F38918 mov eax, dword ptr fs:[00000030h]	9_2_00F38918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCC912 mov eax, dword ptr fs:[00000030h]	9_2_00FCC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE908 mov eax, dword ptr fs:[00000030h]	9_2_00FBE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBE908 mov eax, dword ptr fs:[00000030h]	9_2_00FBE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014B00 mov eax, dword ptr fs:[00000030h]	9_2_01014B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7AAEE mov eax, dword ptr fs:[00000030h]	9_2_00F7AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7AAEE mov eax, dword ptr fs:[00000030h]	9_2_00F7AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F40AD0 mov eax, dword ptr fs:[00000030h]	9_2_00F40AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F74AD0 mov eax, dword ptr fs:[00000030h]	9_2_00F74AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F74AD0 mov eax, dword ptr fs:[00000030h]	9_2_00F74AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01008B28 mov eax, dword ptr fs:[00000030h]	9_2_01008B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01008B28 mov eax, dword ptr fs:[00000030h]	9_2_01008B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F96ACC mov eax, dword ptr fs:[00000030h]	9_2_00F96ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F96ACC mov eax, dword ptr fs:[00000030h]	9_2_00F96ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F96ACC mov eax, dword ptr fs:[00000030h]	9_2_00F96ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100AB40 mov eax, dword ptr fs:[00000030h]	9_2_0100AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F48AA0 mov eax, dword ptr fs:[00000030h]	9_2_00F48AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F48AA0 mov eax, dword ptr fs:[00000030h]	9_2_00F48AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012B57 mov eax, dword ptr fs:[00000030h]	9_2_01012B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012B57 mov eax, dword ptr fs:[00000030h]	9_2_01012B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012B57 mov eax, dword ptr fs:[00000030h]	9_2_01012B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012B57 mov eax, dword ptr fs:[00000030h]	9_2_01012B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F96AA4 mov eax, dword ptr fs:[00000030h]	9_2_00F96AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F78A90 mov edx, dword ptr fs:[00000030h]	9_2_00F78A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80 mov eax, dword ptr fs:[00000030h]	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80 mov eax, dword ptr fs:[00000030h]	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80 mov eax, dword ptr fs:[00000030h]	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80 mov eax, dword ptr fs:[00000030h]	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80 mov eax, dword ptr fs:[00000030h]	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80 mov eax, dword ptr fs:[00000030h]	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80 mov eax, dword ptr fs:[00000030h]	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80 mov eax, dword ptr fs:[00000030h]	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F4EA80 mov eax, dword ptr fs:[00000030h]	9_2_00F4EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBCA72 mov eax, dword ptr fs:[00000030h]	9_2_00FBCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FBCA72 mov eax, dword ptr fs:[00000030h]	9_2_00FBCA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7CA6F mov eax, dword ptr fs:[00000030h]	9_2_00F7CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7CA6F mov eax, dword ptr fs:[00000030h]	9_2_00F7CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7CA6F mov eax, dword ptr fs:[00000030h]	9_2_00F7CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA60 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46A50 mov eax, dword ptr fs:[00000030h]	9_2_00F46A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46A50 mov eax, dword ptr fs:[00000030h]	9_2_00F46A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46A50 mov eax, dword ptr fs:[00000030h]	9_2_00F46A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46A50 mov eax, dword ptr fs:[00000030h]	9_2_00F46A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46A50 mov eax, dword ptr fs:[00000030h]	9_2_00F46A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46A50 mov eax, dword ptr fs:[00000030h]	9_2_00F46A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F46A50 mov eax, dword ptr fs:[00000030h]	9_2_00F46A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50A5B mov eax, dword ptr fs:[00000030h]	9_2_00F50A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50A5B mov eax, dword ptr fs:[00000030h]	9_2_00F50A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F64A35 mov eax, dword ptr fs:[00000030h]	9_2_00F64A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F64A35 mov eax, dword ptr fs:[00000030h]	9_2_00F64A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7CA38 mov eax, dword ptr fs:[00000030h]	9_2_00F7CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F7CA24 mov eax, dword ptr fs:[00000030h]	9_2_00F7CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6EA2E mov eax, dword ptr fs:[00000030h]	9_2_00F6EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCCA11 mov eax, dword ptr fs:[00000030h]	9_2_00FCCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F48BF0 mov eax, dword ptr fs:[00000030h]	9_2_00F48BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F48BF0 mov eax, dword ptr fs:[00000030h]	9_2_00F48BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F48BF0 mov eax, dword ptr fs:[00000030h]	9_2_00F48BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6EBFC mov eax, dword ptr fs:[00000030h]	9_2_00F6EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FCCBF0 mov eax, dword ptr fs:[00000030h]	9_2_00FCCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEBD0 mov eax, dword ptr fs:[00000030h]	9_2_00FEEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F40BCD mov eax, dword ptr fs:[00000030h]	9_2_00F40BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F40BCD mov eax, dword ptr fs:[00000030h]	9_2_00F40BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F40BCD mov eax, dword ptr fs:[00000030h]	9_2_00F40BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F60BCB mov eax, dword ptr fs:[00000030h]	9_2_00F60BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F60BCB mov eax, dword ptr fs:[00000030h]	9_2_00F60BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F60BCB mov eax, dword ptr fs:[00000030h]	9_2_00F60BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50BBE mov eax, dword ptr fs:[00000030h]	9_2_00F50BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F50BBE mov eax, dword ptr fs:[00000030h]	9_2_00F50BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF4BB0 mov eax, dword ptr fs:[00000030h]	9_2_00FF4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF4BB0 mov eax, dword ptr fs:[00000030h]	9_2_00FF4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014A80 mov eax, dword ptr fs:[00000030h]	9_2_01014A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F3CB7E mov eax, dword ptr fs:[00000030h]	9_2_00F3CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F38B50 mov eax, dword ptr fs:[00000030h]	9_2_00F38B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEB50 mov eax, dword ptr fs:[00000030h]	9_2_00FEEB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF4B4B mov eax, dword ptr fs:[00000030h]	9_2_00FF4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF4B4B mov eax, dword ptr fs:[00000030h]	9_2_00FF4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8B42 mov eax, dword ptr fs:[00000030h]	9_2_00FE8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD6B40 mov eax, dword ptr fs:[00000030h]	9_2_00FD6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD6B40 mov eax, dword ptr fs:[00000030h]	9_2_00FD6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6EB20 mov eax, dword ptr fs:[00000030h]	9_2_00F6EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00F6EB20 mov eax, dword ptr fs:[00000030h]	9_2_00F6EB20

Source: C:\Users\user\Desktop\Shipping Document.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe"
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Shipping Document.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0x119A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0x119A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0xEAA4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0xEAA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Shipping Document.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 4004
Source: C:\Windows\SysWOW64\chkdsk.exe	Thread register set: target process: 4004

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 790000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 790000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Shipping Document.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 71A008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 9C0008	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp388A.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: explorer.exe, 0000000A.00000000.2172667809.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3397986867.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 0000000A.00000000.2172667809.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3397986867.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3400678917.00000000048E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.2172667809.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3397986867.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2171105547.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3397255038.0000000000D60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 0000000A.00000000.2172667809.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3397986867.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.2192491891.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075331156.00000000098C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\Shipping Document.exe	Queries volume information: C:\Users\user\Desktop\Shipping Document.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Queries volume information: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Shipping Document.exe.283da34.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Document.exe.6ba0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.zhvapfBrgjZdoS.exe.314dab4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Document.exe.6ba0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.zhvapfBrgjZdoS.exe.30bd63c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Document.exe.27ad5bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.zhvapfBrgjZdoS.exe.314dab4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Document.exe.283da34.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2233597678.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2197068426.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2188564119.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Shipping Document.exe.283da34.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Document.exe.6ba0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.zhvapfBrgjZdoS.exe.314dab4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Document.exe.6ba0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.zhvapfBrgjZdoS.exe.30bd63c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Document.exe.27ad5bc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.zhvapfBrgjZdoS.exe.314dab4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Shipping Document.exe.283da34.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2233597678.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189945825.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2197068426.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2188564119.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	712 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	1 DLL Side-Loading	712 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	212 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Shipping Document.exe	28%	Virustotal		Browse
Shipping Document.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
Shipping Document.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe	42%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos

Source	Detection	Scanner	Label
http://www.voyagu.infoReferer:	0%	Avira URL Cloud	safe
http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performRecruitedEnquiryWithoutAuth?categoryCode=	0%	Avira URL Cloud	safe
http://www.ategorie-polecane-831.buzzReferer:	0%	Avira URL Cloud	safe
http://www.si.artReferer:	0%	Avira URL Cloud	safe
http://www.voyagu.info/a03d/www.ndogaming.online	100%	Avira URL Cloud	malware
http://www.cebepu.info	0%	Avira URL Cloud	safe
http://www.asglobalaz.shop/a03d/www.duxrib.xyz	100%	Avira URL Cloud	malware
http://www.asglobalaz.shop/a03d/	100%	Avira URL Cloud	malware
http://www.orld-visa-center.online/a03d/	100%	Avira URL Cloud	malware
http://wap.wirelessgz.cn/myExamWeb/wap/school/gaokao/myUniversity	0%	Avira URL Cloud	safe
http://www.otorcycle-loans-19502.bond/a03d/	100%	Avira URL Cloud	malware
www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.lsaadmart.store	0%	Avira URL Cloud	safe
http://www.rumpchiefofstaff.storeReferer:	0%	Avira URL Cloud	safe
http://www.ndogaming.online	0%	Avira URL Cloud	safe
http://www.cebepu.info/a03d/www.asglobalaz.shop	100%	Avira URL Cloud	malware
http://www.duxrib.xyz/a03d/www.rumpchiefofstaff.store	100%	Avira URL Cloud	malware
http://www.atidiri.fun/a03d/	100%	Avira URL Cloud	malware
http://www.ategorie-polecane-831.buzz	0%	Avira URL Cloud	safe
http://www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.ndogaming.online/a03d/	100%	Avira URL Cloud	malware
http://www.0090.pizza	0%	Avira URL Cloud	safe
http://www.atidiri.fun/a03d/www.lsaadmart.store	100%	Avira URL Cloud	malware
http://www.atidiri.fun	0%	Avira URL Cloud	safe
http://www.asglobalaz.shop	0%	Avira URL Cloud	safe
http://www.asglobalaz.shopReferer:	0%	Avira URL Cloud	safe
http://www.agiararoma.netReferer:	0%	Avira URL Cloud	safe
http://www.agiararoma.net/a03d/www.romatografia.online	100%	Avira URL Cloud	malware
http://www.agiararoma.net/a03d/	100%	Avira URL Cloud	malware
http://www.si.art	0%	Avira URL Cloud	safe
http://www.rumpchiefofstaff.store/a03d/www.ategorie-polecane-831.buzz	100%	Avira URL Cloud	malware
http://www.orld-visa-center.online/a03d/www.otorcycle-loans-19502.bond	100%	Avira URL Cloud	malware
http://www.romatografia.online/a03d/	100%	Avira URL Cloud	malware
http://www.rumpchiefofstaff.store	0%	Avira URL Cloud	safe
http://www.voyagu.info	0%	Avira URL Cloud	safe
http://www.rumpchiefofstaff.store/a03d/	100%	Avira URL Cloud	malware
http://www.lsaadmart.storeReferer:	0%	Avira URL Cloud	safe
http://www.voyagu.info/a03d/	100%	Avira URL Cloud	malware
http://docs.livestreamer.io/players.html#Supported	0%	Avira URL Cloud	safe
http://docs.livestreamer.io/plugin_matrix.html#Supported	0%	Avira URL Cloud	safe
http://www.ndogaming.onlineReferer:	0%	Avira URL Cloud	safe
http://www.agiararoma.net	0%	Avira URL Cloud	safe
http://www.otorcycle-loans-19502.bond	0%	Avira URL Cloud	safe
http://www.0090.pizza/a03d/www.agiararoma.net	100%	Avira URL Cloud	malware
http://www.enelog.xyzReferer:	0%	Avira URL Cloud	safe
http://www.enelog.xyz/a03d/www.0090.pizza	100%	Avira URL Cloud	malware
http://www.atidiri.funReferer:	0%	Avira URL Cloud	safe
http://www.duxrib.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.0090.pizza/a03d/	100%	Avira URL Cloud	malware
http://www.otorcycle-loans-19502.bond/a03d/www.enelog.xyz	100%	Avira URL Cloud	malware
http://www.orld-visa-center.online	0%	Avira URL Cloud	safe
http://www.ategorie-polecane-831.buzz/a03d/	100%	Avira URL Cloud	malware
http://docs.livestreamer.io/install.html	0%	Avira URL Cloud	safe
http://www.cebepu.infoReferer:	0%	Avira URL Cloud	safe
http://www.otorcycle-loans-19502.bondReferer:	0%	Avira URL Cloud	safe
http://www.lsaadmart.store/a03d/	100%	Avira URL Cloud	malware
http://www.ndogaming.online/a03d/www.atidiri.fun	100%	Avira URL Cloud	malware
http://www.enelog.xyz	0%	Avira URL Cloud	safe
http://www.cebepu.info/a03d/	100%	Avira URL Cloud	malware
http://www.romatografia.onlineReferer:	0%	Avira URL Cloud	safe
http://www.lsaadmart.store/a03d/www.si.art	100%	Avira URL Cloud	malware
http://www.si.art/a03d/www.orld-visa-center.online	100%	Avira URL Cloud	malware
http://www.si.art/a03d/	100%	Avira URL Cloud	malware
http://www.romatografia.online	0%	Avira URL Cloud	safe
http://www.romatografia.online/a03d/www.cebepu.info	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
www.ndogaming.online	unknown	unknown	true	unknown
www.orld-visa-center.online	unknown	unknown	true	unknown
www.atidiri.fun	unknown	unknown	true	unknown
www.si.art	unknown	unknown	true	unknown
www.voyagu.info	unknown	unknown	true	unknown
www.lsaadmart.store	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.enelog.xyz/a03d/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.asglobalaz.shop/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.orld-visa-center.online/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.voyagu.info/a03d/www.ndogaming.online	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.voyagu.infoReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ategorie-polecane-831.buzzReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.asglobalaz.shop/a03d/www.duxrib.xyz	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.cebepu.info	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://wap.5184.com/NCEE_WAP/controller/examEnquiry/performRecruitedEnquiryWithoutAuth?categoryCode=	Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.si.artReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://wap.wirelessgz.cn/myExamWeb/wap/school/gaokao/myUniversity	zhvapfBrgjZdoS.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.otorcycle-loans-19502.bond/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000002.3403944711.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.comM	explorer.exe, 0000000A.00000003.3076558891.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3409779558.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2200492280.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lsaadmart.store	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.duxrib.xyzReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ndogaming.online	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.rumpchiefofstaff.storeReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyz/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.cebepu.info/a03d/www.asglobalaz.shop	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.duxrib.xyz/a03d/www.rumpchiefofstaff.store	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.atidiri.fun/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/e	explorer.exe, 0000000A.00000003.3075912538.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979220756.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2192491891.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3403944711.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Shipping Document.exe, 00000000.00000002.2188564119.0000000002701000.00000004.00000800.00020000.00000000.sdmp, zhvapfBrgjZdoS.exe, 0000000B.00000002.2233597678.0000000003011000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.ategorie-polecane-831.buzz	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ndogaming.online/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 0000000A.00000000.2200492280.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2980752799.000000000C40D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.0090.pizza	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.atidiri.fun	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.asglobalaz.shop	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.atidiri.fun/a03d/www.lsaadmart.store	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.orld-visa-center.online/a03d/www.otorcycle-loans-19502.bond	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://github.com/chrippa/livestreamer/	Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	false		high
http://www.asglobalaz.shopReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.agiararoma.net/a03d/www.romatografia.online	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.agiararoma.netReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agiararoma.net/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.si.art	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rumpchiefofstaff.store/a03d/www.ategorie-polecane-831.buzz	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.romatografia.online/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000000.2200492280.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3409779558.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.come	explorer.exe, 0000000A.00000003.3076558891.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3409779558.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2200492280.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.livestreamer.io/players.html#Supported	Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.rumpchiefofstaff.store	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.livestreamer.io/plugin_matrix.html#Supported	Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000002.3403944711.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.rumpchiefofstaff.store/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.voyagu.info	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.voyagu.info/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com/I	explorer.exe, 0000000A.00000002.3403944711.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2188855626.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lsaadmart.storeReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ndogaming.onlineReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agiararoma.net	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.otorcycle-loans-19502.bond	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 0000000A.00000000.2186218040.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2186237981.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.3398217196.00000000028A0000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.0090.pizza/a03d/www.agiararoma.net	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.enelog.xyzReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duxrib.xyz/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.enelog.xyz/a03d/www.0090.pizza	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.atidiri.funReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.0090.pizza/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.orld-visa-center.online	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.otorcycle-loans-19502.bond/a03d/www.enelog.xyz	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ategorie-polecane-831.buzz/a03d/	explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://docs.livestreamer.io/install.html	Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.cebepu.infoReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lsaadmart.store/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.com-	explorer.exe, 0000000A.00000003.3076558891.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3409779558.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2200492280.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ndogaming.online/a03d/www.atidiri.fun	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.otorcycle-loans-19502.bondReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/thebiffman/livestreamer-sharp-ui	Shipping Document.exe, zhvapfBrgjZdoS.exe.0.dr	false		high
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.enelog.xyz	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.romatografia.onlineReferer:	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cebepu.info/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://powerpoint.office.comEMd	explorer.exe, 0000000A.00000002.3409779558.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2200492280.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lsaadmart.store/a03d/www.si.art	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.si.art/a03d/	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.si.art/a03d/www.orld-visa-center.online	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.romatografia.online	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.romatografia.online/a03d/www.cebepu.info	explorer.exe, 0000000A.00000003.2980567357.000000000C41D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3411579990.000000000C420000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979651670.000000000C3E8000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 0000000A.00000002.3401025196.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076227928.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2185099482.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587574
Start date and time:	2025-01-10 15:02:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Shipping Document.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@26/15@6/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 154 Number of non-executed functions: 311
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.115.3.253, 2.23.242.162, 20.12.23.50, 192.229.221.95, 52.165.164.15, 199.232.210.172, 199.232.214.172, 13.107.246.45
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, wns.notify.trafficmanager.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:03:42	API Interceptor	1x Sleep call for process: Shipping Document.exe modified
09:03:43	API Interceptor	36x Sleep call for process: powershell.exe modified
09:03:47	API Interceptor	1x Sleep call for process: zhvapfBrgjZdoS.exe modified
09:03:53	API Interceptor	2327301x Sleep call for process: explorer.exe modified
09:04:28	API Interceptor	2396597x Sleep call for process: chkdsk.exe modified
15:03:45	Task Scheduler	Run new task: zhvapfBrgjZdoS path: C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	1712226379134618467.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.filemail.com/d/rxythqchkhluipl?skipreg=true	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://eu.jotform.com/app/250092704521347	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.ch	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://app.planable.io/review/0OPaw36t6M_k	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	PDFONLINE.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	OTTIMAX RFQ BID1122263.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	PDFONLINE.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
bg.microsoft.map.fastly.net	3254519122657813770.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	1712226379134618467.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	7401990642713807.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	A5815BC0-FA26-4ECC-9A97-EE9DB31273CA_12272024154104847.dll	Get hash	malicious	Unknown	Browse	199.232.210.172
	382215884163542302.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	2503475573085815370.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	17772451271118687.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	1353125634235611874.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	1947415746274847548.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	10848104561916132198.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	https://marcuso-wq.github.io/home/	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	1.png	Get hash	malicious	Unknown	Browse	192.229.221.95
	atomxml.ps1	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	192.229.221.95
	Payment-Order #24560274 for 8,380 USD.exe	Get hash	malicious	XWorm	Browse	192.229.221.95
	invoice-1623385214.pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	PO#3311-20250108003.xls	Get hash	malicious	Unknown	Browse	192.229.221.95
	invoice-1623385214 pdf.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	0a0#U00a0.js	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	192.229.221.95
	3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69.exe	Get hash	malicious	AsyncRAT, GhostRat	Browse	192.229.221.95

Process:	C:\Users\user\Desktop\Shipping Document.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zhvapfBrgjZdoS.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:fLHxcIalLgZ2KRHWLOugEs
MD5:	916E28F9B47291FE5C88ABFD4E45CDF6
SHA1:	1B78C88B22996B285DBBC22F6A5072FA4D304F7F
SHA-256:	EF6DF1C0892F0B99815F1254F70DA395811731D0BCC1AAD902542565C3370562
SHA-512:	8FF7582B5712034B01CB3A42225986B22B68F97F0F572F4EC94A83BE5D72909C5E055B3FB17A7CD7FBE1657BA16FF79685B24F9808E85507EFF5E3360A9C65DA
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.ConfigurationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05kgjhbi.dce.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgaj0vx3.mbs.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3pv420m.tkd.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljdam2jb.w0r.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vz1trzsq.iru.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzpwqtho.imk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yht4xkgj.auu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yln0fgwy.l4n.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp26D7.tmp

Download File

Process:	C:\Users\user\Desktop\Shipping Document.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	5.104101818218535
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLbmxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTCv
MD5:	C218D117E83781850F12C53F0ED37326
SHA1:	D22E59DB236AFF34301FD5686ED3BF56B77A26C5
SHA-256:	62A3793027E07DE7657B205182ACDAA7C5C512EA3934A220192BA3A05D151CF3
SHA-512:	6F66CDC91F8B594A5527D8AE28E83224D15E516967FA88DEF22787DFF3260A35583D899C1F683532D310DBE8B802576F30D116993A611B42C897399EB1A7BCD6
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmp388A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	5.104101818218535
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLbmxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTCv
MD5:	C218D117E83781850F12C53F0ED37326
SHA1:	D22E59DB236AFF34301FD5686ED3BF56B77A26C5
SHA-256:	62A3793027E07DE7657B205182ACDAA7C5C512EA3934A220192BA3A05D151CF3
SHA-512:	6F66CDC91F8B594A5527D8AE28E83224D15E516967FA88DEF22787DFF3260A35583D899C1F683532D310DBE8B802576F30D116993A611B42C897399EB1A7BCD6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe

Download File

Process:	C:\Users\user\Desktop\Shipping Document.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	664576
Entropy (8bit):	7.696697848285607
Encrypted:	false
SSDEEP:	12288:W7Fl9Z7a0GM4Rb9So1JELBYaKMwbDqV7X5YgqOu8g20wWIh13MgS5VWu3hG9lDmf:oawLoWVrMX20xI/EWuRGfDz8ci
MD5:	71208E7BC9D008F3986544D2A15D560E
SHA1:	9697FBA394B19C4414035A5F0C4915346E18B7D3
SHA-256:	7A531101BC8522D52F45933945D6B8728AD7B7F3C9AAEFD2D18742F8EC4000CB
SHA-512:	64A2EE7B43D7A86D2B37117334A186A9C89EE557A771423FAD42DC8EF58E7AAA8716CD8BF7C6F107DDA96A575213EF7DB1F3C04ADB939858656BC73EAAD18BC1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-..g..............0.............."... ...@....@.. ....................................`..................................!..O....@..T....................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc...T....@......................@..@.reloc.......`......."..............@..B................."......H.......PN...Q......]...T................................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3...{...."..}......{...."..}....b.s"...%.o.......(.......0..l........(.......o....o..........,...o.......0o....&..o....o..........,....(.......}......}.....+..r...pr...ps ...z.0..p...

C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Shipping Document.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.696697848285607
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	Shipping Document.exe
File size:	664'576 bytes
MD5:	71208e7bc9d008f3986544d2a15d560e
SHA1:	9697fba394b19c4414035a5f0c4915346e18b7d3
SHA256:	7a531101bc8522d52f45933945d6b8728ad7b7f3c9aaefd2d18742f8ec4000cb
SHA512:	64a2ee7b43d7a86d2b37117334a186a9c89ee557a771423fad42dc8ef58e7aaa8716cd8bf7c6f107dda96a575213ef7db1f3c04adb939858656bc73eaad18bc1
SSDEEP:	12288:W7Fl9Z7a0GM4Rb9So1JELBYaKMwbDqV7X5YgqOu8g20wWIh13MgS5VWu3hG9lDmf:oawLoWVrMX20xI/EWuRGfDz8ci
TLSH:	58E4F1A4269AD802C0D31B700872D7F8A77A5D9DA915C7038FEE7EEFBC7A7442544392
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-..g..............0.............."... ...@....@.. ....................................`................................

File Icon


Icon Hash:	5c69494dac09190f

Static PE Info

General

Entrypoint:	0x4a222e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6780862D [Fri Jan 10 02:30:05 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa21dc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x1a54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa0234	0xa0400	450da389078e6f5fca7b7b4e2c5d3767	False	0.904272499024961	data	7.705751675338919	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x1a54	0x1c00	bd5ebb3dd1d4d12f8ddb51ba79cf94b1	False	0.8172433035714286	data	7.029873316213991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	7e82a44249f795aa8ce44d827cd89d68	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa40c8	0x1625	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.955194919738931
RT_GROUP_ICON	0xa5700	0x14	data	1.05
RT_VERSION	0xa5724	0x32a	data	0.4148148148148148

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:03:36.776113033 CET	49673	443	192.168.2.6	173.222.162.64
Jan 10, 2025 15:03:36.807388067 CET	49674	443	192.168.2.6	173.222.162.64
Jan 10, 2025 15:03:37.119921923 CET	49672	443	192.168.2.6	173.222.162.64
Jan 10, 2025 15:03:46.510512114 CET	49673	443	192.168.2.6	173.222.162.64
Jan 10, 2025 15:03:46.554337025 CET	49674	443	192.168.2.6	173.222.162.64
Jan 10, 2025 15:03:46.786623955 CET	49672	443	192.168.2.6	173.222.162.64
Jan 10, 2025 15:03:48.320043087 CET	443	49705	173.222.162.64	192.168.2.6
Jan 10, 2025 15:03:48.320138931 CET	49705	443	192.168.2.6	173.222.162.64
Jan 10, 2025 15:05:16.714875937 CET	49703	443	192.168.2.6	40.126.32.134
Jan 10, 2025 15:05:16.721205950 CET	443	49703	40.126.32.134	192.168.2.6
Jan 10, 2025 15:05:16.721348047 CET	49703	443	192.168.2.6	40.126.32.134
Jan 10, 2025 15:05:19.263348103 CET	49707	443	192.168.2.6	40.126.32.134
Jan 10, 2025 15:05:19.268609047 CET	443	49707	40.126.32.134	192.168.2.6
Jan 10, 2025 15:05:19.268714905 CET	49707	443	192.168.2.6	40.126.32.134

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 15:04:22.154028893 CET	52090	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:04:22.165896893 CET	53	52090	1.1.1.1	192.168.2.6
Jan 10, 2025 15:04:43.058309078 CET	55553	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:04:43.067581892 CET	53	55553	1.1.1.1	192.168.2.6
Jan 10, 2025 15:05:02.074907064 CET	54129	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:05:02.084444046 CET	53	54129	1.1.1.1	192.168.2.6
Jan 10, 2025 15:05:22.375220060 CET	62685	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:05:22.384217024 CET	53	62685	1.1.1.1	192.168.2.6
Jan 10, 2025 15:05:42.812131882 CET	57807	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:05:42.826069117 CET	53	57807	1.1.1.1	192.168.2.6
Jan 10, 2025 15:06:04.230593920 CET	54061	53	192.168.2.6	1.1.1.1
Jan 10, 2025 15:06:04.240062952 CET	53	54061	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 15:04:22.154028893 CET	192.168.2.6	1.1.1.1	0xca98	Standard query (0)	www.voyagu.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:43.058309078 CET	192.168.2.6	1.1.1.1	0xccc7	Standard query (0)	www.ndogaming.online	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:05:02.074907064 CET	192.168.2.6	1.1.1.1	0x7dab	Standard query (0)	www.atidiri.fun	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:05:22.375220060 CET	192.168.2.6	1.1.1.1	0x5968	Standard query (0)	www.lsaadmart.store	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:05:42.812131882 CET	192.168.2.6	1.1.1.1	0x5c08	Standard query (0)	www.si.art	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:06:04.230593920 CET	192.168.2.6	1.1.1.1	0xfcfa	Standard query (0)	www.orld-visa-center.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 15:03:48.470688105 CET	1.1.1.1	192.168.2.6	0x246f	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 15:03:48.470688105 CET	1.1.1.1	192.168.2.6	0x246f	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:57.567416906 CET	1.1.1.1	192.168.2.6	0xc9b9	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 15:03:57.567416906 CET	1.1.1.1	192.168.2.6	0xc9b9	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:58.845817089 CET	1.1.1.1	192.168.2.6	0xb7ba	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:03:58.845817089 CET	1.1.1.1	192.168.2.6	0xb7ba	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:22.165896893 CET	1.1.1.1	192.168.2.6	0xca98	Name error (3)	www.voyagu.info	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:43.067581892 CET	1.1.1.1	192.168.2.6	0xccc7	Name error (3)	www.ndogaming.online	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:58.595933914 CET	1.1.1.1	192.168.2.6	0x6ac8	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:04:58.595933914 CET	1.1.1.1	192.168.2.6	0x6ac8	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:05:02.084444046 CET	1.1.1.1	192.168.2.6	0x7dab	Name error (3)	www.atidiri.fun	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:05:22.384217024 CET	1.1.1.1	192.168.2.6	0x5968	Name error (3)	www.lsaadmart.store	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:05:42.826069117 CET	1.1.1.1	192.168.2.6	0x5c08	Name error (3)	www.si.art	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 15:06:04.240062952 CET	1.1.1.1	192.168.2.6	0xfcfa	Name error (3)	www.orld-visa-center.online	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:03:41
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\Shipping Document.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Shipping Document.exe"
Imagebase:	0x300000
File size:	664'576 bytes
MD5 hash:	71208E7BC9D008F3986544D2A15D560E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2189945825.000000000391E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2189945825.00000000036E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2189945825.0000000003704000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2197068426.0000000006BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2188564119.00000000027A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:03:42
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipping Document.exe"
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:03:42
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:03:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe"
Imagebase:	0xa60000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:03:43
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:03:43
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp26D7.tmp"
Imagebase:	0x210000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:03:43
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:03:43
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x540000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:03:44
Start date:	10/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000A.00000002.3414384840.0000000011117000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:03:45
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\zhvapfBrgjZdoS.exe
Imagebase:	0x9c0000
File size:	664'576 bytes
MD5 hash:	71208E7BC9D008F3986544D2A15D560E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2235749329.000000000422F000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2233597678.00000000030B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:03:46
Start date:	10/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	09:03:47
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zhvapfBrgjZdoS" /XML "C:\Users\user\AppData\Local\Temp\tmp388A.tmp"
Imagebase:	0x210000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:03:47
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:03:48
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x670000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:03:48
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\chkdsk.exe"
Imagebase:	0x790000
File size:	23'040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.2248785122.0000000000700000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:03:48
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\chkdsk.exe"
Imagebase:	0x790000
File size:	23'040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.3397221702.0000000005260000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.3397969565.00000000056A0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.3397893068.0000000005670000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	09:03:52
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:03:52
Start date:	10/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.3%
Total number of Nodes:	225
Total number of Limit Nodes:	15

Executed Functions

Function 06BD85DC Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197225894.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad0cc183eceaa547f48489cadc6498e23e53e1c1a402dbc05d00f17ecf36dc3
Instruction ID: 293b5ad9003693e2467639aa9057e8d214b94dbdfd8552624bb0815c8c78c756
Opcode Fuzzy Hash: 2ad0cc183eceaa547f48489cadc6498e23e53e1c1a402dbc05d00f17ecf36dc3
Instruction Fuzzy Hash: E6A20675E002598FDB14EF68C8547EDB7B2FF89300F1482A9D90AA7251EB746E85CF50

Function 06C02528 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197401336.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b4328f6e06e84f2ca005ff4ea2037302da82e8be6b03b9ea7fb3ad510227f0a
Instruction ID: 5ff4f927539c76741c8a6a9b784afbec3e406bbf821fd646109eb8da0fea2bc9
Opcode Fuzzy Hash: 6b4328f6e06e84f2ca005ff4ea2037302da82e8be6b03b9ea7fb3ad510227f0a
Instruction Fuzzy Hash: 7C325C74E00218CFEB58DFB9C8547AEBBF2AFC4300F14C16AD509AB395DA349985CB95

Function 06BD869C Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197225894.0000000006BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6bd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6475291804e984a9da23245f979af5a0b0a5afa9306dee6046751f821596929
Instruction ID: 971426d20ef70a6f2923b5917dd9c1a05ab90e8dfc53966200151b19604e5fc8
Opcode Fuzzy Hash: e6475291804e984a9da23245f979af5a0b0a5afa9306dee6046751f821596929
Instruction Fuzzy Hash: 71027275A003189FDB15DF74C8546AEBBF6FF88300F1485AAE909AB351EB309D42CB91

Function 06C03F10 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197401336.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7ee143c635e60a040dddaa119d57b34ef5006822e5a1a4a773b90211b0b36a
Instruction ID: 65740a63d67aae758de17133740093fa01fa25ca6e8cd4056af0c91f8f7e5e21
Opcode Fuzzy Hash: ae7ee143c635e60a040dddaa119d57b34ef5006822e5a1a4a773b90211b0b36a
Instruction Fuzzy Hash: 0FC14A35E00254DFEB58DFA5C88079EBBF2AF88300F14C5A9D559AB295EB30DA85CF50

Function 00C37B08 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187902050.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d7f9e4889c316dbfdeed297ee5a8901f667473b00864ba1b109fc8a18ef859
Instruction ID: 9a8f12da21d61cfc73108d809c44b2a472773bb7198b0f31897fd4d8ef3af9d2
Opcode Fuzzy Hash: d7d7f9e4889c316dbfdeed297ee5a8901f667473b00864ba1b109fc8a18ef859
Instruction Fuzzy Hash: 2AB1F6B4E01209CFDB05DFA9D894AAEBBF2FF89300F109569D819AB356DB306945CF50

Function 00C34204 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2187902050.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3d51cf496d3c87880673a8b62c3852e48d2ccd6550b6c823661ff92bfc44d8
Instruction ID: 739098affe77c3ca8d2e09fb78a1b04b23bf9ee77aed1af573dbcbd8c6514a40
Opcode Fuzzy Hash: 3a3d51cf496d3c87880673a8b62c3852e48d2ccd6550b6c823661ff92bfc44d8
Instruction Fuzzy Hash: 5CA1D4B4E00209CFDB14DFA9D894AAEBBF2FF88300F209569E819A7355DB306945CF50

Function 00C3DDB8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00C3DE36
GetCurrentThread.KERNEL32 ref: 00C3DE73
GetCurrentProcess.KERNEL32 ref: 00C3DEB0
GetCurrentThreadId.KERNEL32 ref: 00C3DF09

Memory Dump Source

Source File: 00000000.00000002.2187902050.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_Shipping Document.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5c3657efbd176d088e08cf105237d80cf76008deee46dd8fad727179c539910d
Instruction ID: 80a588a78fcfd070d8c7413b63138e99fc65cb5bb0915f47924d27bdb0a82457
Opcode Fuzzy Hash: 5c3657efbd176d088e08cf105237d80cf76008deee46dd8fad727179c539910d
Instruction Fuzzy Hash: CF5144B09013498FDB44DFAAE548B9EBBF5FF88314F208459E019A7360DB74A984CF65

Function 06C02BCF Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32(0000003B), ref: 06C02C2E
GetSystemMetrics.USER32(0000003C), ref: 06C02C68

Memory Dump Source

Source File: 00000000.00000002.2197401336.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_Shipping Document.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 656e4985f8730f70d2861bdcb0b84d4cede96482cc7d0b85ce2a296616872a83
Instruction ID: d6b31f618017a1e43105c4dac974973254a5d62328a4ef2699e4a298236078de
Opcode Fuzzy Hash: 656e4985f8730f70d2861bdcb0b84d4cede96482cc7d0b85ce2a296616872a83
Instruction Fuzzy Hash: 472187B2D003498FEB10DF99D8487DEFFF8EB48324F20845AD519A7290C7B89644CBA5

Function 06DDA66C Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DDA8AE

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 7be02850892c699e71666ad51f4c9bb0bfb62b94dc6dc0ef4be35eb81cc3c7be
Instruction ID: 032667fc8f711ce69b966a2de6a3ab9a086cbae6516d7d90d2ed65662028177a
Opcode Fuzzy Hash: 7be02850892c699e71666ad51f4c9bb0bfb62b94dc6dc0ef4be35eb81cc3c7be
Instruction Fuzzy Hash: 29918D71D00219DFEF60DF68C8407EDBBB2BF48314F188569E808A7244DB759A85CF91

Function 06DDA678 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DDA8AE

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 32b0998aac83457dc15fb23b8cd4d6b634945b7060bf3cc6c7fc565238d69890
Instruction ID: 438c62a7183f7cb65039282faa55271867e608483162870c2828113f288c006b
Opcode Fuzzy Hash: 32b0998aac83457dc15fb23b8cd4d6b634945b7060bf3cc6c7fc565238d69890
Instruction Fuzzy Hash: BA915C71D00259EFEF60DF68C841BEDBBB2BF48314F188569E808A7244DB759A85CF91

Function 00C3454C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C35DC9

Memory Dump Source

Source File: 00000000.00000002.2187902050.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_Shipping Document.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3b19be9d9e4d87e7902f5acb411c26f66019f3b772a14eedd35579bf78ad0c9d
Instruction ID: 1cdf2ec1003a00742c2deacc66c871195f1fad16ad00954c440b6e5a836b567a
Opcode Fuzzy Hash: 3b19be9d9e4d87e7902f5acb411c26f66019f3b772a14eedd35579bf78ad0c9d
Instruction Fuzzy Hash: 1441CFB0C1071DCBEB24DFA9C948B9EBBF5BF48704F20806AD408AB255DBB56945CF90

Function 00C35D0D Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00C35DC9

Memory Dump Source

Source File: 00000000.00000002.2187902050.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_Shipping Document.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: bb5f532a6ee597eaa17b8cac71f950cb0ca45f5edb254a459478b97776c76ae0
Instruction ID: f10587c36423e8137aa13eab4dd0cceaafc6175981700327e4ab9f556e63faa2
Opcode Fuzzy Hash: bb5f532a6ee597eaa17b8cac71f950cb0ca45f5edb254a459478b97776c76ae0
Instruction Fuzzy Hash: 4741DFB1C00719CBEB25CFA9C944B8EBBF5BF48704F20816AD408AB255DBB56A45CF90

Function 06C04848 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2197401336.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_Shipping Document.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 2a7447baa13e43cd66c291c7b7a7631de4391fa0c15f0302bdb01eeed0489b11
Instruction ID: ad850c15514e98d3d97aba3c5cc7a72001136978bc8c01dddd9ea44c60df8cd5
Opcode Fuzzy Hash: 2a7447baa13e43cd66c291c7b7a7631de4391fa0c15f0302bdb01eeed0489b11
Instruction Fuzzy Hash: C3317A72904389DFDB11CFA9D804AEEBFF8EF09210F14805AE654A7261C375A950DFA1

Function 06DD9FE8 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DDA080

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 37b758cbb33c5cb28d27b3be2f57392e42458dbbd0009b2eecc77b27c0ccf10a
Instruction ID: db0cd16e625ec0db989971c24b8609e84d200afb51249499c7b7406975bbbfe3
Opcode Fuzzy Hash: 37b758cbb33c5cb28d27b3be2f57392e42458dbbd0009b2eecc77b27c0ccf10a
Instruction Fuzzy Hash: 3A2137719003499FDF10DFAAC881BEEBBF5FF48310F14842AE518A7240C7B89950CBA5

Function 06DD9FF0 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DDA080

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 13f907755b5806f9e83e2c07de71346277a986556cab0266257e5f1f15bb9813
Instruction ID: e9fa616830302c04b43ed48808a81f5f188de63105ef66be25a0bead299536b0
Opcode Fuzzy Hash: 13f907755b5806f9e83e2c07de71346277a986556cab0266257e5f1f15bb9813
Instruction Fuzzy Hash: B82127719003499FDF10DFAAC885BEEBBF5FF48314F148429E918A7240C7B99954CBA5

Function 06DDA4D8 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DDA560

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3dab9cc7d39712d06626e0806f70de79ff11e5044efb2c08cfc435c3887903a3
Instruction ID: 1e821e94896b1c1fbfdc0df40cb3ac6e94fad3f51cd9cb1f7fff30864cd4980d
Opcode Fuzzy Hash: 3dab9cc7d39712d06626e0806f70de79ff11e5044efb2c08cfc435c3887903a3
Instruction Fuzzy Hash: 10210572D003499FDB10DFAAD881AEEBBF5BF48320F148429E519A7250C7789954CBA5

Function 06DD9A1A Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DD9A9E

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 42388ad5424c7a76e5b9278cef5821ef31522b8d7b9839cb33edeb94af6fefcd
Instruction ID: 75bd22560de119f8ce95d53b55c41fe3b367fcb7622ba5f968eb0cbd28dbf5fa
Opcode Fuzzy Hash: 42388ad5424c7a76e5b9278cef5821ef31522b8d7b9839cb33edeb94af6fefcd
Instruction Fuzzy Hash: 05214C72D003099FDB10DFAAC485BEEBBF4EF88324F148429D519A7240CB799944CFA5

Function 06DDA4E0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DDA560

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3532fec558d7022e21418872b88835f60be6403f33a0b7fa1b363bf19d6c9322
Instruction ID: b92a91b0d4bf83676739beb635873bbc3aceb347550d739e8f374693a7d1fff1
Opcode Fuzzy Hash: 3532fec558d7022e21418872b88835f60be6403f33a0b7fa1b363bf19d6c9322
Instruction Fuzzy Hash: 8D2114B1C003499FDF10DFAAC881AEEBBF5FF48320F14842AE519A7250C7789910CBA5

Function 06DD9A20 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DD9A9E

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 121945c2d64c26223202c10d2d91c95bc4d2de7ac028ab75e2e62ac93af732c0
Instruction ID: bd95c69c6858079ea7b0dfaec5e68ba4a8a80fb8e634ca3230d4efdaac5527a6
Opcode Fuzzy Hash: 121945c2d64c26223202c10d2d91c95bc4d2de7ac028ab75e2e62ac93af732c0
Instruction Fuzzy Hash: AE212C72D003099FDB50DFAAC485BEEBBF4EF88314F148429D519A7240D7799944CFA5

Function 00C3E000 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C3E087

Memory Dump Source

Source File: 00000000.00000002.2187902050.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_Shipping Document.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f2eb3eda6ec22e69d9d177cb9586d2f8fa9e0aff6c6425e4742a8fc37798f99a
Instruction ID: 3ce613c645c3c13da803edf2c8b983d6fdb7ef63b5afa6f85d4ac72f33fc26ec
Opcode Fuzzy Hash: f2eb3eda6ec22e69d9d177cb9586d2f8fa9e0aff6c6425e4742a8fc37798f99a
Instruction Fuzzy Hash: D721E4B5900249EFDB10CFAAD984ADEBFF4FB48320F14801AE918A3350D374A954CFA4

Function 06DD9F28 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DD9F9E

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 949448dd978d9e0d651c0699fe3ee3f45592412bc1ca9664943687eb466cdeaa
Instruction ID: fb0adf4fd3cbb567fbb1f8096e974e3b8bb10724ed4d3afbf9727014f99d67c1
Opcode Fuzzy Hash: 949448dd978d9e0d651c0699fe3ee3f45592412bc1ca9664943687eb466cdeaa
Instruction Fuzzy Hash: 281159728002499FDF20DFAAD845BDFBBF5EF88324F248419E515A7250C775A950CBA1

Function 06C02564 Relevance: 1.6, APIs: 1, Instructions: 56
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06C04862,?,?,?,?,?), ref: 06C04907

Memory Dump Source

Source File: 00000000.00000002.2197401336.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_Shipping Document.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 7351deaa848554dff118ee38368a51de6369b0031a09b23f5bc1e6171dba40eb
Instruction ID: e242a331bbedc7446c0226a3132b531473967d651bd0b38b7d894dafe11334fa
Opcode Fuzzy Hash: 7351deaa848554dff118ee38368a51de6369b0031a09b23f5bc1e6171dba40eb
Instruction Fuzzy Hash: 901129B2800349DFEB10DF9AD944BDEBFF8EB48324F14841AE614A7250C375A954DFA5

Function 06DD9F30 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DD9F9E

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9d6e2454d001f52b521bb88662125b624251c4ad93dbc3de29a1be16f1b03e24
Instruction ID: 124c79a98216afd07af7d3da3fdf9a198c7157dc00d89a8a6805d6569ed6ed7b
Opcode Fuzzy Hash: 9d6e2454d001f52b521bb88662125b624251c4ad93dbc3de29a1be16f1b03e24
Instruction Fuzzy Hash: A01156728002499FDF10DFAAC844BDEBBF5EF88324F148419E519A7250C776A910CBA0

Function 06DD9968 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DD99D2

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8d4a986b9dde54853582f55b5ca557bff1d87b05e28a1d34df6e5288e73f4054
Instruction ID: 7a1c95b87c54bebd5f8fe1e11c05aa04fba98d86b32d2e2bce45a5e06b76532a
Opcode Fuzzy Hash: 8d4a986b9dde54853582f55b5ca557bff1d87b05e28a1d34df6e5288e73f4054
Instruction Fuzzy Hash: CF1158B1D003498FDB20DFAAC8457DFFBF4AF88224F24841AD519A7240CB75A944CFA5

Function 06DD9970 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DD99D2

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 67291df1f5b64de64def768c6826eb7d244d2528fc687017b79b7869098c35c6
Instruction ID: 4bb4292a697db3cf1d4f2c4185f08a6b5443224227f8519e1b2c60cce5039af5
Opcode Fuzzy Hash: 67291df1f5b64de64def768c6826eb7d244d2528fc687017b79b7869098c35c6
Instruction Fuzzy Hash: BA113A71D003498FDB10DFAAC4457DEFBF4AF88724F24841AD519A7240CB75A944CB95

Function 06DDA208 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DDEA75

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ec69efd2b1916762271e10a1582b823e93d3208a97fcecccad5b7a4a50fcf853
Instruction ID: f325832877222fc25c814c37dbeba88a4bd58fc91f7ef7c77302103130ab05c6
Opcode Fuzzy Hash: ec69efd2b1916762271e10a1582b823e93d3208a97fcecccad5b7a4a50fcf853
Instruction Fuzzy Hash: F311E0B58003499FDB50DF9AD984BDEBBF8FB48324F10841AE518A7210C3B9A944CFA1

Function 06DDEA11 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 06DDEA75

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 2b95c3b17d5b8ca7cce7925e2bde18054e0e62a35dab8a37121633600ee33460
Instruction ID: 4dae6548e13bf5be05a2f82b9254ec3756cdc26bf76a2df12f7938e59bdf7a71
Opcode Fuzzy Hash: 2b95c3b17d5b8ca7cce7925e2bde18054e0e62a35dab8a37121633600ee33460
Instruction Fuzzy Hash: C311F2B5800349DFDB10DF9AD985BDEBBF8FB48324F20841AE518A7210C3B5A944CFA1

Function 00C3BD20 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00C3BD86

Memory Dump Source

Source File: 00000000.00000002.2187902050.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c30000_Shipping Document.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b61f3f291fd4bc6fe83818f0c3486c9ba418e592e1b8bd950d1947602b262e5e
Instruction ID: 6936b3275038648fb6d82824c2214a1c01eae4949b986a396a0de32175b2e729
Opcode Fuzzy Hash: b61f3f291fd4bc6fe83818f0c3486c9ba418e592e1b8bd950d1947602b262e5e
Instruction Fuzzy Hash: 34110FB6C003498FDB10DF9AD444BDEFBF4AF88324F10842AD528A7210C3B9A945CFA1

Function 0095D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186645407.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273db286f2317e9c1b8d15d158c4d4e21a7f0775bbb4a71d999563b06bb38dd2
Instruction ID: 0c421496b8b5ee62c1548652ab25c075a15bc6ec585e3a8eb538ef4d10be423c
Opcode Fuzzy Hash: 273db286f2317e9c1b8d15d158c4d4e21a7f0775bbb4a71d999563b06bb38dd2
Instruction Fuzzy Hash: AF213A76504204DFDB24DF15D9C0B26BF65FB94325F20C56DDD090B2A6C33AE85ACBA2

Function 0095D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186645407.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d086a3c9e744439e745b5332710788b8be968d10086c4ba00e285e2630f3b60f
Instruction ID: 65c6ebe8a680dc496e7661af9e202522f70bff5a7f296824369066f74c85d109
Opcode Fuzzy Hash: d086a3c9e744439e745b5332710788b8be968d10086c4ba00e285e2630f3b60f
Instruction Fuzzy Hash: E0214572504240EFDB25DF15D9C0B26BF65FBC8319F20C569ED090B25AC33AD85ACBA1

Function 0096D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186737342.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aadedf881d3651a45b0547401dffb7f15b3b38bd7d654843b2d555e9dcf268c8
Instruction ID: 26bd0ea67d648048039666fe334ba7fc11eec758b034e5b451913a40693340cb
Opcode Fuzzy Hash: aadedf881d3651a45b0547401dffb7f15b3b38bd7d654843b2d555e9dcf268c8
Instruction Fuzzy Hash: 322146B1A04300EFDB04DF10D9D0B26BBA5FB88314F24C96DE9294B292C37AD846CB61

Function 0096D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186737342.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 229c5060d4731720fa14b81bd6d77fe04854edf3d2e83785c9b0ae5a4839f47f
Instruction ID: 7b337aecb9fdc0e2e254a1de48aaf427e6e792da5aeb7f3d74b1d8779a97c4fa
Opcode Fuzzy Hash: 229c5060d4731720fa14b81bd6d77fe04854edf3d2e83785c9b0ae5a4839f47f
Instruction Fuzzy Hash: 3C213475A04340EFDB14DF14D9C0B26BB65FB88314F20C96DE90A0B292C37BD807CAA1

Function 0096D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186737342.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946aa2c9e169134481f0f22d0787afb16f0b56e1ab0026f43f66fd5f00962a7c
Instruction ID: c49d6939a5339a9c5cd087cc2b197376a2b2fd2dcff7053adf9fe152553b09d1
Opcode Fuzzy Hash: 946aa2c9e169134481f0f22d0787afb16f0b56e1ab0026f43f66fd5f00962a7c
Instruction Fuzzy Hash: 5C214C755093808FCB12CF24D994B15BF71AB46214F28C5EAD8498B6A7C33A980ACB62

Function 0095D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186645407.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: c85005d8ad7f4329f876574ad668a738f01b62b716921dbfd1e09d6de5d25fdb
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 3311D3B6504280DFDB15CF11D5C4B16BF72FB94324F24C6A9DC490B666C33AE85ACBA1

Function 0095D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186645407.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 2410865b603fc2de320f3516768477ffe527dab023ecfb1f63cc7f7d6f4bba75
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 7D11D376504284CFCB15CF10D5C4B16BF71FB94318F24C6A9EC490B65AC33AD85ACBA1

Function 0096D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186737342.000000000096D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0096D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_96d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 7020340e41030423ea59ad82eec3820ce43839e6d7f8354b7011b926a9684e07
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 6811DDB5A04280DFDB11CF10C5D0B15FBB1FB84314F28C6AED8594B2A6C33AD84ACB61

Function 0095D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186645407.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daa298fc8b7180a761588673c77690c75ed4348eecf7606e0fe22dfbb22b72dd
Instruction ID: 17fb0f9f7d6ed32d9afdc5001fd35a954da13d7715f045ff01d24e29fe0757ca
Opcode Fuzzy Hash: daa298fc8b7180a761588673c77690c75ed4348eecf7606e0fe22dfbb22b72dd
Instruction Fuzzy Hash: 16012BB10063409AF730DF26DD84B66BFDCDF45325F18C55AED084B292D6B99844C771

Function 0095D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186645407.000000000095D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0095D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_95d000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfc21734e0e0aa149de4b0f99cc7f5d0b7de4866493603de33332af0268cde7d
Instruction ID: d541d1d0c26cb06fc954c223a8bf74c3273b9b63373be689789d1e889c459ff5
Opcode Fuzzy Hash: cfc21734e0e0aa149de4b0f99cc7f5d0b7de4866493603de33332af0268cde7d
Instruction Fuzzy Hash: 40F0C2B2405344AAF7208E16D884B62FF9CEB95735F18C05AED080B296C2799C44CBB1

Non-executed Functions

Function 06DD7628 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107ec0609b42d415c44aa0d0fea04208f435a91dbc58db71fc554e6175ddcaf9
Instruction ID: 648b831db253d6a525f770b64c8209a5b20a73963a734bde2dcc3cef9b842c78
Opcode Fuzzy Hash: 107ec0609b42d415c44aa0d0fea04208f435a91dbc58db71fc554e6175ddcaf9
Instruction Fuzzy Hash: FAE11B74E102598FDB14DFA9C580AAEFBF2FF49304F2492A9D415AB359D730A942CF60

Function 06DD9148 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ebe5b3c4f56a7c16c87bc28fdb5060f9e02deede241553097a10a9d5c7fb720
Instruction ID: 2fff2469052d50e99110f397f2128bd972a6ecdc29549f7b0d029e603282db15
Opcode Fuzzy Hash: 5ebe5b3c4f56a7c16c87bc28fdb5060f9e02deede241553097a10a9d5c7fb720
Instruction Fuzzy Hash: 1AE13C74E002598FDB14DFA9C590AAEFBF2FF89304F248269D415AB355D731A942CF60

Function 06DD7EA8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37b2dd11281acace6ef019a0796549b4e20db727973644a0f2de3b70349367a6
Instruction ID: 2c37c1b7baa41c48938a92e05a04dcf0d7a9bf85e0d11d19fa80ec81f0bd24bc
Opcode Fuzzy Hash: 37b2dd11281acace6ef019a0796549b4e20db727973644a0f2de3b70349367a6
Instruction Fuzzy Hash: AFE11B74E002598FDB14DFA9C580AAEFBF2FF89304F248269D515AB355D730A942CFA0

Function 06DD9AF8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7390a08806ba38e65b5246e446db815e34f9187852f1f36c23cdfb26e56655
Instruction ID: 8f01364ff1b6e88e8c2ffa07eef8eecbafd8c8fde63c9dff26481419963f25fb
Opcode Fuzzy Hash: cc7390a08806ba38e65b5246e446db815e34f9187852f1f36c23cdfb26e56655
Instruction Fuzzy Hash: D4E11D74E002598FDB14DFA9C590AAEFBF2FF89304F248169D415AB359D7319942CFA0

Function 06DD7A70 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adbaf0a7a2e2f5c0f583dcc62fe8b70e4a8d7b35fe2086959dafae00c9a350c6
Instruction ID: 2843a2c65455c7ca2ac720473a0508f26969b6c403fc053ece059f72883c8560
Opcode Fuzzy Hash: adbaf0a7a2e2f5c0f583dcc62fe8b70e4a8d7b35fe2086959dafae00c9a350c6
Instruction Fuzzy Hash: 72E1F974E102598FDB14DFA9C580AAEFBF2BF89304F248269D515AB359D730AD42CF60

Function 06C0F848 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197401336.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3976aa4cc5b144bb07aa55f7f24169f22cb2484f6a451c84aee1c5b951be89a
Instruction ID: a909944a983c9231ca0e6acb165b4bc64ead8be1db3d71971daa9e60ae2ce69c
Opcode Fuzzy Hash: e3976aa4cc5b144bb07aa55f7f24169f22cb2484f6a451c84aee1c5b951be89a
Instruction Fuzzy Hash: 7A91E471D05218DFEBA4CFA6D8447EDBBB5BF4A300F10816AD829A7291DB745A85CF80

Function 06C0E638 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197401336.0000000006C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c00000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7011783dccb50879dbda00ba0ca612f53cb86d5ffdeeead9ffbf220ec48d119
Instruction ID: 3c1b27ae85364f69d7bf1873ccb5d8f2ce4c6b2ecd0efba027225002e75f7096
Opcode Fuzzy Hash: b7011783dccb50879dbda00ba0ca612f53cb86d5ffdeeead9ffbf220ec48d119
Instruction Fuzzy Hash: 97611B70A102098FE748DFAAE965699BFF3FFC8300F04D129E414AB298EF7459468F50

Function 06DD7A61 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b09cd0f80d4dafea46b65bb19e172d4e389eeba5b120c3446a4f925fa56690
Instruction ID: ec83833d0b74320a738252da401c29eb3f731688066dd12e8cfe879f623e2a1e
Opcode Fuzzy Hash: 21b09cd0f80d4dafea46b65bb19e172d4e389eeba5b120c3446a4f925fa56690
Instruction Fuzzy Hash: 8551FC74E102598FDB14DFA9C5809AEFBF2BF89304F2481AAD419AB355D7309942CFA1

Function 06DD9AE8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7779f66fe3d294304f65317f6f6ab9acead86a9d1200c176881cd762035e8c9f
Instruction ID: f251db1c7c5dcb777c9fe12746b0e790d9b754881aec1815b7765f9c3a20acab
Opcode Fuzzy Hash: 7779f66fe3d294304f65317f6f6ab9acead86a9d1200c176881cd762035e8c9f
Instruction Fuzzy Hash: BE512B70E002198FDB14DFA9C9905AEFBF2FF89304F24816AD418AB359D7319942CFA1

Function 06DD7E98 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2197470645.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6dd0000_Shipping Document.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269a1833c18f7faad6a9899a466fb937454a8fb3cee983e5bebb3a76d4ebb92e
Instruction ID: 2c00ed848140aae427eebbe9e054a2ce53e0d1b4a916011c6f5321b9380f3361
Opcode Fuzzy Hash: 269a1833c18f7faad6a9899a466fb937454a8fb3cee983e5bebb3a76d4ebb92e
Instruction Fuzzy Hash: 2A511A74E012198FDB14DFA9C9806AEFBF2BF89304F24816AD418AB355D7319D42CFA1

Analysis Process: MSBuild.exePID: 6528, Parent PID: 4436COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.8%
Total number of Nodes:	548
Total number of Limit Nodes:	72

Executed Functions

Function 0041A3D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415

Strings

bMA, xrefs: 0041A3F2, 0041A400
!JA, xrefs: 0041A3EC, 0041A3F8
bMA, xrefs: 0041A40D, 0041A414

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Function 0041A31B Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e854bda4c8ffc7a545f0fa1354872165e9ca619cff1b1dff18116eccacdb2e5c
Instruction ID: 843ed695e50a36f3005de0b6640789ce179117e1bd0c38b56b8052d49bf53f0c
Opcode Fuzzy Hash: e854bda4c8ffc7a545f0fa1354872165e9ca619cff1b1dff18116eccacdb2e5c
Instruction Fuzzy Hash: 3001B2B2211108AFCB08DF99DC85EEB77A9AF8C754F158249FA0D97241C630E8518BA4

Function 0041A320 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Function 0041A500 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A4FF Relevance: 1.5, APIs: 1, Instructions: 27
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f45946b05a1dd7d052a3d9b6a11d98c611a3919fd67080911be21ade4fe0f789
Instruction ID: 017ad903feb3531cfc01750c973c23e044ee790ddf7460f9de04a0f8c24ecf1a
Opcode Fuzzy Hash: f45946b05a1dd7d052a3d9b6a11d98c611a3919fd67080911be21ade4fe0f789
Instruction Fuzzy Hash: DAF039B6204149ABCB14DF99DC84CA777A9FF88324B15865AF94997202C634E865CBA0

Function 0041A44B Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d3d262518f34281f0e577afdfc2171d9aadb620eb04ab38b03f22fa21ed5c3ce
Instruction ID: eb9f6bd40963156d82049b5c65ce28109efdb37e11e6bc60a87de4852ffb79c9
Opcode Fuzzy Hash: d3d262518f34281f0e577afdfc2171d9aadb620eb04ab38b03f22fa21ed5c3ce
Instruction Fuzzy Hash: 68E0C276200210ABD721EBA8CC44ED77B68EF44374F05459DB9989B282C230E600C7E0

Function 0041A450 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0

Function 00F82AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82ADA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4da76cf9d892bea879f9f6f9a798bf319f2add36b99dd78171643a01150901a
Instruction ID: 0a3a999c0ec8d306c2b0f083042b923fb4d545934adedd72f7b1732b0b91d56d
Opcode Fuzzy Hash: d4da76cf9d892bea879f9f6f9a798bf319f2add36b99dd78171643a01150901a
Instruction Fuzzy Hash: 93900225211400131605B5584704507004687D6391355C032F1019550DDA2589626125

Function 00F82BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82BFA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b9560696ced4ec965a62be01503a61076cbb917b64907e369351a0b33eadf24
Instruction ID: 7c14024ed2ef89a6c2741be04807717f535dfc4aa9325e3d1a49f954e4b7cb9e
Opcode Fuzzy Hash: 6b9560696ced4ec965a62be01503a61076cbb917b64907e369351a0b33eadf24
Instruction Fuzzy Hash: 3390023120140812E6807158840464A000587D2341F95C026A0029654ECE198B5A77A5

Function 00F82B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82B6A

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 441f77228d1197e61000e0cc8c63192e2824b5d5ba03b21552eb8c4447c15d38
Instruction ID: a3efc0f309478cce6d7776b941e2c2e79bb64630ca5fcc1859ab5446641a9763
Opcode Fuzzy Hash: 441f77228d1197e61000e0cc8c63192e2824b5d5ba03b21552eb8c4447c15d38
Instruction Fuzzy Hash: 1B90026120240013560571588414616400A87E1341B55C032E1018590EC92989927129

Function 00F82CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82CAA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3214b5800cc7f62179507d8b585f32b11b9517f8611765659c2aec4ef484b805
Instruction ID: 8fa83b782a88d52084fe667b60cf4cfa94d519e13fd1c9651e8344c946f06aff
Opcode Fuzzy Hash: 3214b5800cc7f62179507d8b585f32b11b9517f8611765659c2aec4ef484b805
Instruction Fuzzy Hash: 3290023120140412E60075989408646000587E1341F55D022A5028555FCA6989927135

Function 00F82C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82C7A

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8f6125bbfda9ff7877326b1a5227a07460be57975506bd5448640b2ce7a592c6
Instruction ID: 1b795bba94f4159031ab2cb7ac2b3153a339210e5ff17b78a2b3f16fc5a5c20e
Opcode Fuzzy Hash: 8f6125bbfda9ff7877326b1a5227a07460be57975506bd5448640b2ce7a592c6
Instruction Fuzzy Hash: 1C90023120148812E6107158C40474A000587D1341F59C422A4428658E8A9989927125

Function 00F82DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82DFA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 140d1b940f640b88caab6d9876f3cca74ad7f507a8cdca40f0da607cfdf1ea36
Instruction ID: 9a0c3bd3a76b6d1e499344bbe31e52bd22553f02bb51321b60ce05f6bb2f3c61
Opcode Fuzzy Hash: 140d1b940f640b88caab6d9876f3cca74ad7f507a8cdca40f0da607cfdf1ea36
Instruction Fuzzy Hash: 3190023120140423E61171588504707000987D1381F95C423A0428558E9A5A8A53B125

Function 00F82DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82DDA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cce8d4d470f396274ff64014ff4391cf3d5de8812f713d78b66203341a4a910a
Instruction ID: ec6ce89444962927fd62c6b8174f0b7136650e5abffb38309640daeedb409011
Opcode Fuzzy Hash: cce8d4d470f396274ff64014ff4391cf3d5de8812f713d78b66203341a4a910a
Instruction Fuzzy Hash: 1B900221242441626A45B1588404507400697E1381795C023A1418950D892A9957E625

Function 00F82D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82D3A

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f2ba4d4a784a239ade3f22f96db52b4e3ae6444c58fff9bab709faefa48c6c0
Instruction ID: 7fbe8c7429afbb294570d08b81edc02588f738e5718cc37259141fbdda040aa2
Opcode Fuzzy Hash: 5f2ba4d4a784a239ade3f22f96db52b4e3ae6444c58fff9bab709faefa48c6c0
Instruction Fuzzy Hash: E190022130140013E640715894186064005D7E2341F55D022E0418554DDD1989576226

Function 00F82D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82D1A

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 60ed9ade43182fa001fbfa5a5a60bc594ea61892f31e01ce253290c628a76b2c
Instruction ID: bfd17ffc50d23b40ef5dc54e758cd4915e16bcaf0e6c4707292e8240ed263ba1
Opcode Fuzzy Hash: 60ed9ade43182fa001fbfa5a5a60bc594ea61892f31e01ce253290c628a76b2c
Instruction Fuzzy Hash: AA90022921340012E6807158940860A000587D2342F95D426A0019558DCD19896A6325

Function 00F82EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82EAA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 15e234c3248aad44b323831725ae225c62c730846c8405e1fadfa83d0a8662ce
Instruction ID: 7c5a5826c17cee5d9f014094f61250637754f3a9e7e8ce44df4c683878abf7a3
Opcode Fuzzy Hash: 15e234c3248aad44b323831725ae225c62c730846c8405e1fadfa83d0a8662ce
Instruction Fuzzy Hash: 2790027120140412E64071588404746000587D1341F55C022A5068554F8A5D8ED67669

Function 00F82E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82E8A

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2df81d31ba4b57fbebe33fdff8b5d28dc3039ef384d472d36b97043aedfb3d7e
Instruction ID: b555cb2c44a95a6111ef7a98cab6c6b6a9a09b5fc377f030b0696958461dfec5
Opcode Fuzzy Hash: 2df81d31ba4b57fbebe33fdff8b5d28dc3039ef384d472d36b97043aedfb3d7e
Instruction Fuzzy Hash: E790022160140512E60171588404616000A87D1381F95C033A1028555FCE298A93B135

Function 00F82FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82FEA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c2de60ec6806fba3d3e61103b8cac5c8354ae45971c2b04565fd989e4d0c4c93
Instruction ID: 88059bbbfae7fbf73cddfd1dd044be08e56c53d78eff3e7aaa06e891a8ce0645
Opcode Fuzzy Hash: c2de60ec6806fba3d3e61103b8cac5c8354ae45971c2b04565fd989e4d0c4c93
Instruction Fuzzy Hash: 71900221211C0052E70075688C14B07000587D1343F55C126A0158554DCD1989626525

Function 00F82FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82FBA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f115d570c867fbc5c69ba4262c23c6371e47e4f189e9b61757f5fdba0bd4a681
Instruction ID: e5d4127dab1df456a6b95fff064830f30bb821681961fe6f475c335e8089b9ab
Opcode Fuzzy Hash: f115d570c867fbc5c69ba4262c23c6371e47e4f189e9b61757f5fdba0bd4a681
Instruction Fuzzy Hash: 339002216014005256407168C8449064005ABE2351755C132A099C550E895D89666669

Function 00F82F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82F9A

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc655ec1928d0d55f8520bf0be681f6e2737825165b3a0d441e57c8e004352cb
Instruction ID: 27be60848499a7bf466cb164f62f2a73ed1d38a9ff9cc843d268372907a83c07
Opcode Fuzzy Hash: fc655ec1928d0d55f8520bf0be681f6e2737825165b3a0d441e57c8e004352cb
Instruction Fuzzy Hash: 0390023120180412E6007158881470B000587D1342F55C022A1168555E8A2989527575

Function 00F82F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82F3A

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a4068484046e8d7a948058d9d528f488713d8082b88cbb4d11d9b616d08cfa4a
Instruction ID: caa31c3c7e4a47a6be6a6778f1f26d67c7269638d9a6bed7cdc96b283a4ac43b
Opcode Fuzzy Hash: a4068484046e8d7a948058d9d528f488713d8082b88cbb4d11d9b616d08cfa4a
Instruction Fuzzy Hash: F990026134140452E60071588414B060005C7E2341F55C026E1068554E8A1DCD53712A

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6

Function 0041A5F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D

Strings

&EA, xrefs: 0041A612, 0041A61C

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

Function 00408393 Relevance: 1.7, APIs: 1, Instructions: 179
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 6510bad542e569eb83e13c0d7b9af0b646b64ee4fb77eb3f3de6adfb80fb1d36
Instruction ID: 6b7f8bb14e47255658c7646da0852285353572bc77bf5488c402d48e05627252
Opcode Fuzzy Hash: 6510bad542e569eb83e13c0d7b9af0b646b64ee4fb77eb3f3de6adfb80fb1d36
Instruction Fuzzy Hash: C861D6B0900309AFDB24DF64DD85FEB77E8EB48704F10056EF949A7281EB746941CBA9

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ac2face3a80b81d0fee9304aa7ab5d06d5dde750405c7724cc7e28b99046a3a9
Instruction ID: 716281bf38cec500bb380add113fdd5c594de8bf11c5bee183275e975ed6f696
Opcode Fuzzy Hash: ac2face3a80b81d0fee9304aa7ab5d06d5dde750405c7724cc7e28b99046a3a9
Instruction Fuzzy Hash: F801FC71A8031876EB20A6918D43FFF672C6B41F54F05412EFF04BA1C1D6F8690546F9

Function 0041A662 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: dd6e3777131719cca2a418aa5b3391d70880d811ba777f66e6b8170cca4d0c63
Instruction ID: a69ed1b6dd219986bfb2f5c6a45b3a104f2452afec348c127e88c009e551c76d
Opcode Fuzzy Hash: dd6e3777131719cca2a418aa5b3391d70880d811ba777f66e6b8170cca4d0c63
Instruction Fuzzy Hash: 791103B2201108AFDB14DF98CC85EEB77A9AF8C354F158249BA4DA7241C630E951CBA4

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

Function 0041A623 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c9cede1a70ae172bd288e0e8bf369d21c6bb8e95861d8ebee86d7ece50247bb9
Instruction ID: 126ce3dd669e9c185ab9911fa29305926a5e12aa467f4e619f6b7b26b7caea20
Opcode Fuzzy Hash: c9cede1a70ae172bd288e0e8bf369d21c6bb8e95861d8ebee86d7ece50247bb9
Instruction Fuzzy Hash: 48F0E575200204AFD714DFA4EC45ED737A8FF44360F11465AF81857392C271EA05CFA0

Function 0041A630 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

Function 0041A790 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1

Function 00F82C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00F82C24

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b61f3cf6200f1af4a33e4bbd3929615671e8d8346c8f5e0be5e10e9365f1939f
Instruction ID: 9e29f36098e58cbab66a1734697e1c9bd8d2675e909f204fca5d924a9df53a8d
Opcode Fuzzy Hash: b61f3cf6200f1af4a33e4bbd3929615671e8d8346c8f5e0be5e10e9365f1939f
Instruction Fuzzy Hash: D2B09B71D015C5D5EF51F760460871B790067D1751F15C072D2034645F473CD5D1F275

Non-executed Functions

Function 00FC2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 00FC25A0
UseImpersonatedDeviceMap, xrefs: 00FC251C
DisableExceptionChainValidation, xrefs: 00FC275F
ShutdownFlags, xrefs: 00FC24A1
CFGOptions, xrefs: 00FC2967
@, xrefs: 00FC2942
TracingFlags, xrefs: 00FC2549
LdrpInitializeExecutionOptions, xrefs: 00FC317D
MaxLoaderThreads, xrefs: 00FC24EC
minkernel\ntdll\ldrinit.c, xrefs: 00FC3187
GlobalFlag, xrefs: 00FC2F3F, 00FC3059
RaiseExceptionOnPossibleDeadlock, xrefs: 00FC2579
DisableHeapLookaside, xrefs: 00FC246D
Initializing the application verifier package failed with status 0x%08lx, xrefs: 00FC3176
UnloadEventTraceDepth, xrefs: 00FC24C0
@, xrefs: 00FC2B74
GlobalFlag2, xrefs: 00FC2FC0
FrontEndHeapDebugOptions, xrefs: 00FC2489
MaxDeadActivationContexts, xrefs: 00FC2D82
MinimumStackCommitInBytes, xrefs: 00FC2BB0

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: a28e66cb5d43058f4a8e003e64970352901367480a9736f3a3578d980294e140
Instruction ID: 9e567d75716230914aae7c14a88539a6bf856803a1b605cab23a5a755382248a
Opcode Fuzzy Hash: a28e66cb5d43058f4a8e003e64970352901367480a9736f3a3578d980294e140
Instruction Fuzzy Hash: 0B92AB71A04342AFD760DF24C982F6AB7E8FB84760F04482DFA94D7291D774E944EB92

Function 00F78620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Thread identifier, xrefs: 00FB553A
Critical section debug info address, xrefs: 00FB541F, 00FB552E
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FB540A, 00FB5496, 00FB5519
First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FB54E2
corrupted critical section, xrefs: 00FB54C2
Address of the debug info found in the active list., xrefs: 00FB54AE, 00FB54FA
undeleted critical section in freed memory, xrefs: 00FB542B
Critical section address, xrefs: 00FB5425, 00FB54BC, 00FB5534
Critical section address., xrefs: 00FB5502
Invalid debug info address of this critical section, xrefs: 00FB54B6
Thread is in a state in which it cannot own a critical section, xrefs: 00FB5543
double initialized or corrupted critical section, xrefs: 00FB5508
8, xrefs: 00FB52E3
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 00FB54CE

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: a641835451a4fff54772882f4b2214e0fdcf1fd8efa1d3c0921405222305a275
Instruction ID: 59ac8b8a45c1e3c4c831c9a8f8a75194531404127740ae20c5f2da386e520040
Opcode Fuzzy Hash: a641835451a4fff54772882f4b2214e0fdcf1fd8efa1d3c0921405222305a275
Instruction Fuzzy Hash: CA81ABB1E41758AFEB20CF95D845BEEBBB5AB08B24F244019F508B7280C779AD41EB51

Function 00F729F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 00FB2409
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 00FB24C0
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 00FB2624
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 00FB22E4
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 00FB2412
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 00FB2602
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 00FB25EB
RtlpResolveAssemblyStorageMapEntry, xrefs: 00FB261F
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 00FB2498
@, xrefs: 00FB259B
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 00FB2506

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 082e019aafc63b3303a2f187aede2eca5961cc5b792b9aa8235904ca86a8f13f
Instruction ID: 20fd3bdd98dad365f58f7eb5b9cbc7da666b450ce35f9edc1e9d6968f7667fdf
Opcode Fuzzy Hash: 082e019aafc63b3303a2f187aede2eca5961cc5b792b9aa8235904ca86a8f13f
Instruction Fuzzy Hash: 570260B2D002289BDB71DB14CC81BDDB7B8AB54314F0441EAE64DA7241DB35AF84EF5A

Function 00FE8B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

heapType, xrefs: 00FE8BCB
services.exe, xrefs: 00FE8B96
csrss.exe, xrefs: 00FE8B80
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 00FE8BD0
SegmentHeap, xrefs: 00FE8BE9
svchost.exe, xrefs: 00FE8B68
DefaultBrowser_NOPUBLISHERID, xrefs: 00FE8D00
runtimebroker.exe, xrefs: 00FE8B73
lsass.exe, xrefs: 00FE8BA1
smss.exe, xrefs: 00FE8B8B

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 4a8b2997a50200861f097135928ad8ab0f4fe41fe17b5d9d52fcd10fd81564f7
Instruction ID: 7f7cf886162b45346146ba9f20a373ac3a609408b03743ce84df317d80f38e2a
Opcode Fuzzy Hash: 4a8b2997a50200861f097135928ad8ab0f4fe41fe17b5d9d52fcd10fd81564f7
Instruction Fuzzy Hash: 6151D3715083919BC335EF198C44BABBBE8BF843A0F24491EF85D83181EB70D945E7A2

Function 00FF0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00FF03A6, 00FF04B5, 00FF05DD, 00FF0682, 00FF06D9
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 00FF04D3
RtlReAllocateHeap, xrefs: 00FF02BF, 00FF0362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 00FF069F
About to reallocate block at %p to %Ix bytes, xrefs: 00FF03BA
Just reallocated block at %p to %Ix bytes, xrefs: 00FF05F1
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 00FF06EA
HEAP[%wZ]: , xrefs: 00FF0399, 00FF04A8, 00FF05D0, 00FF0675, 00FF06CC

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 7220b3052e1991e925bd5f94dc33b092a663d4ef34c0ba1d25569cf3ef82ce53
Instruction ID: b64594d385b9418dd989b77106dca68b901e607b2a8ba884e346e2e4c9fe69d0
Opcode Fuzzy Hash: 7220b3052e1991e925bd5f94dc33b092a663d4ef34c0ba1d25569cf3ef82ce53
Instruction Fuzzy Hash: C9D1D031900689DFCB22DF68C851ABDBBF1FF49720F088059E6459B263CB39D981EB10

Function 00FC89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

VerifierDebug, xrefs: 00FC8CA5
VerifierDlls, xrefs: 00FC8CBD
VerifierFlags, xrefs: 00FC8C50
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 00FC8A3D
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 00FC8A67
HandleTraces, xrefs: 00FC8C8F
AVRF: -*- final list of providers -*- , xrefs: 00FC8B8F

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: f2bf20de3203455af497e2d17e2d4ef89ccd4a9c865e12f3ee21ace71a8c2b07
Instruction ID: b0819d7eb16ddcc8b186dc7825fd56457ae4d641d360b4515567760ae7b13356
Opcode Fuzzy Hash: f2bf20de3203455af497e2d17e2d4ef89ccd4a9c865e12f3ee21ace71a8c2b07
Instruction Fuzzy Hash: E0914872A05712AFC321DF68DE83F5A77A8BB84760F05441DF9816B291CB78EC06E791

Function 00F4EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 00F4EB62
, xrefs: 00F4F299
LdrpResSearchResourceInsideDirectory Enter, xrefs: 00F4EB58
T, xrefs: 00F4EB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 00F4EB6C
{, xrefs: 00FA4643

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 6b2fa83eaff73473c4cbad69f67b274537c04dbce707b999293ae98458967b60
Instruction ID: 08bbd55141d56afe252836feb142cdeec6a5cf7233e2122ede9be5b3e7216a10
Opcode Fuzzy Hash: 6b2fa83eaff73473c4cbad69f67b274537c04dbce707b999293ae98458967b60
Instruction Fuzzy Hash: 1CA24C75E056298FDB64CF18CC887A9BBB5BF85314F2442E9D80DA7250DB74AE85EF00

Function 00F763FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 00FB40D8
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 00FB41FE
Delaying execution failed with status 0x%08lx, xrefs: 00FB4258
Process initialization failed with status 0x%08lx, xrefs: 00FB413A
minkernel\ntdll\ldrinit.c, xrefs: 00FB40E9, 00FB414B, 00FB420F, 00FB4269
_LdrpInitialize, xrefs: 00FB40DF, 00FB4141, 00FB4205, 00FB425F

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: f71369f2b01ee1078b8071e8dcd0ffcacf042eb32aee8b9a96c627eaa95fd2e9
Instruction ID: a87aa24b23a5bac97cb0f7008ea3d9d155c891565faaf7878bf1ecc214073adc
Opcode Fuzzy Hash: f71369f2b01ee1078b8071e8dcd0ffcacf042eb32aee8b9a96c627eaa95fd2e9
Instruction Fuzzy Hash: 7D916931E00710ABDB35EF15ED45BEA37A4BF41B24F14412AF944AB2C2D779A841FB92

Function 00F3645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

apphelp.dll, xrefs: 00F36496
Getting the shim user exports failed with status 0x%08lx, xrefs: 00F99A01
Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 00F999ED
Loading the shim user DLL failed with status 0x%08lx, xrefs: 00F99A2A
LdrpInitShimEngine, xrefs: 00F999F4, 00F99A07, 00F99A30
minkernel\ntdll\ldrinit.c, xrefs: 00F99A11, 00F99A3A

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: 6da634ccf37575eee5d3ae296292c5144623c9b58cdf4b1230bdbce180736850
Instruction ID: a1c26a7fdf087e4b6e52d2b0d6ca198cdc2fd9a53050fcbab1561c32b519c5c1
Opcode Fuzzy Hash: 6da634ccf37575eee5d3ae296292c5144623c9b58cdf4b1230bdbce180736850
Instruction Fuzzy Hash: 5351D171608300ABE720DF24DC82BAB77E8FB84754F00491DF5859B1A1D778E904EB92

Function 00F7C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 00F7C6C4
Unable to build import redirection Table, Status = 0x%x, xrefs: 00FB81E5
minkernel\ntdll\ldrredirect.c, xrefs: 00FB8181, 00FB81F5
Loading import redirection DLL: '%wZ', xrefs: 00FB8170
LdrpInitializeImportRedirection, xrefs: 00FB8177, 00FB81EB
minkernel\ntdll\ldrinit.c, xrefs: 00F7C6C3

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: e35f35d2a19e9c892a9870687dd30286ce70cdcd741e4b5e152ed20d47640c44
Instruction ID: fe06095576291c647f9192054226eacc5d406c6bbd1c7a90b2a5b61877e71f76
Opcode Fuzzy Hash: e35f35d2a19e9c892a9870687dd30286ce70cdcd741e4b5e152ed20d47640c44
Instruction Fuzzy Hash: 4A310B716443159FC220EF68DD87E5A7798FFC5B10F04452CF8889B291DA28DD05EBA3

Function 00F72674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 00FB219F
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 00FB2180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 00FB21BF
SXS: %s() passed the empty activation context, xrefs: 00FB2165
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 00FB2178
RtlGetAssemblyStorageRoot, xrefs: 00FB2160, 00FB219A, 00FB21BA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: ca9a892f491cb0b2b6cad727e4e41787acabee67e789ff12a29b41e7bf0d19f4
Instruction ID: 87fa217a3a256f02c76dee81986bf3ef1dd9201d0e48017de2e7286123808e43
Opcode Fuzzy Hash: ca9a892f491cb0b2b6cad727e4e41787acabee67e789ff12a29b41e7bf0d19f4
Instruction Fuzzy Hash: AF315C36F0032177E7219A598C86FDFB778DB54B50F15405ABA0877241D270DE01FBA2

Function 00F8096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 00F82DF0: LdrInitializeThunk.NTDLL ref: 00F82DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F80D74

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 8f550626082fd000e19d6cd748258ca2265d86769ca46ff813b20e73e6a71695
Instruction ID: a6000922a38e5ec15ba7a29d783e079ebd3cb490cb49413de746b191b76c10e3
Opcode Fuzzy Hash: 8f550626082fd000e19d6cd748258ca2265d86769ca46ff813b20e73e6a71695
Instruction Fuzzy Hash: 7C426B72900715DFDB60DF64C881BEAB7F4BF04310F1485A9E999EB241EB74AA84DF60

Function 00F4A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

6, xrefs: 00F4A3F7
8, xrefs: 00F4A3E7
LdrResFallbackLangList Exit, xrefs: 00F4A3FF
LdrResFallbackLangList Enter, xrefs: 00F4A3EF

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: e8fe3d71ef1451c8713fdbcdae6aef298800eb820af5bb1a523819cafb880baf
Instruction ID: 5c4cdf5ddfef660705167e3d1c4d62905b61aa86798af2dbe0e160808eb7c9cb
Opcode Fuzzy Hash: e8fe3d71ef1451c8713fdbcdae6aef298800eb820af5bb1a523819cafb880baf
Instruction Fuzzy Hash: E6C19BB56483828FD711CF18C540B6ABBE4FF85714F04486AFC958B261E778CA49EB53

Function 00F78402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 00F78422
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 00F7855E
@, xrefs: 00F78591
minkernel\ntdll\ldrinit.c, xrefs: 00F78421

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: a64daf1557ed5163904d5f96cc728f15f3727562dd028caa4420d15aa396eb49
Instruction ID: e162fc613903edb2f025227b4825d6658bdb6a7596497005389b2b654d1b66e3
Opcode Fuzzy Hash: a64daf1557ed5163904d5f96cc728f15f3727562dd028caa4420d15aa396eb49
Instruction Fuzzy Hash: BB91BD71548340AFD721EE21CC45FABBBECBF84794F44492EFA8892041E738D945AB63

Function 00F7273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 00FB21D9, 00FB22B1
SXS: %s() passed the empty activation context, xrefs: 00FB21DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 00FB22B6
.Local, xrefs: 00F728D8

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: ed1ecf6015cdba9535cff81c6a8f08aabca43e1882387a57b5fcd56da1f01254
Instruction ID: eed8a7fd440a778388e68070f0b134abdca37a1af9f89ffa9298c99ab1e922d9
Opcode Fuzzy Hash: ed1ecf6015cdba9535cff81c6a8f08aabca43e1882387a57b5fcd56da1f01254
Instruction Fuzzy Hash: E1A1B232D00229DBDB64CF55DC84BE9B3B5BF58324F2441EAD908A7251D7309E81EF92

Function 00F74AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

RtlDeactivateActivationContext, xrefs: 00FB3425, 00FB3432, 00FB3451
SXS: %s() called with invalid flags 0x%08lx, xrefs: 00FB342A
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 00FB3437
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 00FB3456

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 8ec06cbaf3ceefb47b71f8b80b9587223c4171c28552fade45dea1604912b1b9
Instruction ID: 253f6b8e65fcedda8825eaf6a59f2ccc8b36339b547835f74980c05cd69ad848
Opcode Fuzzy Hash: 8ec06cbaf3ceefb47b71f8b80b9587223c4171c28552fade45dea1604912b1b9
Instruction Fuzzy Hash: F1612A32A44B11DFC722CF19C842B66B7E5EF80B60F15852AF8599B281D734FD01EB92

Function 00F464AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 00FA106B
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 00FA1028
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 00FA0FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 00FA10AE

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: c4a87a7ce2b9f86dfe0071a88e479d4216e037a016b19da629d4f8b6738e7bc0
Instruction ID: 3157dcaa84d1958e8d0417b1ddf4363efb8072917cc06c6c46ad6d9420f1029e
Opcode Fuzzy Hash: c4a87a7ce2b9f86dfe0071a88e479d4216e037a016b19da629d4f8b6738e7bc0
Instruction Fuzzy Hash: BF71BEB19043049FCB20EF14C885B9B7FA8AF96764F140468FD498B286D739D589EBD2

Function 00F6245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 00FAA998
apphelp.dll, xrefs: 00F62462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 00FAA992
minkernel\ntdll\ldrinit.c, xrefs: 00FAA9A2

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 47aa9eb3d94f28141bd8e90dba8c96ffc44e26cd6337058ccf73e1cace887619
Instruction ID: 6ebdbf637fc366511db8274f41abff015b28ca286e3bcec09f889f0e736c38d8
Opcode Fuzzy Hash: 47aa9eb3d94f28141bd8e90dba8c96ffc44e26cd6337058ccf73e1cace887619
Instruction Fuzzy Hash: 71315BB2A00201EBDB30DF59DC85A6A77B8FB89724F154019F8416F245C77D9D45E741

Function 00F529A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00F53264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 00F5327D
HEAP[%wZ]: , xrefs: 00F53255

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 5efe591b216b2969d8e394107bcdac7a78dd11b8f59181a627a151d877ec8d1f
Instruction ID: 4455e36199ce4a1247b6a34a6780cc835a12e6d2bd3ccab0c9dedf420879ef35
Opcode Fuzzy Hash: 5efe591b216b2969d8e394107bcdac7a78dd11b8f59181a627a151d877ec8d1f
Instruction Fuzzy Hash: B592EE71E042489FDB25CF68C440BADBBF1FF49311F188159E949AB392D738AA49EF50

Function 00F50770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00FA50BD
(UCRBlock->Size >= *Size), xrefs: 00FA50CA
HEAP[%wZ]: , xrefs: 00FA50AE

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 8595608e587ce5e22a10a6eefd587d2deb6822b8b09dbd63fc2b0b1d6553dee5
Instruction ID: 800173e3050fc6e25cb7b58a0575150f2016bc747bfc322dfac3f5fe61f7cc95
Opcode Fuzzy Hash: 8595608e587ce5e22a10a6eefd587d2deb6822b8b09dbd63fc2b0b1d6553dee5
Instruction Fuzzy Hash: 47F1BB71A00A05DFDB25CF68C880B6AB7F5FF45711F248168E9069B382DB34ED85EB90

Function 00F66962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 00FACA51
@, xrefs: 00F66C24

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: bf4a1f0dbfbdc08c08b240851bc3d16225fb0a556ab4a17977de4feb41752f7d
Instruction ID: 38d2cfdc7d3ba0c7368d4822b724bc33b3f46a9171943a24cd14cea335d54336
Opcode Fuzzy Hash: bf4a1f0dbfbdc08c08b240851bc3d16225fb0a556ab4a17977de4feb41752f7d
Instruction Fuzzy Hash: 40C28072A0C3419FDB25CF24C881BABBBE5AF89754F14892DF989C7241D734D805EB92

Function 00F3A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

UseFilter, xrefs: 00F3A1C1
FilterFullPath, xrefs: 00F9C2E6
\??\, xrefs: 00F9C1E4

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: b180c1637dd56cc2303459c1da5eb2ecdc8e249765dae2bde453e5a4a47ec4e1
Instruction ID: 7f1c415a28137af3d927f80f4803e2c29cbd0e4f77f09b3f33aa18da686b1ad3
Opcode Fuzzy Hash: b180c1637dd56cc2303459c1da5eb2ecdc8e249765dae2bde453e5a4a47ec4e1
Instruction Fuzzy Hash: F6A15A71D016299BDF21DB64CC89BEAB7B8EF48710F1041E9E908A7250D7359E84DF90

Function 00F60BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrinit.c, xrefs: 00FAA121
LdrpCheckModule, xrefs: 00FAA117
Failed to allocated memory for shimmed module list, xrefs: 00FAA10F

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 7ca0f0f13f6c141861a092ab7218681e4ee8ce47330fcafc1c8ba36242c1bb4b
Instruction ID: 5c075d946e21bb912a752eecae1f1048f026cc6799d8b9568bef6cde6e8e1d5f
Opcode Fuzzy Hash: 7ca0f0f13f6c141861a092ab7218681e4ee8ce47330fcafc1c8ba36242c1bb4b
Instruction Fuzzy Hash: FC71D1B1E00205AFCB24DF68CD81AAEB7F4FB44714F244529E8429B251DB39AE45EB51

Function 00F50A5B Relevance: 3.9, Strings: 3, Instructions: 190COMMON

Download Yara Rule

Strings

((PHEAP_ENTRY)LastKnownEntry <= Entry), xrefs: 00FA534D
HEAP: , xrefs: 00FA5342
HEAP[%wZ]: , xrefs: 00FA5335

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
API String ID: 0-1334570610
Opcode ID: 33eb201e655602755f09ff1f5eb04d7527faad4a160ace0ec88078829aa24868
Instruction ID: 7ea77bb0531c219f5404f834223e058391dc7897640b8d88b9a01147d8a52d04
Opcode Fuzzy Hash: 33eb201e655602755f09ff1f5eb04d7527faad4a160ace0ec88078829aa24868
Instruction Fuzzy Hash: EB610571A00701EFDB28CF24C481B6ABBE2FF85715F148559E985CF282DB74E885EB91

Function 00F7C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 00FB82DE
Failed to reallocate the system dirs string !, xrefs: 00FB82D7
minkernel\ntdll\ldrinit.c, xrefs: 00FB82E8

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 4c873b3b8e682f4d50f1c8247586a3340da43293dc2cf150c4bd937b9fe6b315
Instruction ID: 08654d7418c462067a379ec21c51dcfaaa4e462c047ccab07662f73d0620c823
Opcode Fuzzy Hash: 4c873b3b8e682f4d50f1c8247586a3340da43293dc2cf150c4bd937b9fe6b315
Instruction Fuzzy Hash: FB410571544300ABC734EB24DC42B5B77ECAF49760F04492EF988D7291EB79D801EB92

Function 00FFC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 00FFC1C5
PreferredUILanguages, xrefs: 00FFC212
@, xrefs: 00FFC1F1

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: c96ffec081b8329b1364381722294e5bd54c0ca6bb53301fb3f7551c708c7644
Instruction ID: b1be994d75cfe4ca58062476d315d55f5f3af7d815ccca3f3d9f63d3d131865e
Opcode Fuzzy Hash: c96ffec081b8329b1364381722294e5bd54c0ca6bb53301fb3f7551c708c7644
Instruction Fuzzy Hash: 17416D72E0022DABDB11DAD4CD91BEEB7B8EF54710F14406AEA05B72A0D7749E44AB90

Function 00FD4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 00FD4160
LdrpResValidateFilePath Exit, xrefs: 00FD4172
@, xrefs: 00FD4225

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 695b3326841947a0f70dc239aec6c329fd2bc6e51842ecf5e70680783b5a1430
Instruction ID: df40438abec0425b524ace0e10cde953ade63d2a33d9ca3d34b66fa352b2e641
Opcode Fuzzy Hash: 695b3326841947a0f70dc239aec6c329fd2bc6e51842ecf5e70680783b5a1430
Instruction Fuzzy Hash: 22411532D043588BEB22DBE5CC45BADB7B6FF45350F28045AE901EB782D738A945EB10

Function 00FC4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 00FC488F
minkernel\ntdll\ldrredirect.c, xrefs: 00FC4899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 00FC4888

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: d880ec8cc2ec5ec53490cd0ddc812a93057b87cad737fb8490dc50354f71f319
Instruction ID: cbef9851d8f1d76b444bda1d4ee9bb888a2885f860e00eea7b1b05183f1061f7
Opcode Fuzzy Hash: d880ec8cc2ec5ec53490cd0ddc812a93057b87cad737fb8490dc50354f71f319
Instruction Fuzzy Hash: 3241B032A042529FCB21CE58DA62F667BE8BF89760F05065DEC98D7291D731FC00EB91

Function 00F50BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00FA543E
HEAP[%wZ]: , xrefs: 00FA5431
(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 00FA5449

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: e22f5ac160cb67bee1c8eee990540a54b59397d9eaafe6c78b07a7dc88853f6b
Instruction ID: 0f40753e2255b726c6c8edbb427fadd550775f6a41329c2a7690888b957ddffb
Opcode Fuzzy Hash: e22f5ac160cb67bee1c8eee990540a54b59397d9eaafe6c78b07a7dc88853f6b
Instruction Fuzzy Hash: 2C11E472315941EFD728C614C8A2B79B3A4EF85B26F258119ED06CF251DB34EC84F751

Function 00FC20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

LdrpInitializationFailure, xrefs: 00FC20FA
minkernel\ntdll\ldrinit.c, xrefs: 00FC2104
Process initialization failed with status 0x%08lx, xrefs: 00FC20F3

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: 93e0d38ad085ddc40d28bda6318c067f0b809617411e05e11babb2021402e09b
Instruction ID: 2a7923284240c63850e5eb5668e228fd38eaefff4841f2b7f0dcb9b1b5d3addb
Opcode Fuzzy Hash: 93e0d38ad085ddc40d28bda6318c067f0b809617411e05e11babb2021402e09b
Instruction Fuzzy Hash: FDF0C231A40319BBD724EA48DD57FD9376CFB41B54F540069F6407B282D6B8E940EA92

Function 00F503E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FA4D8A

Strings

#%u, xrefs: 00FA4D82

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: 46a44940a2e75414523fa8f7ac7ac679e728cbf544dfb910d60141302d8e54fc
Instruction ID: 011816e10652248c50b3c1f233102a6fa875551fbc7db04e0983615c366eb588
Opcode Fuzzy Hash: 46a44940a2e75414523fa8f7ac7ac679e728cbf544dfb910d60141302d8e54fc
Instruction Fuzzy Hash: 78715DB1A0014A9FCB01DF98C981FAEB7F8EF48754F144065EA05E7251EA78EE05DB60

Function 00F4A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Enter, xrefs: 00F4AA13
LdrResSearchResource Exit, xrefs: 00F4AA25

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: 2015be9bab5c548c935f71a2c90cc0ab18c74824d3f415c99c660ff822de9b02
Instruction ID: 1e71dfa7646d3feb79f7a8b6ec773aeaf3c794a0d92a344c4c27deb59bd6636a
Opcode Fuzzy Hash: 2015be9bab5c548c935f71a2c90cc0ab18c74824d3f415c99c660ff822de9b02
Instruction Fuzzy Hash: 34E170B2E40218DFEB219E98C980BAEBBB9EF55364F14402AFD01E7251D778DD40EB51

Function 0100A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 0100A551
`, xrefs: 0100A44B

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 7ea7008e5ac5e0e598f74a957c0525356a797b2f31d26a8f15954dc7300b1b77
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 0AC18C313043429BE726CE28C841B6ABBE5BFC4314F188A2DF6D68B2D1D775D545CB51

Function 00FBE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

Legacy, xrefs: 00FBE75A
UEFI, xrefs: 00FBE751

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: bec924169a6b099303121cb926b55e7359c0252754ee447c83c91a50d9ac91af
Instruction ID: bd49bfa2cb1141b53843d57a3a748180241291fb1684fffaae904888ff8ce0cc
Opcode Fuzzy Hash: bec924169a6b099303121cb926b55e7359c0252754ee447c83c91a50d9ac91af
Instruction Fuzzy Hash: 3F614A72E006189FDB14DFA9C841BEEBBB5FB48700F204169E559EB291DA31E900EF50

Function 00FE43D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

@, xrefs: 00FE4437
MUI, xrefs: 00FE4525

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 44b8cbe167561dd9029e74ef923cc8b48a319370207161dfa8fc9f4957c96a3f
Instruction ID: 2e21c936143f76335e4441df83172551d024f7b79b5ad50ae672f14b054e299b
Opcode Fuzzy Hash: 44b8cbe167561dd9029e74ef923cc8b48a319370207161dfa8fc9f4957c96a3f
Instruction Fuzzy Hash: 795145B1E0025DAFDB11DFA5CC81AEEBBB8EB48754F140529E900B7281D634AE05DBA0

Function 00F404E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

kLsE, xrefs: 00F40540
TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00F4063D

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: d3f1c038cd6b8fdc961ee17751e9ef67a235d1656fa977958d8b0c7279398b9c
Instruction ID: d27c42d1eb6b541f8210f9e3856a185e7b0648f7cc5e1eeb4cfae57d0528103d
Opcode Fuzzy Hash: d3f1c038cd6b8fdc961ee17751e9ef67a235d1656fa977958d8b0c7279398b9c
Instruction Fuzzy Hash: 9C51BE729047469FC724EF64C4406A7BBE8EF84714F04883EEADA87241EB74E945DF92

Function 00F4A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 00F4A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 00F4A309

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 07e20e65593d30f2350731989c40f077464fa941f5a54d3bbd8788cff39a83e2
Instruction ID: a4999bfb603fd472fd582585132ff859a0e38a367f0ddd4086955fb5e5142e8d
Opcode Fuzzy Hash: 07e20e65593d30f2350731989c40f077464fa941f5a54d3bbd8788cff39a83e2
Instruction Fuzzy Hash: 5B419C71A44649DBDB21CF69C840B6ABBB4EF85750F2440A9EC01DB291E376DA40EB51

Function 00F7A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 00F7A5E4
Threadpool!, xrefs: 00F7A5E9

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: be89eeebeb9b61bc315b3a642e5e385f36eec5c7d8dba156cff1c0d52a8bf522
Instruction ID: 4899c2fb53e50cd2b35b395c2770369e427a864c7df05c331f427daa1dd78e55
Opcode Fuzzy Hash: be89eeebeb9b61bc315b3a642e5e385f36eec5c7d8dba156cff1c0d52a8bf522
Instruction Fuzzy Hash: DE01ADB2240B00EFD311DF14CD46B1A77E8E784B15F05893AA54CC7190E739EA04EB47

Function 00F4C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 00F4C8C3, 00F4CA40

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: fe3c85b42959d6d252686498863bdf1c1836a65365989f30259e4bcb3b568c2d
Instruction ID: fb439a69642d221f57d3b1dfc8540d7c9e1a712044e625d0272f57a18e910ffa
Opcode Fuzzy Hash: fe3c85b42959d6d252686498863bdf1c1836a65365989f30259e4bcb3b568c2d
Instruction Fuzzy Hash: 6A825C75E012188FDB64CFA9C880BADBBB1FF48720F14816AEC59AB351D7749D41EB90

Function 00FC6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 00FC65C1

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e50bb092bbaa4174643df7a19a2e6f7c03c32fb3d4031d137befefd0d994f1a3
Instruction ID: 52c2391da54ee7d4fe697db24310f3d2a71edb8d794e96bedcdcaa07d735570b
Opcode Fuzzy Hash: e50bb092bbaa4174643df7a19a2e6f7c03c32fb3d4031d137befefd0d994f1a3
Instruction Fuzzy Hash: E19164B1940219AFDB21DF94CD86FAE77B8EF04B50F240069F601EB191D775AD04EB60

Function 00FEE10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 00FEE1FA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8f0533e730d8f552262d78f68b7078b14a9490094d4afec93d1aff6682eb7694
Instruction ID: 323bede1d386ade068cc5ec33cec97c75d4bebc50242313b903f94542b2ecce3
Opcode Fuzzy Hash: 8f0533e730d8f552262d78f68b7078b14a9490094d4afec93d1aff6682eb7694
Instruction Fuzzy Hash: 2291D232D00589AFDB22AFA5EC45FAFBB79EF85750F100019F500A7251EB789905EB51

Function 00F7A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 00FB67C9

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 691a546c9e853acca228d9c867aa43cccd11dd47473ac1a0ea83347b2ab30aa8
Instruction ID: 62d3978907dca023146ce99a6a211233be1e9ddca9a9c8d575a3a3bd80559be3
Opcode Fuzzy Hash: 691a546c9e853acca228d9c867aa43cccd11dd47473ac1a0ea83347b2ab30aa8
Instruction Fuzzy Hash: DE716F75E0021A9FDF28DF9AC9916EDBBB1BF48714F24812AE405E7240DB399D41EF50

Function 00FE4978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 00FE4A7F

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 01bbfda2974deda2a37be3674d731775d79f6ed14b774fa38e1f77f2a441d9de
Instruction ID: bf0d86bf4e114450dc27d315b4bb997d6471f2b0c4e3658901076525d527f271
Opcode Fuzzy Hash: 01bbfda2974deda2a37be3674d731775d79f6ed14b774fa38e1f77f2a441d9de
Instruction Fuzzy Hash: 12519372D002699BCF10DF9AD840AAEB7B5AF44B20F05412EE915BB341D73CAD05EFA4

Function 00F5E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 00F5E6A4

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 6f427873c59db60fe2f6e1f0e1e9dd803227ec33060cd833be02e3371bada0ee
Instruction ID: caf829e3309aaeee2f08e845681d7bc946e2026ab1cd9719fb5a1858bd4b68b5
Opcode Fuzzy Hash: 6f427873c59db60fe2f6e1f0e1e9dd803227ec33060cd833be02e3371bada0ee
Instruction Fuzzy Hash: 9941B0729083019BD714DA74D841B6BB7E8AF8CB15F04092DFE94E7180E678DA08E797

Function 00FBC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 00FBC77F

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 68f645879b6b4df87c8e126e3c2c157c6c44c1ab25fbaf41fa5755bbbe4a38f4
Instruction ID: 8661e708b9de4ab68449a9e5c8bade42b760f2ec69533a6a0971b10039a5dae9
Opcode Fuzzy Hash: 68f645879b6b4df87c8e126e3c2c157c6c44c1ab25fbaf41fa5755bbbe4a38f4
Instruction Fuzzy Hash: 744163B1D0012CABDB21DA61CC85FDFB77CAB44714F0045A5FA08AB141DB749E899FE4

Function 00FD6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 00FD6B91

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 513d06930ebb08bd375bfb02584e7075fe003beff4e81f7a4200a0cf9ca70f34
Instruction ID: 4bd24e7c27e0000177465668f96046f74a3121452ca5e3caa4ff054335ed5a9e
Opcode Fuzzy Hash: 513d06930ebb08bd375bfb02584e7075fe003beff4e81f7a4200a0cf9ca70f34
Instruction Fuzzy Hash: 24312631A107189BDB22DB68CC50BEE77A9DF44715F18402AE980EB382DB79EC05EB50

Function 00FBCA72 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

BinaryName, xrefs: 00FBCAA2

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 804e06751bf492ba21dc050f549d0160666074b389c75010f7fe30b8a95765fa
Instruction ID: 4c3555687dbda2e83abb17bd3c813826515a70e329d44021e3702763f2d30ed7
Opcode Fuzzy Hash: 804e06751bf492ba21dc050f549d0160666074b389c75010f7fe30b8a95765fa
Instruction Fuzzy Hash: 3031F736D00519AFDB15DB5AC856EAFB7B4EFC0760F118129E905A7291D730AE04EFE0

Function 00FC892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 00FC895E

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: 34f2ec1471551afb40288e58b3a7784bcf853f2d5caf8fb240b3bf4f79952a20
Instruction ID: dd0e600e755c8a78ae1748446a31d9abed6edc87697ec89aa70d3890a535ba19
Opcode Fuzzy Hash: 34f2ec1471551afb40288e58b3a7784bcf853f2d5caf8fb240b3bf4f79952a20
Instruction Fuzzy Hash: 04012B326002129BD7249B51DE87F7A7B69EFC2BE0F04042CF58116962CF75AC46F796

Function 00FE2000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e095adc571f87902360212e7932ce2fe74ccfc36d601c9cf16397139c48f1ce4
Instruction ID: 56c293057b9678e5350bf08f4e57f23137fcc7c6011617839f7d2ecb7db2d9fd
Opcode Fuzzy Hash: e095adc571f87902360212e7932ce2fe74ccfc36d601c9cf16397139c48f1ce4
Instruction Fuzzy Hash: 7342F572A083818FD765CF66C891B6BB7E9BF84710F18092EF98287250E734DD45EB52

Function 00FD8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3841fe7a7921ce9965df2ef6ec36f5f12ad9248410b24a55cdf4089ba396d200
Instruction ID: c277ef9a9dc2c1bf387a998885d1bcf25d3aa0030754eebfa1f524b0204434f3
Opcode Fuzzy Hash: 3841fe7a7921ce9965df2ef6ec36f5f12ad9248410b24a55cdf4089ba396d200
Instruction Fuzzy Hash: C7424B75E002198FDB24CF69C841BADB7F6BF48350F18819AE949AB342DB349D86DF50

Function 00F52840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af3025cd610cc756380b26cf622ed5a7e8cf4dbf344c18105af0d1f0dbd5721c
Instruction ID: 163844a79d9e8be7195abad47b20c5f9a35c14b6c8458bd63e9bc8ea984b1e7f
Opcode Fuzzy Hash: af3025cd610cc756380b26cf622ed5a7e8cf4dbf344c18105af0d1f0dbd5721c
Instruction Fuzzy Hash: 3E32CFB1A007558FDB24CF65C8447BEBBF6BF86314F28411DE886DB284D739A805EB50

Function 00FEA118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c2a634e5253a8c83900199e22f32900590c2d99aabbdae7ef545d3b2cc7509
Instruction ID: cfc9402898faf413bb3a510f8a01209d5a9fc857bc5daa19da74089c2ecd6936
Opcode Fuzzy Hash: c0c2a634e5253a8c83900199e22f32900590c2d99aabbdae7ef545d3b2cc7509
Instruction Fuzzy Hash: 9C22F475A046D18FDB25CF2AC090372B7F1AF45310F18849AE8968F296D735F852FB62

Function 00F46A50 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdcef16bdd66e984bf166ebd5256f6696016f02e605ed7040559c366c1aa8fd
Instruction ID: 03b60290ec8ae5b564e48034d12f79ae2bc1bef991e2030fbfe92c63d0850ccf
Opcode Fuzzy Hash: 1fdcef16bdd66e984bf166ebd5256f6696016f02e605ed7040559c366c1aa8fd
Instruction Fuzzy Hash: 95327975A00605CFDB24CF68C880BAABBF1FF8A310F258569E955EB391D734AC41EB51

Function 00F64A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 04b020695729b6725f512a4817f4407571923060da137096ba031862ae751583
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 5CF19E71E0121A9BCF15DFA9C980BAEB7F5BF49710F048129E801AB341E774EC42EB60

Function 00FD892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1d7dde807b53bc13976c515dc5ee95562c414b137cf46481d9ad7bec6166b1
Instruction ID: ef11812ce541cf9cfa7e6889b72e7a1bc2cb28fea7b94573e61ba37afa47f574
Opcode Fuzzy Hash: 6e1d7dde807b53bc13976c515dc5ee95562c414b137cf46481d9ad7bec6166b1
Instruction Fuzzy Hash: 16D1F372E006199BDB05CF59C841BFEB7F2AF84394F18816BD855E7380DB39E9069B60

Function 00F465D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f662834c7d1af7b29958680c4348525223af43e71a44db751818f9d1f5a2b1c
Instruction ID: 08735418226108c1d06760e2b59376dce29cc36a149eb961f76bcbe45a0c9322
Opcode Fuzzy Hash: 6f662834c7d1af7b29958680c4348525223af43e71a44db751818f9d1f5a2b1c
Instruction Fuzzy Hash: E8E16C71908341CFC714CF28C490A6ABBE0FF9A318F158A6DE995CB351DB31E949DB92

Function 00F38397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4cc8ed4a67eef2c9d2e47ccb721fbd3f2913ae5f2597d4d51d988180c0e1df
Instruction ID: 445f421de0d2ad0c64f366c597cee07be0c360fccc34b0ca49ddabc5a62acd5c
Opcode Fuzzy Hash: 7b4cc8ed4a67eef2c9d2e47ccb721fbd3f2913ae5f2597d4d51d988180c0e1df
Instruction Fuzzy Hash: E3D10272A00316DBDF14CF65CD81BBA77A5BF44364F244229F816DB281EB38E946EB50

Function 00FC8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: bee79d83f2aa44d41a6e5e674f0b0fedab746313d62a23a59f659da36ce1f24c
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: FAB19374E006069FDB24DB94CA46FABB7B9BF84394F14442EA90297791DE34ED06EB10

Function 00F50535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: a3f16111ac1c4cf9d86ef7fecb6772d21d295fb13ecb6a90440e72cc45dae0f7
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: E7B14A72A00645AFDB11DF68C840BBEBBF6AF85310F284165EA42D7281DB74ED45FB90

Function 00F483C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2f7798d2e3ca9784a72b1180594c3ac9e9a6bb7fe2d2e9901e5c3588fb3613
Instruction ID: c269d02597c1fbf8322bbcbb80ac31f7a60d9afe7eea843552d7b51e902bcbf5
Opcode Fuzzy Hash: 1d2f7798d2e3ca9784a72b1180594c3ac9e9a6bb7fe2d2e9901e5c3588fb3613
Instruction Fuzzy Hash: 26C169B45083418FD764CF14C484BAFBBE5BF88354F44492DE98987291DB74E909DF92

Function 00F3C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4c94047ba8576062a977e0f655b3fe9bcc6cbe6e42f9d037fb573d2024fbcc
Instruction ID: 01f58410931a85f57867935ac002f280e230807839ece7b79a10c0c8b86f5ded
Opcode Fuzzy Hash: 0c4c94047ba8576062a977e0f655b3fe9bcc6cbe6e42f9d037fb573d2024fbcc
Instruction Fuzzy Hash: D6B19170A002658BDB64DF64C890BADB3B1EF44720F1485EAE50AE7291EB34EDC5DF61

Function 00F6E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eef6443488f6b944ceac6cfc6db31f73b64b658f7c5c1c8891435b9adabcd69
Instruction ID: 1daf388458e835df53bebe555507d8a53fba0901aa553096b9c336a25f9e2eb5
Opcode Fuzzy Hash: 4eef6443488f6b944ceac6cfc6db31f73b64b658f7c5c1c8891435b9adabcd69
Instruction Fuzzy Hash: BCA14672E002189FDB21DB98CC48FAEB7B4AF01764F140125E911AB2D1D7789E44EBD1

Function 00F80185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad90bb2a046436a457953d6ac08203a5285e976cedb6bdb9ff3bff75df9a3ac0
Instruction ID: 064970f150b406813e405ee518f17ea4e11c409f13435a832cfb49683101e2d8
Opcode Fuzzy Hash: ad90bb2a046436a457953d6ac08203a5285e976cedb6bdb9ff3bff75df9a3ac0
Instruction Fuzzy Hash: 6EA10F71B006169FDB64EF65C890BEAB7B5FF54324F104029EA05D7281EF78E809EB90

Function 01014500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f1663ab216173d0ca477c844f28a1949cc73c434190d1f4a3ed792a9c0d150
Instruction ID: 2f3722d272a3c53c7217c231e88b94742c9c1096b3a5ca628d5eb6c1085dd7c9
Opcode Fuzzy Hash: c5f1663ab216173d0ca477c844f28a1949cc73c434190d1f4a3ed792a9c0d150
Instruction Fuzzy Hash: F8A1DD72A00601AFC712DF18C980B6ABBE9FF48744F050968FA85DB666C339E905CB91

Function 01012B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 478d991f06645878bd1eedcf6fc442a5de07a47836b5aa31ee5412b705ef1872
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 5FB15971E0061ADFDF59DFA8C880AADBBF5FF48300F248169E954AB358D734A941CB90

Function 00FC60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4880c274b718f8b60bd7b6d153397c099c474be1b47a0134fc7515b0013d1a1e
Instruction ID: 7f89890a7c09b1b464921260193bdb03536111954c7085257650c2f8a16b6d4b
Opcode Fuzzy Hash: 4880c274b718f8b60bd7b6d153397c099c474be1b47a0134fc7515b0013d1a1e
Instruction Fuzzy Hash: 81919071D04216AFDF15CFA8D986FAEBBB5AB48710F15416DE610EB341D738ED00ABA0

Function 00F5E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510b26d036525281457cef3b6959bf69b5be2a0a343884386fa4e2315917d488
Instruction ID: e28f4bec422447a77f16bdd834f769b94eac805d450166e4d3fe7fd59baec6a3
Opcode Fuzzy Hash: 510b26d036525281457cef3b6959bf69b5be2a0a343884386fa4e2315917d488
Instruction Fuzzy Hash: D0915876E006159BD728DB18C840B7E77A5EF85725F18406AEE05DB381E738DE09F760

Function 00F96ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb1904f9c0957dc6e369ad7f6a96acd7613eb6e0161161dd6e25c3ff542de67
Instruction ID: 5b9a52cc91896fe53a68cd413e2ad6bd7ea702a931eb1748cb4f3110b7dff66d
Opcode Fuzzy Hash: acb1904f9c0957dc6e369ad7f6a96acd7613eb6e0161161dd6e25c3ff542de67
Instruction Fuzzy Hash: C181B3B1E0061A9BEF18CF69C950ABEB7F9FB48710F10852EE455E7640E734E940DBA4

Function 0100AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 8a412ab75cdb0da09f98b55c15df74b742089cbf3b8c6afeb40ea132dd4359df
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: 27817E31B10709DFEF1ADF58C890AAEBBF2AF84310F198569D9569B385D734E901CB50

Function 00F7E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b68078d9470808ef870cffa2f6211210ccac48a52a78bf05706dfdae6b71c937
Instruction ID: 9e28c6767cdd36b441b0fb25ced0c27f56eeb33968cce439c03a28fc093aecc2
Opcode Fuzzy Hash: b68078d9470808ef870cffa2f6211210ccac48a52a78bf05706dfdae6b71c937
Instruction Fuzzy Hash: 8C818071E00609AFDB25DFA5C880BEEBBF9FF48354F10842AE559A7250D770AC05EB60

Function 00F5C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 667c2bdcf417f54e099bdbc65cdcc2d1683b3a0a8bcf1dd9165d69f5507f3b46
Instruction ID: a43db1b76a89c69ebbf6173f7e41b0d5a721716e902fa4e688a14612715d62ca
Opcode Fuzzy Hash: 667c2bdcf417f54e099bdbc65cdcc2d1683b3a0a8bcf1dd9165d69f5507f3b46
Instruction Fuzzy Hash: 4D71EDB5C00229DFCB258F58D8907BEBBB4FF59710F24411AE982AB390D7759905EBE0

Function 00FF47A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11313afd1fd88794671d868427d3236e1403664763591b6dd6d180ab8118325a
Instruction ID: cfb76eb587b3f8187316ddaf30cade293c45f90651e3a9f553e8b6fc8ab86cdc
Opcode Fuzzy Hash: 11313afd1fd88794671d868427d3236e1403664763591b6dd6d180ab8118325a
Instruction Fuzzy Hash: AE71B571D00208EFCB20DF95D945AABBBFCFF81710F10415AE654A7269C77AAE40EB54

Function 00F5260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbccd13de9c870da76284dd65bea227ae7b633582d8f2794d3395fb37c9a7d46
Instruction ID: d12d82ade27548770bd85ebed4b50b71ad025a77de1b2ef654ce1673894dd92b
Opcode Fuzzy Hash: fbccd13de9c870da76284dd65bea227ae7b633582d8f2794d3395fb37c9a7d46
Instruction Fuzzy Hash: D771C272A046418FC751DF28C880B2AB7E5FF89311F0486A9ED59CB352DB38DC49DB91

Function 00FD62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07f7ef436ffdcc2a2ec41dd5b742aa65b73e3e96533278ecc548f95f2f42190a
Instruction ID: e9264e4ef1017c315bf583c72a7c1e0a0b56096b7b3ca7b2d18822995ef9aaad
Opcode Fuzzy Hash: 07f7ef436ffdcc2a2ec41dd5b742aa65b73e3e96533278ecc548f95f2f42190a
Instruction Fuzzy Hash: 2D71FE32600A00AFDB31DF18CC45F5AB7E6EB40720F29442AE656CB3A1D779E944EB50

Function 00FC035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: 5390d7395e33dfc536c5bb6deaec1da37cd3ce4714e6aaff9f73c424aee0f146
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 17716F71A00619EFCB10DFA9CA45FEEBBB8FF48700F144569E905A7251DB34EA06DB50

Function 00F48AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1674444c952554c000b54379584e21eded964ef23dad4d62bba90f50443bf92e
Instruction ID: 28dd77b07434c7359bbdb6b3332147ff99374e358bdd9504b4f1ec194201b425
Opcode Fuzzy Hash: 1674444c952554c000b54379584e21eded964ef23dad4d62bba90f50443bf92e
Instruction Fuzzy Hash: 4681A0B2B043158FDB24CF98D584BADB7F5FF89324F194129D800AB291C7799D41EB90

Function 01018324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee25693a113e8579f5f0608ee81ce255f5fa59592c3626238f596f3e96befa1
Instruction ID: e915fef48b13391c912a448e75cdf0160b070fd71b5c29908b5ac9612fe79dea
Opcode Fuzzy Hash: 0ee25693a113e8579f5f0608ee81ce255f5fa59592c3626238f596f3e96befa1
Instruction Fuzzy Hash: C9710B71E00209AFDB15DF94CC81FEEBBB9FB04350F10815AFA51A7294D778AA05CB90

Function 00FFA250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5242c47d1e45571f85321d6c96435d48a9f0b61947dda86e8be3f67839c738e
Instruction ID: 3eb38867e22dfae64f960f208dd2984939536b5286a255a06b792bc909d5d25f
Opcode Fuzzy Hash: c5242c47d1e45571f85321d6c96435d48a9f0b61947dda86e8be3f67839c738e
Instruction Fuzzy Hash: 9F51BEB2904616AFD312DF68C884B6BB7E8EFC5750F010929BB44DB160E6B5ED0497A3

Function 00FE8350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6542686ece597a4840f2c9020b74d8643ffdda8c89dbfea67e83e6209cb89459
Instruction ID: a6ea347e349d95478edc3facf73ff82e5810796bf94faf596bff6ceb8467e610
Opcode Fuzzy Hash: 6542686ece597a4840f2c9020b74d8643ffdda8c89dbfea67e83e6209cb89459
Instruction Fuzzy Hash: FB51CF709007459FD721EF56C880AABFBF8FF94750F20461EE19A576E1CBB0A942EB50

Function 00F7E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e76f75525238e219bd09d4a4f4b5ce2d158161a110e2d8aefc2d03759185a697
Instruction ID: 8b0d54eb8b8f78462dff327f17dc6c559b715998c9195c8851151eb348ec0649
Opcode Fuzzy Hash: e76f75525238e219bd09d4a4f4b5ce2d158161a110e2d8aefc2d03759185a697
Instruction Fuzzy Hash: 4D518B72600A04DFCB21EF69C984EAAB3F9FF08794F50046AE64597261D738EE44EB51

Function 00FE4180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8f2def148061a01c8fdab39ed211a6b7790ccac6809050113550609f859d2c7
Instruction ID: e35161d684b5d53e3c55d45399ba2891bc265a9b1ce4d2f8e4355aaa372ba83c
Opcode Fuzzy Hash: b8f2def148061a01c8fdab39ed211a6b7790ccac6809050113550609f859d2c7
Instruction Fuzzy Hash: EE5189716083818FD750DF2AC881A6BB7E5BFC8718F444A2EF499C7250EB34E905EB56

Function 00F645B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: d415c5c775959ae610941c17233a30429ced1996f54e9920dbbcc18c89330c83
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: 7E519D71E0061AABCF15EF94C841BEEBBB9AF45754F14406AE901EB341D734EE44DBA0

Function 00FCE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: 626bfdbfdca6037a2bf234b107d09889ddd73c297d816f57a39215e06c8b032d
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: E151A732D0021BAFDF209A90CE87FBEB775AF40324F15466DE91267191D7389E44EB90

Function 01008B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6334aaab7dfd5cc816b6dcd3a8a305cf843be333b22c539f4b42389ed9d6c3
Instruction ID: ed885f38273f1dd1fc91fa035c73132b8ca64116796a1a0321cddbb755137017
Opcode Fuzzy Hash: bf6334aaab7dfd5cc816b6dcd3a8a305cf843be333b22c539f4b42389ed9d6c3
Instruction Fuzzy Hash: 0641B570B01A159BF66BDB2DC895F7BBBEABF90220F04C15AF995872C1DB34D801C691

Function 00FCCBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3375be1cb82a63f71c1d44a53cbeb66f482311733bd747107f94a19859345b
Instruction ID: 84cc3a7a41dec56995c80648d4016e0f23808d6d3bcedb21153568eb05256456
Opcode Fuzzy Hash: 6d3375be1cb82a63f71c1d44a53cbeb66f482311733bd747107f94a19859345b
Instruction Fuzzy Hash: 9851E371D00216DFCB20DFA5CA81E9EBBB9FF48364B114529E55AA3301D735AE41EBD0

Function 00F7A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c57e7d9c39dc9729a3a828c7b93d0466fd484f01803371ae1ad23067be15bfc
Instruction ID: 845acf54e2b2e8c3ccf2af2cbeb75ade6d6d877e2a49940fd58462b91c36ee7b
Opcode Fuzzy Hash: 3c57e7d9c39dc9729a3a828c7b93d0466fd484f01803371ae1ad23067be15bfc
Instruction Fuzzy Hash: 44412B767006009BCB24EF699C92B6E3769AB44718F05402EFD45DF242D7FE9C10AB52

Function 0100A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: a748f4d613532915f4e8d7ed6438024074882df7a7ac657fb6e2cbf9f7f367be
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 0A41B7317047169FE726CE18C980A6AB7E9FF85210F05466DEA9687281EB34ED54C790

Function 00F701F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14bd1707cdaef188a31ffbf8bd517a717896808bd4a0a51617a5523bbcadb428
Instruction ID: a905da5ab7cff00b6a91ebc82784f728404fa582d93a703139b7e520eb99d785
Opcode Fuzzy Hash: 14bd1707cdaef188a31ffbf8bd517a717896808bd4a0a51617a5523bbcadb428
Instruction Fuzzy Hash: 4C419D36D00215DBCB14DF98C840AEEB7B5AF48710F18816FE819E7251DB359D41EBA6

Function 00F6EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d3b4bd5030b5f33da9bffed8dfe6ea561891d46830ad7ab86901d797c1ebb0
Instruction ID: 08a06b4e31fedf6cdd969d992cc3f3c250a80582aa9821e487a62b7b691d8974
Opcode Fuzzy Hash: 88d3b4bd5030b5f33da9bffed8dfe6ea561891d46830ad7ab86901d797c1ebb0
Instruction Fuzzy Hash: 6741D2B26003019FDB21DF64C880A6BB7E9FF89324F104939E957C7212EB35E848EB50

Function 00F82750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: 645bd97aed678c4ae41fc61cb1940c2012a3c10cc5bd27297e144b12a64a0e6c
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: 5F513675E00219DFCB14CF99C580AAEF7B2FF85720F2881A9D855A7350D771AE82DB90

Function 00F46154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48dff09cecb42a61e5de8b52c3f2dcddf073310e09b7158ff45c086cac18600
Instruction ID: 238214e92d1894eba7462f9cb0e28c564a9b5fabf791d986e1b90fa4498aa2c6
Opcode Fuzzy Hash: f48dff09cecb42a61e5de8b52c3f2dcddf073310e09b7158ff45c086cac18600
Instruction Fuzzy Hash: 895118B1D00116EBDB25CB64CC01BE8BBB5EF06324F1442A5E915E72C2DB795E81EF41

Function 00F40BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d586b032f618dfd5eab23a269f4aca02910d70e3e4098c70dc2a06ab1cfa33
Instruction ID: bbfd7127483fe89640302ee4f67c784184137b1511e1cb95599b6644102ef92e
Opcode Fuzzy Hash: 89d586b032f618dfd5eab23a269f4aca02910d70e3e4098c70dc2a06ab1cfa33
Instruction Fuzzy Hash: 3A416171E00228DBDF21DF64CD81BEA77B4AF45750F0501A6EA08AB241DB78DE84EB91

Function 0100866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 7395f4c73ce2d37d2fd41e9917fd888dd4b702e9eceed74995d5fedaa11ccad3
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 4141A775F00215ABEB16DB99CC85AAFBBBABF88300F15806AE945A7385D670DD00CB50

Function 00F40887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3da84d3ba86d5ded010ca8d9a893d8643af866eb8ed75db0b26ce1228881dc
Instruction ID: e86bec8fef44a48f7feaec8b5e950678747c9b1898cd3ccd1fcb31345046a8cd
Opcode Fuzzy Hash: df3da84d3ba86d5ded010ca8d9a893d8643af866eb8ed75db0b26ce1228881dc
Instruction Fuzzy Hash: 1441D4716007019FE724DF24C980A26BBF9FF49314B104A6DEA4787B52EB35F849EB90

Function 00F6A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d478394233d78fac926ae134731a079aea17c4c777666a4bd846d1d26e512c86
Instruction ID: 216658ff8fb7688669db668953012b53232182b528ee1ce9808c7de1243f5c7f
Opcode Fuzzy Hash: d478394233d78fac926ae134731a079aea17c4c777666a4bd846d1d26e512c86
Instruction Fuzzy Hash: ED41AC72A40214CFCB21DF68D8957AE77B4BB09360F180196E412BB395DB39AD00EFA1

Function 00F48BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81d4be35a23007be72b62ad0b1ae04f741b03e3b64b4f9f7e633fc192f8147ce
Instruction ID: d147066bdac0649eee5f8cafe10f6adb746c2a303a98da3841dd947eed397fa5
Opcode Fuzzy Hash: 81d4be35a23007be72b62ad0b1ae04f741b03e3b64b4f9f7e633fc192f8147ce
Instruction Fuzzy Hash: 31410576E01201CFCB24DF48C881B5EBBB5FB85754F248129ED019B246DB7ED842EBA0

Function 00F38918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4708945e84261e76b31edeed7a254d5ba664b4d2a321f528f0932b85fbada7eb
Instruction ID: a78da8bc9ae66b627d878366f068091825e0edc0ce8c96f0348a8312fcaef932
Opcode Fuzzy Hash: 4708945e84261e76b31edeed7a254d5ba664b4d2a321f528f0932b85fbada7eb
Instruction Fuzzy Hash: D0419F325097169FE711DF64D941B6BB7E8EF84BA4F00092AF980D7250EB34DE05AB93

Function 00F3A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 8459817811bede284ae99fcd662b508284d524c59caaf873417639deca1b501e
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 01414C72E00211DBEF14DFA699447BAB771EF90778F25806AE9858B240D7358D40FB92

Function 00F409AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd85f280537840f3f97f0a2f53ab61e892b9fb97b1371e305e6bcf5f7b574aa0
Instruction ID: 820646aa8b574fbe88dc1ed2d9cccdc0e3f86723c82a700f4ef61e05993aaa6b
Opcode Fuzzy Hash: fd85f280537840f3f97f0a2f53ab61e892b9fb97b1371e305e6bcf5f7b574aa0
Instruction Fuzzy Hash: 01417D71A00700EFD721DF18D841B26BBE5FF44724F24892AE949CB252EB75ED42EB90

Function 00F70710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: 8e0b0af71cb6a06c3dc476d0e7c09a7a800959c2181138d95a4c2363927cb5b7
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 00413B71A00605EFCB24CF98C980AAAB7F4FF08710B20896EE55AD7691D730FA45EF51

Function 00F4262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3451bca37cc1966bad209fc1119f0a7c4b580999d9380b01a3b2f4edaacee23e
Instruction ID: 6c4f02f3eb152dffca625ebabf20d8f089806ab23bd0ad689bb4014a217983ff
Opcode Fuzzy Hash: 3451bca37cc1966bad209fc1119f0a7c4b580999d9380b01a3b2f4edaacee23e
Instruction Fuzzy Hash: 5841E471901700DFCB61EF24C901765BBF5FF89320F5182B9E8469B2A1DB349A41EF51

Function 00F7C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c2ce745b256ec0b0ba23a937f06d4fc9812fa375a9c515b0c6afc4062538c51
Instruction ID: c5a66c559a98ea98a04c70a4eefc647810be8703c1ee4e9d8ccd2ccb43105e78
Opcode Fuzzy Hash: 9c2ce745b256ec0b0ba23a937f06d4fc9812fa375a9c515b0c6afc4062538c51
Instruction Fuzzy Hash: 113199B2A00345DFDB51DF58C440799BBF4EB49724F2085AEE109EB251D73AD902DF90

Function 00FC07C3 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfa4229c55a8a5cfaf98ae2a9a3696cc69834c5327eb6436381f0210b0854ac3
Instruction ID: fae92503fa372378e705435861451d38cd5604e58f797c6eaa6dbe57fb0c2c9c
Opcode Fuzzy Hash: bfa4229c55a8a5cfaf98ae2a9a3696cc69834c5327eb6436381f0210b0854ac3
Instruction Fuzzy Hash: 44417F719043119BD720DF24C845F9BBBE8FF88764F008A2EF598D7291DB749905DB92

Function 00F380A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e442b64cc7ab31461008c8e7915daa40fd6282e344b6467a7a618435d48d4fa
Instruction ID: 0bcabdcb895346f281c4313388bab4dc7e0632a8ab71d88bd2a7e46db63d5dcb
Opcode Fuzzy Hash: 9e442b64cc7ab31461008c8e7915daa40fd6282e344b6467a7a618435d48d4fa
Instruction Fuzzy Hash: 0F41C072E05715AFDB10EF14CD416A9B7B1BB447B0F248229F815A7290DB38ED43ABD0

Function 00FC05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ba0b6fb05ff75775558025a71028077587b8b9e9506d2af53c7689a810a9ef
Instruction ID: b6c86b8a95ffe78d23a55bf93933d8c82d49765cf171d90e9fd7fec9b5bee16c
Opcode Fuzzy Hash: 18ba0b6fb05ff75775558025a71028077587b8b9e9506d2af53c7689a810a9ef
Instruction Fuzzy Hash: 9241C372504652DFC320DF68C942F6AB3E9AFC8710F14062DF89597680EB34ED15E7A5

Function 00F44859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2270b82f8e03f408782c93c409dd5da2ccfb69497766dbea6add2869badcac6f
Instruction ID: 87a8265c9c416e710c8203625d46c7e93d91a5f911d49afdb683f80036b79439
Opcode Fuzzy Hash: 2270b82f8e03f408782c93c409dd5da2ccfb69497766dbea6add2869badcac6f
Instruction Fuzzy Hash: 0341D331A003018BD725DF28D884B2BBBE9EF81360F14442DFD95AB291DB35ED45EB51

Function 00F38B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6193d98b02bcfa90f7ada5887cf59bdc1c80961b3ab4e30829b3f6debb84bebd
Instruction ID: 3c71b70b68ba2ac407e1e2fd78b13abe0cb65897d704ba0b2987a69ba22ad36f
Opcode Fuzzy Hash: 6193d98b02bcfa90f7ada5887cf59bdc1c80961b3ab4e30829b3f6debb84bebd
Instruction Fuzzy Hash: 2B417272E01705CFCB14DF69C98059DB7F1FF883B0F24852AE466A7251DB389942EB50

Function 00F502E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 5ebfc68d085705b858c5d6556204f175b1d75201297aa7d2c79096f17b5e33c0
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: D1312632A01244AFDB118B68CC44B9ABFE9AF04360F0441A5FC19D7352C6B89988EBA4

Function 00FEE3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab3ba75a1acb4842ea57913670bb3cae6538d47c31ad2cda12036ccf3b9eaa8
Instruction ID: 1e464daffff036c7375bfb95813bdeb34bff3cff3809d0ee8074d72a1a04b87c
Opcode Fuzzy Hash: 4ab3ba75a1acb4842ea57913670bb3cae6538d47c31ad2cda12036ccf3b9eaa8
Instruction Fuzzy Hash: A631C635750755ABD722EF659C42FAB76A9AF48B50F100028FA00BB2D1DAA8DD00E7A0

Function 00FF4B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf68aff4fb272cf82b1b8f0af38b64314d6ee66745d5db172824b008b996603
Instruction ID: fc96a7223fa6144bbf55a3b337833a51a23ce56acff0ff27344c6c77df4719e7
Opcode Fuzzy Hash: 8bf68aff4fb272cf82b1b8f0af38b64314d6ee66745d5db172824b008b996603
Instruction Fuzzy Hash: BC31C332A052049FC720DF19D880E76B7E9FF81360F06446DEA959B262D732FD05EB95

Function 00F44260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300dda2dd425884891b9c629a2c3007fbd4290a7714b83cbbd793f21040fccec
Instruction ID: c0466afb8c37482139b72c6d673916c47a9e0c6f22a2f4f8ea5d31d098b0b138
Opcode Fuzzy Hash: 300dda2dd425884891b9c629a2c3007fbd4290a7714b83cbbd793f21040fccec
Instruction Fuzzy Hash: 5A41DF72500B45DFC722CF28C885FEA7BE8BF4A750F108429E9999B251CB74F844EB50

Function 00FF4BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576bfd58e467c6258a79779f08d03063bcff077516a65ba4f931b72c3c5fe8d6
Instruction ID: 2aaae46b6ce7d1aa7bca5a9329e84dff4c2f34a98b70f060dd80eb29f6fbdb5b
Opcode Fuzzy Hash: 576bfd58e467c6258a79779f08d03063bcff077516a65ba4f931b72c3c5fe8d6
Instruction Fuzzy Hash: C0319C71A052059FC720DF29C881A3BB3E5FF84720F05456DFA999B2A1E730ED04EBA1

Function 010061C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa19e7f80ed4d7748fa3613e4b04603fd921f915a8cc88852cd2416417796af
Instruction ID: e3a941aa332b7098b6c228500f029129e771538c6cff5dc897cd2af0f27e1e00
Opcode Fuzzy Hash: 2fa19e7f80ed4d7748fa3613e4b04603fd921f915a8cc88852cd2416417796af
Instruction Fuzzy Hash: B7310475A00616ABEB16DF98CC41FAEB7B6FB44B40F014168F940AB281D770ED00CBA0

Function 00FE483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468ae8dd34701de37f04e5afd003ae3e6d24febc8e178b1a5847dc3611f2bb38
Instruction ID: 86dc681409144c50b44456bd9d2378b03606e1ad14da254c4b92deb3452854a5
Opcode Fuzzy Hash: 468ae8dd34701de37f04e5afd003ae3e6d24febc8e178b1a5847dc3611f2bb38
Instruction Fuzzy Hash: 8B31A532E4016CABCF21DF55DC89BDE77B9AB88350F1000E5B908A3251CA34EE81DF90

Function 00F6EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2e13296a1b29e7877b355df43f38e66ae49dc89f858f645e141ae42d8db65d
Instruction ID: 806a30fd26912ebc505419cdefb721527fdbb40e5f0b5af3bc72ef650b5683a2
Opcode Fuzzy Hash: af2e13296a1b29e7877b355df43f38e66ae49dc89f858f645e141ae42d8db65d
Instruction Fuzzy Hash: 4631B377E00614AFCB21DFA9CC40BAEBBF9EF45760F114465E816E7251D6749E00AB90

Function 010060B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e68b4cba5213b0e71d57e215ca8e2e1a305868d973a4ba18851d993acc4dea2d
Instruction ID: 6a0643e0f292838972c226e39c3aa238d5fce62bda46bad52499aab81a4ce9eb
Opcode Fuzzy Hash: e68b4cba5213b0e71d57e215ca8e2e1a305868d973a4ba18851d993acc4dea2d
Instruction Fuzzy Hash: 9E31E231700605ABEB139F99CC50AAEB7FAAF44750F044069F581DF382DA36ED018B90

Function 00F407AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beee585422f5c1965f6bf30e797ea8a0ec3338b86b5b24d23df19de47b80707c
Instruction ID: 02717521ac7f92cc9ef9f755e458f12e2866fed25e9fd2c62356ca204b123631
Opcode Fuzzy Hash: beee585422f5c1965f6bf30e797ea8a0ec3338b86b5b24d23df19de47b80707c
Instruction Fuzzy Hash: 1D31C032A04611DBDB12DE248D80E6BBFA5AFD4360F014529FE55AB351EE34DC01B7E1

Function 00F48550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af2f14f8e6b4b2cc98578403333e657df4b03addd53d4d8590aea51ddd3eba58
Instruction ID: e80ea9e49988d9480db5b3d488cbc20988da6aec7daa0c110058f676ba35f99a
Opcode Fuzzy Hash: af2f14f8e6b4b2cc98578403333e657df4b03addd53d4d8590aea51ddd3eba58
Instruction Fuzzy Hash: 26317CB2A093018FD360CF19C840B2BBBE4FF98760F19896DE98497251D775EC44EB91

Function 00F7A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 204b2bc6057930d683fa5210a3d818f51e3dff68b6b53d5028d1c774fcb34684
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 7D313072B00B00AFD764CF69DD41B5BB7F8BF48B50F15452DA55AC3650E630E900EB51

Function 00FEEBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfb9a8fdad7cfc42ef335fbdb02c9eaad75363de666b0aa78752eb297ef695ad
Instruction ID: 72f3130754bb129af268cbe12c3e8f309db7873a0ff3e36d4497c8c0cf0b86f7
Opcode Fuzzy Hash: cfb9a8fdad7cfc42ef335fbdb02c9eaad75363de666b0aa78752eb297ef695ad
Instruction Fuzzy Hash: B03198719453819FC720DF1AD54091ABBF5FF8A324F144AAEE8889B311E3319E45DB92

Function 00F6438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55c48b235c673f722fe1042db04b2e92c93ae52ebb3c00c36be8f592513af147
Instruction ID: 541fd16d7880262e809aa84cf3c370499ea19eec36bec115bdc133a878dc5d5f
Opcode Fuzzy Hash: 55c48b235c673f722fe1042db04b2e92c93ae52ebb3c00c36be8f592513af147
Instruction Fuzzy Hash: AB31E272B002059FC724FFA8CD82B6EB7F9AB84304F108529E845D7691DB34EE45EB90

Function 00F3CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: d5cb7bc797e4744bcad405ab72e5de8285327e6a876882dc62fbd5761ac3db1d
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: 50212332E4025AAADB11DBB98801BAFF7B5EF457A0F168035AD55FB340E231DD00A7E1

Function 00F3C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff456f55e660508990cb0e1d2cb1073205ad30378abcf25ff97d982d3225802
Instruction ID: 2db584f2cf2b4f5a78f762ea86137baac4bf47184745dfeef66120b178d598b2
Opcode Fuzzy Hash: 4ff456f55e660508990cb0e1d2cb1073205ad30378abcf25ff97d982d3225802
Instruction Fuzzy Hash: D6313B719002009BDF31AF28CC41BB977B8AF41364F648169ED859B346DA39DD86EB90

Function 00FFC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: f3e504787ca4ff9d07ecaf5aaf8997093089b3e9a3135aa714124ccd80b65588
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: F1212B3660066DA6CB24EB958D11ABAB7B4EF40750F40801BFA95876B1E73CDD40E7E0

Function 00F3E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22ff29c71a15a4ad0a64b3677358434f4277c931a6ab88c957f032df00eabcd6
Instruction ID: d9fb730d9c22632be80e3a59d042a133a07a5add1c6bd759c8ea7a575f7ad8e8
Opcode Fuzzy Hash: 22ff29c71a15a4ad0a64b3677358434f4277c931a6ab88c957f032df00eabcd6
Instruction Fuzzy Hash: D031D436A4152C9BDB31DB14CC42FEEB7B9EF15760F0100A1FA45A72D0D674AE80AFA0

Function 00F744B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96fc77bd99122f0b9cabd05e7c45da2724ad309c9555a2c702f508c1a4d7626b
Instruction ID: 548f44900774f1bf99ee15a903edadd6cac16a966a83c2c4a46bb2d5c578370a
Opcode Fuzzy Hash: 96fc77bd99122f0b9cabd05e7c45da2724ad309c9555a2c702f508c1a4d7626b
Instruction Fuzzy Hash: C121C372A047459BC722DF18C841B6BB7E5FF8C760F05851AFD589B241D734ED00ABA2

Function 00F74588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 5e88fdc00f5a64f35ba66e9010668425bb89ced71477b2249406f58d68d924c1
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: A8218036A00608ABCB11CF58C980A9EFBA5FF49710F10C066ED299B241D774EE059B90

Function 00F3E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 60542f20a8634bfe870ff23c368490784fb022eef74d2631a72bfdac9802707b
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: A0319F31600608EFDB21DF68C884F6AB7F9EF45364F2445A9E552CB291E734EE01EB50

Function 00FBE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64106809ffcb9c0be11745d754d249b1c952a4b9cb04c72f0f090462b489a6c4
Instruction ID: f4522cacb82913860c876a4aa7d6cfb3508f060ef3d71ba1dd77bd7b236fa787
Opcode Fuzzy Hash: 64106809ffcb9c0be11745d754d249b1c952a4b9cb04c72f0f090462b489a6c4
Instruction Fuzzy Hash: 11319E75A10205AFCB14CF19C884AEE77B6EFA4300B118469E8469B391E731EE40DF90

Function 00FC06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 903546dcd67cbe572a7b9e25fbd07edbbb6f58da51540d57dbb149698cb89937
Instruction ID: 04967267d76ed03eb651bcee23b1baa53437f0fad9d3e9ab20fd3d5966163445
Opcode Fuzzy Hash: 903546dcd67cbe572a7b9e25fbd07edbbb6f58da51540d57dbb149698cb89937
Instruction Fuzzy Hash: 47218D71900629DBCF25DF59C982ABEB7F8FF48750B500069F941AB250DB38AD52DBA0

Function 00FC019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe0e5397d6a7864cbc77187532ead0b828f0d69cd594628f05f90648d96c4ba
Instruction ID: 4848301e081ad1a05763c7cb51de82f6795a0e9bcc51b2760d15762bba761e07
Opcode Fuzzy Hash: 3fe0e5397d6a7864cbc77187532ead0b828f0d69cd594628f05f90648d96c4ba
Instruction Fuzzy Hash: A2219771A00645EBC7159B68CD45F6AB7B8EF48790F140069F904DB6A1DA38EE01DBA8

Function 00FC0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c6a3e2e8428c3d40f98c291536524ce15a34824f0678784f5f376f255f8503
Instruction ID: d46a09dea7f9b039f8f47be7d45e631bccdeb92179682be9e1349da2acde575d
Opcode Fuzzy Hash: 17c6a3e2e8428c3d40f98c291536524ce15a34824f0678784f5f376f255f8503
Instruction Fuzzy Hash: 0F21C472904386DBC711EF59C949F9BB7ECAF81350F08045ABD80C7251DB34DA4AE6A1

Function 00F62835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff55d06faf96f986d74e09b7a17023556e229337154296aa0e95ffd3ad5a674a
Instruction ID: a98c8155e994c3d4734a5c7feb9a47874766257f3eb0c06b8bd56918d2b640c3
Opcode Fuzzy Hash: ff55d06faf96f986d74e09b7a17023556e229337154296aa0e95ffd3ad5a674a
Instruction Fuzzy Hash: C6213B72A44A859BE322577CCC04B2837A4AF42770F2803A5F9619BAD2DB6CCC05E201

Function 00F7A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904c102d37a813c41e5840b37490e28e98a62d32aa032168f37b55f44158f552
Instruction ID: 90eeaf9888e3fc1cf5548e31cd68e83060594e7a064b56080f0a1e95f81b3b22
Opcode Fuzzy Hash: 904c102d37a813c41e5840b37490e28e98a62d32aa032168f37b55f44158f552
Instruction Fuzzy Hash: B121AC36600A009FC725DF29CC01B4673F5AF48B44F248469A549CBB61E336E942DF95

Function 00FFA49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 870877606f4a2231bf6023bc6dba68f9da4ca4e3e312ed2d4f1e1eb0d77af1d8
Instruction ID: fdc184ce73cd1ad8fdc148d210d12b137ffbb21299df6dd4338fdc9715c12c57
Opcode Fuzzy Hash: 870877606f4a2231bf6023bc6dba68f9da4ca4e3e312ed2d4f1e1eb0d77af1d8
Instruction Fuzzy Hash: 5F11E7B2350F197FD32257549C41F77769ADFC4B60F190024BB0CDB1E1EA64EC01A696

Function 00FC0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fff858fb87bb6153c60fe0e9f592f5d2bf7ce187b5f3f31fc6f48030b8855da
Instruction ID: 20063b571731eb527fc697ab980227fe4310364dfd9ca46ea8836d727e80b13c
Opcode Fuzzy Hash: 9fff858fb87bb6153c60fe0e9f592f5d2bf7ce187b5f3f31fc6f48030b8855da
Instruction Fuzzy Hash: 1F2119B1E00219ABCB24DFAAD981AAEFBF8FF98710F10412EE405A7341DB749941DB50

Function 00FD80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 28730c8e2cdbd5fddcce2d98a17185273d3ce606aa4dde1abe130e3d19ddad39
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: F3218E72A00209EFDF129F98CC44BAEBBBAEF48360F240456F901A7351DB34DD56AB50

Function 00F70124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 3ee2a731f7fb99dee2faa27bfcbad6f849227f0b884be4a4b5cf798f7d63fdea
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 5911B273601604FFD7229B54CC41F9BBBB9EF80764F24802AF6099B190DAB5ED44EB51

Function 00F48770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9343c276344e84c92c9421892525ebcbba24df9b37c2371e5b92a6e9b773b3a0
Instruction ID: 19d0de3600e4028c8451c3a5f3acc38532e2005cbfd033da96a20529ba4ba363
Opcode Fuzzy Hash: 9343c276344e84c92c9421892525ebcbba24df9b37c2371e5b92a6e9b773b3a0
Instruction Fuzzy Hash: CE11AB35B01611DBCB11CF49C5D0A6EBBE9EF4A7A0B25406DED08DF205DAB6DD02D790

Function 00F7AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: b61eb59d323589a50a4dcb44d3109b82836604e26e20432e989f3b8f2d76be49
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 83214C72A40640DFC7259F4DC540A6AF7E6EBD4B60F26807EE94997621C734ED01EB42

Function 00F480E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d0e9fa5654958f11c20b2ddbee6645adc7ffc5e0c363f44eec7f20ee2abc3b
Instruction ID: e27a27840cf55c721abd43dec4b4c2fd27b0b94fe8ce58b896a47b02b5e556f9
Opcode Fuzzy Hash: c8d0e9fa5654958f11c20b2ddbee6645adc7ffc5e0c363f44eec7f20ee2abc3b
Instruction Fuzzy Hash: 25218B32A00205DFCB14CF98C581BAEBBB5FB88758F20416ED505AB310CB71AE47DB90

Function 00F7674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e809414bd9a61c3a55e6d108f094e36a47da0a6c47ccd87b0a5e3b42555622
Instruction ID: 17362147fb84849ead92b1099549c516466e72ef5b779ddc67ce3e993042a534
Opcode Fuzzy Hash: 86e809414bd9a61c3a55e6d108f094e36a47da0a6c47ccd87b0a5e3b42555622
Instruction Fuzzy Hash: 92216A71600A00EFC7248F69C881F66B3E8FF84794F54882EE5AEC7251DA30AD51EB61

Function 00F6E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884442842fb8b772418301551591911197408e25cb9723ed2d8d32b1a5ce9c15
Instruction ID: 3280cad4398d4b07b4ac4def3c071098517408c6202134bdc6a4ab5bc8c8f40c
Opcode Fuzzy Hash: 884442842fb8b772418301551591911197408e25cb9723ed2d8d32b1a5ce9c15
Instruction Fuzzy Hash: 24114877700114ABCB1ADB25CC81A2BB25AEFD2370B34853DE9228B280E931DD02D3A0

Function 00FD6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6348598b51150c5411c4051bc1bb54a7a9992beb7cadb75e600c765e47367556
Instruction ID: b91bb1e58638a7eb4a3a4ce361d82367b7ba892658f40065ef33fde5e061ace0
Opcode Fuzzy Hash: 6348598b51150c5411c4051bc1bb54a7a9992beb7cadb75e600c765e47367556
Instruction Fuzzy Hash: 22112332240614EFC722CB69CC51F5A77A9EF99B60F144026F201DB351DA74ED05F791

Function 00F766B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3f60e707d63607484204d8236007241b10160eb45d715d93e78d7e1ec07a267
Instruction ID: ef828b0631d9e1b76bde225e724bd95785881ea75b5783518ef366de90b0690f
Opcode Fuzzy Hash: c3f60e707d63607484204d8236007241b10160eb45d715d93e78d7e1ec07a267
Instruction Fuzzy Hash: CE110876E00604DFCB29CF59D480A5AB7F8AF84394B11807AD909DB311DA34DD01EB90

Function 0100A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: e8c2e91b04fdecc2c23bacbefad3ff68621e7dd214c2324b57adf42ba13b81f5
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 4A11B636B00919EFDB1ACB58CC05A9DB7F5EF84310F058269E89597390D675AE51CB80

Function 00F40AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: 02699cf90395429f209903b361d564bcc36be006a4dfc8de867a50a7d734f293
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: 572103B5A00B459FD3A0CF29C481B56BBF4FB48B20F10492EE98AC7B40E771E814DB94

Function 00FCE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: b4d9cc3b2c2c8a0805520be227fbb32a272187ed499d8033eddbda2eae536f27
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 2E119132E01602EFEB219F44CE42F5A77A5EB45760F15842CF9099B291D775DD40F790

Function 00F627ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87dea455be2ecce7de49888a41fd6c7754eb925995168c5cb3389e87bccd426
Instruction ID: f15d52e43567e34eaadd5c84bad0e2ce78c07fb71b3df28adb2ff340950e7e62
Opcode Fuzzy Hash: c87dea455be2ecce7de49888a41fd6c7754eb925995168c5cb3389e87bccd426
Instruction Fuzzy Hash: BB012672B06A44AFE326A269DC85F27779CEF817A0F154076F9418B641DB18DC04F2B2

Function 00F44690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f600e50dac6ae584a1feb26ce4db47d5193a6bd13e5398b2aafbcb7dfea749e9
Instruction ID: 2813746a5b1c020496680b546460a6513352fdbfebcb3a7335cb69177bd391e0
Opcode Fuzzy Hash: f600e50dac6ae584a1feb26ce4db47d5193a6bd13e5398b2aafbcb7dfea749e9
Instruction Fuzzy Hash: 4211AC36A41644AFCB25CF59D841B567FA8EB8AB64F104119FD04AB390C774FD41EF60

Function 01014B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b905af11d986978da5dc8e289cf627839e6e21b68732f2f093280aa6d680fef6
Instruction ID: b38d2de3fe663f11aad9a125010a918ccaa073268c1fff22fbdc1b8174320c2b
Opcode Fuzzy Hash: b905af11d986978da5dc8e289cf627839e6e21b68732f2f093280aa6d680fef6
Instruction Fuzzy Hash: A111C6362006119FD7619A29DC80F56B7E5FFC4711F194459EAC6C76A8DB38A802C790

Function 00F76620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b0b68d45f88934a41cf7c56064dbeaa4b979251142566b60e51791acad2f0ce
Instruction ID: 7c30c18f2bb36e5790fcdcd06dd02d1a00d27ecf80f0a7628d94a1045c02b0e5
Opcode Fuzzy Hash: 4b0b68d45f88934a41cf7c56064dbeaa4b979251142566b60e51791acad2f0ce
Instruction Fuzzy Hash: C711C272D00B14ABCB21EF58DD81F5EF7B8EF88750F90445AE908BB201D734AE05AB61

Function 00F6EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02bc8714011e877d645b8f2c9d6c52f4b82fe0223e5646375128c3c8b2ebef94
Instruction ID: f104cbd4a72aebc25baf10874c9fdd010656651237b12dae606ab99ca42851e3
Opcode Fuzzy Hash: 02bc8714011e877d645b8f2c9d6c52f4b82fe0223e5646375128c3c8b2ebef94
Instruction Fuzzy Hash: 11019E765101089FC725DB19D849F56BBFDFB85328F20826AE0498B261C778AC46DB90

Function 00F6E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: c8784ff2ecb55eac04a7a27d7090ef85b8f600373ed071c27f4460a9cbb26ffb
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 1C11E9B7A016C59BD7229758CD44B6677A4EB027A8F1D00B1ED42CF652F32CCD46F250

Function 00FCE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 8e91119b140b1a3b71a1547a2b3117937ebea9f3dc175a340bbec5e4012b6299
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 4501D232A00106AFDB259F54CE03F5A7AA9EF40BA0F158128F9159B260E775DE40E790

Function 00F3A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: f58e6ffb31c22aa5c0949871a645f525cb4852b0738aeb7e116b55d1b6d3751f
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 38012E32804B119BCB308F16D840A377BA8EF55B70B008A2DFCD98B680C735E800EBA1

Function 01014940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab5332683f1ad64913daf95dce5a6db287e821ad8c4fcc8397b663e6a72293a
Instruction ID: 039390d83c040bd8bf84a96fe65397303ba0520e9b9594568e69265a4b061355
Opcode Fuzzy Hash: fab5332683f1ad64913daf95dce5a6db287e821ad8c4fcc8397b663e6a72293a
Instruction Fuzzy Hash: 9801C0725416009BC362DF1C9C40E16B7EAEB85770B2542A5EAE8DB1AAE738D801CBD0

Function 00FBE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d38d60308cd168e3d6f8147acdd44ad105896e29a7575ce14575af3e9439ed
Instruction ID: eb7e50742366d4acb0e9d89f85a97b33264ccf26b747d19ea9e1e8fdc2ee3e5c
Opcode Fuzzy Hash: b4d38d60308cd168e3d6f8147acdd44ad105896e29a7575ce14575af3e9439ed
Instruction Fuzzy Hash: 40118B32641240EFCB16EF59CD81F96BBB8FF44B94F240065FE059B662C239ED01EA90

Function 00F46259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cc8bdd3b43a748b240f4f8fde2305a763df44bbb8218665ccb7a276681084f
Instruction ID: 489011922a3ca83eba9a0a3616ce63ad0d3d630286a5fb61facae51de0d6f106
Opcode Fuzzy Hash: 24cc8bdd3b43a748b240f4f8fde2305a763df44bbb8218665ccb7a276681084f
Instruction Fuzzy Hash: 6611A071A02218ABDF65EB64CC42FE8B3B4AF44710F5041D4B718E60E1DB74AE81EF85

Function 00F4208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 3a0cadbd8a22a76d4a847d2212d2a575f484dfbf6add71716717ec5f42dc5e99
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 45019E33A001108BEF559A2DD880B927BA6AFD4720F9545B9FD05CF256DA719C81E790

Function 00FC6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e1ff4198b9d61ecce6ff89de71bfa5a22cead048e1abf007381b1756b3f66c
Instruction ID: 52fa119b0d3ffc1639067850f01f93ec504ffc891127cb703e60043044106394
Opcode Fuzzy Hash: 67e1ff4198b9d61ecce6ff89de71bfa5a22cead048e1abf007381b1756b3f66c
Instruction Fuzzy Hash: 13112973900019ABCB12DB94CC85EEFBB7CEF48358F044166E906E7211EA34EA15DBE1

Function 00FD6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e149e63e9bf1185c5f8b0f59dfee7aeff595d2b43a08dfa6699e88e1f5bb20f
Instruction ID: 596aded08632be1eeaefcca6e2d78dc7d5807afa2ae454270c235aa1af8292bb
Opcode Fuzzy Hash: 9e149e63e9bf1185c5f8b0f59dfee7aeff595d2b43a08dfa6699e88e1f5bb20f
Instruction Fuzzy Hash: F611C4366441469FC711CF58E810BA6B7BAFF5A314F1C815AE849CB315D732EC85EBA0

Function 00FCC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92f63f4c0e571622f3fb07cf1301f92fb246760c229ba0e8476a6c4b1a3c00d4
Instruction ID: bc8e6569d8322067c7e4321829aa6ef1976d5c266261bf982e08b6649d1114b0
Opcode Fuzzy Hash: 92f63f4c0e571622f3fb07cf1301f92fb246760c229ba0e8476a6c4b1a3c00d4
Instruction Fuzzy Hash: 5511E8B1E002199BCB04DFA9D541AAEB7F8EF48750F10806AF905E7351D678EE019BA4

Function 00FEEA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1952569085014fd5d05d1651ff41ba652fc55cbaa1e7c81da840d5deb9b0cf
Instruction ID: c2bdf5cd11309e36facaa29651dca371e58d0f90b8a2b3bf6de7d4c9e980da1d
Opcode Fuzzy Hash: 2d1952569085014fd5d05d1651ff41ba652fc55cbaa1e7c81da840d5deb9b0cf
Instruction Fuzzy Hash: 0701D8319401509BC732AF16E844E3AB7A9FF52B61B14443EF6455B211C73DDC41EB91

Function 00F820F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1809c6b97c54433981291cd56fa58791a2bc3601cbef79cabf24fad6c851aed0
Instruction ID: fdcc3bfd93da90057cf04b3fd36a6353056a77d82582ab88812dd8c0fb898faa
Opcode Fuzzy Hash: 1809c6b97c54433981291cd56fa58791a2bc3601cbef79cabf24fad6c851aed0
Instruction Fuzzy Hash: DB116D71A0120DABCB04EFA4CC55FEE7BB9EB44754F104059F90597290EA39AE11EB91

Function 00F3C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 54dc70c3a4816e123c9c3d81a559758d14ebada25c9d2c20603b27774af4666d
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 4B012872600744DFEF22966AC900FA773E9FFC4360F158419A986CB540DE74E801EBA0

Function 00F7E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39c6822bf01dae7cd27571a5697e226f3316889f07237ffaee6771dca242412
Instruction ID: bda4c321d5ba2e3f4bfa6f47d74371437e0632c581393f7c7e71eac598b0ad34
Opcode Fuzzy Hash: c39c6822bf01dae7cd27571a5697e226f3316889f07237ffaee6771dca242412
Instruction Fuzzy Hash: 5E01F7716005007FC311AB39CD41E57B7ECFF8A7A1B040625B60583552DB68EC05D6E0

Function 00FD69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3291393fa595667fb7a0fecca9b3a6efe356f39f43de887abb2ff4208a67024
Instruction ID: 4fbbccd862984e1d963ff2e78628f33f8b8d9b8937ef615004c4a50820142580
Opcode Fuzzy Hash: f3291393fa595667fb7a0fecca9b3a6efe356f39f43de887abb2ff4208a67024
Instruction Fuzzy Hash: 24014C336142019BC320EF68C849AA7B7A9EF48764F24412AF999D7280E7389D05D7D1

Function 00FCC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4ae01eb301f5fa2def500af74fa4d3f60135dd6262d1d45778430998369c328
Instruction ID: 3482e6ea41a0969f70b6896e15ffeb557c87677e6c0fbb7628723790e4cb80aa
Opcode Fuzzy Hash: b4ae01eb301f5fa2def500af74fa4d3f60135dd6262d1d45778430998369c328
Instruction Fuzzy Hash: A0115E71A0120DABCB19EF64C952EAE7BB5EB48350F008059FC0597340DA39ED11EB90

Function 00FCC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22298bc4077b3dcca71229903421bb2714fac90ea57f6c4bf3510bcec8178882
Instruction ID: 1a171edbb9d0641c0568b9a6852af78aa6dae35091479099220949789ea4047d
Opcode Fuzzy Hash: 22298bc4077b3dcca71229903421bb2714fac90ea57f6c4bf3510bcec8178882
Instruction Fuzzy Hash: 8511ADB16083089FC700DF69C842A9BBBF8EF88710F00851EF998D7391E634E900CB92

Function 00FCCA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da931efc74627421cc13dc010bd97162c9262f39bb18a87adaaae3f46cbe60d7
Instruction ID: 1999ca193996ddabae239a4ed895b9bdb4d31c0952dea8222a000f774cdbb117
Opcode Fuzzy Hash: da931efc74627421cc13dc010bd97162c9262f39bb18a87adaaae3f46cbe60d7
Instruction Fuzzy Hash: AE118EB16043089FC300DF69C842A8BBBF8EF89750F00851EF958D7361E634E900DB92

Function 01014A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: 9bdf72d0f62bb68ae4a1f1d71c8d234fef1b76d852a4250de53539f897279509
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 020124332006059FD7218AADC840F96BBEAFBC1300F454859F682CB664DBB8F840C790

Function 00F5E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 5a046aaf7e8392ca46a74de43fbcbd2d3f9939c55441a8bad00de1cbddd67513
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 01017C32604984DFE7268B1DC948F2677ECEF44760F0A04A5FA05CB6D1D6A8DE44E621

Function 00F3826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d80ec7660696a51da54459710e2e6e67d2be139572f508193f99ea6f18c4a93c
Instruction ID: 589d34f9b7904f6b4aa5a8178cadae9a83b6e1e5434e93d82dd1e0d1f042ccad
Opcode Fuzzy Hash: d80ec7660696a51da54459710e2e6e67d2be139572f508193f99ea6f18c4a93c
Instruction Fuzzy Hash: BA01D432B10604DBC714EB66DD02AAB73A8FF81770F158029B8019B242DE28DD02E390

Function 00FEEB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3193fa17f112b849adbc8ae915205dd6cf5301f57ecc56a8331260637ba1fef
Instruction ID: 37bc93f907db66c00a1bb0a4dd422d5bfa81dd9d3d2703ca5b283122c05a52c5
Opcode Fuzzy Hash: a3193fa17f112b849adbc8ae915205dd6cf5301f57ecc56a8331260637ba1fef
Instruction Fuzzy Hash: 5B01F271680700AFC3325F16EC41F06BAACEF85B60F10042AB6468F391D6B5A8409B44

Function 00F42582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b057d548a193ed33716f8c12ebf48d7ae8d12a0ed4e7dd1ea8bbda6565243d
Instruction ID: 1f3e0d424f54c5d8329fca138a4fbc5f08b35d529918488be6b513206a158042
Opcode Fuzzy Hash: e7b057d548a193ed33716f8c12ebf48d7ae8d12a0ed4e7dd1ea8bbda6565243d
Instruction Fuzzy Hash: 15F0F433A41A20B7C732DB5A8C41F17BEA9EB84BA0F144029BA0597650CA34ED01EAA0

Function 00F6C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: 69f8bfb74a56208560ddac47bc03c0f92880bdc2f8ca65c8dd5916f48922d221
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: 95F0C2B2A00A10ABD325CF4DDC41E67F7FADFC0B90F048128A645C7220EA31ED04CB90

Function 0101634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e8b4e65cf932989da3c832555ea7eda3426cc01bcdf146521967625d5f90b5
Instruction ID: 195dd79fcae63bed87305992b856d296467a3a5bd346713499e7b0ca0f6442bc
Opcode Fuzzy Hash: 53e8b4e65cf932989da3c832555ea7eda3426cc01bcdf146521967625d5f90b5
Instruction Fuzzy Hash: B2018F71A1020DEFCB00DFA9D841AEEB7F8EF48304F10806AF900E7351D678EA009BA0

Function 0101625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61d460ca7bd6dbb416427bb0f8c38d760344753b4356331876212b3799c1073
Instruction ID: a6c3d740936f933f065ff4c4fa833be35f4f9ad40839703db7b9d62fd47846dc
Opcode Fuzzy Hash: e61d460ca7bd6dbb416427bb0f8c38d760344753b4356331876212b3799c1073
Instruction Fuzzy Hash: 42012171A10619ABCB04DFA9D8519EEB7F8EF48744F10405AF905E7351D678AA018BA0

Function 010162D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88d6457b3064f7c2c20e5e692cd3c3f38a37b512bc0ba40f548cefd55e2f7815
Instruction ID: c99456763dcd3072a56a491c254355d17794fa52749477fab6b604895c122809
Opcode Fuzzy Hash: 88d6457b3064f7c2c20e5e692cd3c3f38a37b512bc0ba40f548cefd55e2f7815
Instruction Fuzzy Hash: 9E014471A0020DEFDB04DFA9D85599EB7F8EF48704F50805AF915E7351D678EE018BA0

Function 00F3C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 66c5d3da1a989ae7738cf075e7f0f8f7b01c4444e7c01db728e4754fff3ab548
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 49F02B33604A329BD73216694C40B2BB6958FC1BB4F2A4035F609FB244CE74CC02B7D1

Function 00F7CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 75c56f53e702ca7bacc7e1fa2a683f495b663fbebd3cde855a614df26662b7d3
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 3A01D632600689DFD722D61DC805F99BBACEF817A0F0880A6FA08CB691DA7CCD01E651

Function 010161E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 882e01508c568b00d7d96bee5df130c10517717343e726f54f127ed7d0778d0d
Instruction ID: 379b3cd6c5c6237f4a0e53f64a9f5fdcbc9c6490fcb14486e3471117b36d31cb
Opcode Fuzzy Hash: 882e01508c568b00d7d96bee5df130c10517717343e726f54f127ed7d0778d0d
Instruction Fuzzy Hash: 79018F71A012499BCB00DFA9D841AEEBBF8BF48314F14405AF901A7380D778EA01CB94

Function 00FC63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 8bff89af6d092bf0116caaf94c806dad30525efad2894ae19d5b314858c64503
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: F1F01D7220401DBFEF019F94DD81DAF7BBDEB493D8B104129FA11E2161D635DE21ABA0

Function 00FCA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94a6b76c4d0750698a920cf168bb8f0e81deb20106ff7e6b73519f1ca75a2c1
Instruction ID: c4faf038b0d6305a36d8eb6040fa4ae37b52b29b692c66d57ad9df7256ecd366
Opcode Fuzzy Hash: f94a6b76c4d0750698a920cf168bb8f0e81deb20106ff7e6b73519f1ca75a2c1
Instruction Fuzzy Hash: BE019A3650010DABCF129F84DD41EDE7F66FB4C768F098205FE1866224C236E971EB81

Function 00F3C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb73477fccf0b2c17ed65765a270bcf37cbf7e03bd5abd5104465c2e2b5727bb
Instruction ID: 08de541a53cf53ff7ecf5114b2d0da3d44354e3961e19635faffc7d3e9119fcc
Opcode Fuzzy Hash: fb73477fccf0b2c17ed65765a270bcf37cbf7e03bd5abd5104465c2e2b5727bb
Instruction Fuzzy Hash: E7F024727083005BF710B6199C12B6233AAEBC0770F69803AEA099B2C3EA74DC41B3D4

Function 00F7656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f63a1d2c38a504a9751457d68705b5e751c3c759153131a5f7159e837b51eac1
Instruction ID: d2aaf83d47600bb8ecebf5c6fd799c10b9fd74c524ff7771b7addaa2c1a08c3a
Opcode Fuzzy Hash: f63a1d2c38a504a9751457d68705b5e751c3c759153131a5f7159e837b51eac1
Instruction Fuzzy Hash: D801A471A00A85DFE332A72CCE49F6533E8AB40B50F5C4591B945CB6E7D72CE901BA11

Function 00FE437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 3b5e2396365fd1dff91dd4587dd84165f07395ade43791de87b1999d9e995254
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 07F0E936B41D924BDB35EA2B8820B2EB2559FC0F20B15052CA545CB650DF10FC00B7A1

Function 00FCC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce87aea62fda2506c28d8e5d7e88216ef6e0d8695a6efc0ab4cd6aa6b9add1d
Instruction ID: 42d5359fb926c06b5b35d9d898698463b078e91ed28eca4bbb246fbc38222b47
Opcode Fuzzy Hash: 0ce87aea62fda2506c28d8e5d7e88216ef6e0d8695a6efc0ab4cd6aa6b9add1d
Instruction Fuzzy Hash: 8DF0AF716053049FC310EF68C942E1BB7E4EF88714F40465EB898DB391EA38EA00D796

Function 00FCE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 0dc24382e761f918e767eab0a9efa1786ac51564138cda6cd70ec6c6aef257b4
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: 85F08933B515129BD3319A4DDD81F16B3A8EFC5B70F59006DBA049B2A0C764EC01E7D0

Function 00F70854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 6768066e19069e07669375188c85dee471afec3b5e514f21de3e4d21c401903f
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: DAF0E9B2610204EFE714DF21CC01F56B3E9EF98350F14C0799949D72A0FAB4EE01E655

Function 00FCC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d59087b643e38aa5468ae648c4c4cbe6403dbddc69b08a5cee90d359fcb51b
Instruction ID: 66aa460c50aadc3632bf6d6ff8625728e758fd9c44f9ac2d33493ef4267f7f1e
Opcode Fuzzy Hash: 18d59087b643e38aa5468ae648c4c4cbe6403dbddc69b08a5cee90d359fcb51b
Instruction Fuzzy Hash: A2F04F70A012499FCB04EFA9C516F9EB7B4EF08304F108159B959EB395DA38EA01DB90

Function 00F447FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ca551f8e6aaf5647c94bffe9150af48fa7d4b4f65f5263520bb288c616ca60
Instruction ID: 5eed83785d11bba93c6b6045a945efc1c5e7bef0694e32db2b1a12d808a37fd9
Opcode Fuzzy Hash: e4ca551f8e6aaf5647c94bffe9150af48fa7d4b4f65f5263520bb288c616ca60
Instruction Fuzzy Hash: F2F0BE32D166E09FE732CB68C444B61BFD4AB10730F1C896ADD99A7912C775FC84E650

Function 01000115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9dbecd26c7b26fb2acca5439ab6cf06372aa9c89d36fe1b202e869b4767c07
Instruction ID: 7608eccfd3959aeb3732b8ea5d3455bba49a74d7430702a3ea59b582bd34fc55
Opcode Fuzzy Hash: be9dbecd26c7b26fb2acca5439ab6cf06372aa9c89d36fe1b202e869b4767c07
Instruction Fuzzy Hash: 13F02E3641968416DB735B2C78513D13BAD9B41264F0514C6E5E45714AC57E4543D310

Function 00F7C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb534a68aa83515fccfb2afa22b2edd58794500f2ebe780330d4e97ae4ab72bc
Instruction ID: ab452782b3d0c8b7b4e921f799348b1dda7adb99a66f1ea6061a3ec0159954d5
Opcode Fuzzy Hash: eb534a68aa83515fccfb2afa22b2edd58794500f2ebe780330d4e97ae4ab72bc
Instruction Fuzzy Hash: 8EF0E2729116509FC3229718C9C8B51B3D8AB00BB1F19D56FD80EC7512C364DC80EAD2

Function 00F82619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 7899562212b6576a79f782ebd63abc07f54568d619d5115dc6cd96f793a4e81f
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 79E0D872300A402BD712AE59CCC1F97776EEFC2B10F040079B9045F252CAE6ED0997A4

Function 00FD6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: a473ce246a2d13c852316ac421e75ed15129afc5cb4a9843909e896e9541ca12
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: AEF0E572100204DFE3208F05DC48F52B7E9EB05364F19C026E608CB660D339EC40EBA0

Function 00F40710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 6e487877399bf0732bf2d15a7eecc1463c8b46538c9870aac2f825793f566dd0
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: EDF0ED3A6043589BEB15DF1AC040AA97FA8EB41360B100094FE428B351EB35FE82EB81

Function 00F749D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: e0b33b4b21a1cc2ec8626627714b0283171872d016b9ec1e48f3e41d801f1843
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 20E09233694586ABE3211E558801B6A76A5DBD47A0F15842AE6088B160EB78EC40F799

Function 01014164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481d5dc796b8b1a32d746794930177c04a978a62d5623d484057b65e3a9f8c77
Instruction ID: 3c56eea8b30416f18e38776a1b1bb6e2d7c99cf93a6d33b465bc9a8553fc74c7
Opcode Fuzzy Hash: 481d5dc796b8b1a32d746794930177c04a978a62d5623d484057b65e3a9f8c77
Instruction Fuzzy Hash: 82F06531A265914FE7B2D72CE554B9577E4AB10734F5A09D4D489C792AC728EC80C650

Function 00FE678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 860c7e1a35e144185bd622e926d89c9b0840c6c4f1d2499faa19cbcb6042a4b7
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: F7E0DF32A00164BBDB22979A8D02F9ABAACDB94FA4F050065BA00E70D0D930EE00E690

Function 010108C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: b889ab567bd2082ed13c8c444c11fe58cd43f9c5efbacfa871abd1d741e170bd
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: C9E09B316443518BCB258A2DC140A97B7E8EF95664F1580A9EDD54761AC275F882C6D0

Function 00FFA456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: d3e0d9a51234a71556d99a09b1772c181e088dfe80b3954a5db06fe2cbe2c989
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 63E09231010610DFD732AF25DC09B62B7E0BF40721F148C2DB19A114B1C7B9ACC0EB41

Function 00F425E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d5283b5a2c0a1533858f506da41f783051babf35717d32c143b078882b45b49
Instruction ID: b9e517f30840899c569274ecb8f755db1d8b106fff1edc3bad3f8985b4de4fed
Opcode Fuzzy Hash: 9d5283b5a2c0a1533858f506da41f783051babf35717d32c143b078882b45b49
Instruction Fuzzy Hash: 0BE09232100554ABC322BF29DD02F8B7BDAEF943A0F014525B55557191CB39B910E794

Function 00FC4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: e60e891c43a16950eff74c514dde8373fda3f8f62b4356a456abe3b9bf69a516
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: A2E0C2347803068FD715CF19C151B627BB6BFD5B20F28C068A9488F205EB32E842DB40

Function 00F7CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72ac461ecf9778c204ef95d385df9894fc12bf01f1d99566e3855b2dfeb267f
Instruction ID: 61ef119948bf8635aefc1cfba89a1239ccb275d223caede4021a12b7c761d6d0
Opcode Fuzzy Hash: c72ac461ecf9778c204ef95d385df9894fc12bf01f1d99566e3855b2dfeb267f
Instruction Fuzzy Hash: FCD02B324814606ADB35E114BC25F933A5D9B41721F018866F60CD2010D55CCC81B3C4

Function 00F3823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 0c10339038aa1ba17730da8e3895ae77a041efb22559dd41f1164dac960771ac
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 03E08C32401A10EFDB312E25ED01B9277E1FB94BB0F214829F081170A58BBCAC82FB44

Function 00F42050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f918282e6048e3bc13c8180626b1081b3fcb5e0e359d93ebc3714cce6c1f6b5
Instruction ID: 7b9b44bd5640eabe99e76a8e472021982cc81f73e2eab97209f5a07131a66ec9
Opcode Fuzzy Hash: 5f918282e6048e3bc13c8180626b1081b3fcb5e0e359d93ebc3714cce6c1f6b5
Instruction Fuzzy Hash: 79E0C2321004506BC312FF5DED02F4A779EEF943A0F010121F550972D1CB29BD00E7A4

Function 00F78A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: bb1ec40fd542c74a115937786c567d1c578100701a95fdf144e69d69b07af0d6
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: EDE02633550A0497C328DE18C415B7277A4EF44730F08823FA51747380C934E804D795

Function 00407B1E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2242560617.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62f91a99d5a08784d3e86c31a07967bb8ed5aac23ce2f858bee02d8484bed54
Instruction ID: 81ca58532264d00486dacab77599c4b2c22d855ca630581089b6c7d8cc3295b4
Opcode Fuzzy Hash: f62f91a99d5a08784d3e86c31a07967bb8ed5aac23ce2f858bee02d8484bed54
Instruction Fuzzy Hash: B5C04C33B5A45406D636090D78812F5E798DB5B234D1463A7E808E76154083D8560149

Function 00F96AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: dc9a461533934258789e2e837e63efbfd6e23ee8517fa783ae843ef824328976
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 84D05E36511A50AFC7329F1BEE04C13BBF9FBC5B61705062EA54593920C674AC06DBA0

Function 00F7E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 254aff47c84cadd37c321f3fd856d62a574691aed2d0f2ea5060ed510e05e752
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 87D0A932A08620ABDB32AA1CFC04FC333E8AB88761F060459B208C7150C3A4AC81DA84

Function 00FBE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: a8764654c3e906f238bdff58d451ea91aeadff0370125fabcee59cd5fe1cde9d
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: 70E0EC359506849BCF12EF59DA44F9AB7F5FB84B50F150054A4086B661C628AD04DB40

Function 00F3A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: 1a21c52f5160a3d71ea408128d0c97977f33e21a77d71ee30863249e61bd35d9
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: 20D0223321603093CB28A6666C04F637A059B80BB0F1A002C380AA3800C0088C42F6E0

Function 00F7A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: 083167b827181f087dc77ef458b713e664fada81cef9b4ba56dc6b8eed030029
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 48D012371D054CBBCB119F65DC02F957BA9E754BA0F444020BA04875A1C63AE950D584

Function 00F7CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf9bd389b8167328683b2d7fadc832a1b432c1ad7021a0fd70a033515790ea4
Instruction ID: 07ded48e1b9d26950f47a12a67d1552edb124cf1f9050cc72ef9055cd577a68f
Opcode Fuzzy Hash: 4bf9bd389b8167328683b2d7fadc832a1b432c1ad7021a0fd70a033515790ea4
Instruction Fuzzy Hash: D5D0A730901406DBDF16DF05C920E6E3FB8EB547C1B40006CE60051020D72DDD02FA50

Function 00F7C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 42bd99e4ac8f6565553b665776ee516cf1400c248651b39c416d3b37519ddff2
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 71C08C33290648AFC712EF98DD02F027BE9EB98B80F000021F7048B671C635FD20EA84

Function 00F60310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 81169ffa00b8395ab2acad564993fef2356622ea254d8ccdc6cdf5e11e3d97de
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: BFD01236100288EFCB05DF41C891D9A772AFBC8710F108019FD19077118A35ED62DA50

Function 00F40750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: f05b8bc6f6fca79478d70bbdb109092b6a0dec6a55137beea68ba24461be1669
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: B8C08838B00A008FCF00CB2AC280F0833F0FB00380F000880F802CBB22E228EC00EA00

Function 00F84340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb4bd1d0458809359002578b769241d95000e2ebcb988c76ee9c6deb7054583
Instruction ID: e4929284cf83d5029dcd29a8a2b913e8bdeb71ae7a6060e4177f5b562eba5580
Opcode Fuzzy Hash: dcb4bd1d0458809359002578b769241d95000e2ebcb988c76ee9c6deb7054583
Instruction Fuzzy Hash: A490023160580022A64071588884546400597E1341B55C022E0428554D8E188A576365

Function 00F84650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d2706a2d4aeab5977c28b9024915e8ae08bd72847e563b4c8f9e4b5ab754a9
Instruction ID: 6d7a302c74abbc6cef0481e7ce8bce057f8a9f99a615a0b2f07e4233947b7c52
Opcode Fuzzy Hash: 44d2706a2d4aeab5977c28b9024915e8ae08bd72847e563b4c8f9e4b5ab754a9
Instruction Fuzzy Hash: A190026160150052564071588804406600597E2341395C126A0558560D8A1C8956A26D

Function 00F82AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b020a791400283d9f03332956cdf8d7843d3edd70dc76355a45279f1304aab5a
Instruction ID: 4a018ee84ae04db6b2d3823c34485310034ca8bbd03ad53523d5fe6d0707e3fc
Opcode Fuzzy Hash: b020a791400283d9f03332956cdf8d7843d3edd70dc76355a45279f1304aab5a
Instruction Fuzzy Hash: 72900225221400121645B558460450B044597D7391395C026F141A590DCA2589666325

Function 00F82AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac209170b740584167a9984008718e9bdeb3b3e171a421206e8a0dd1a853077
Instruction ID: aeb04b9c9bdd685c829e49a07da188bbec3915ec6de9745c40be8f2dbe78cd11
Opcode Fuzzy Hash: 2ac209170b740584167a9984008718e9bdeb3b3e171a421206e8a0dd1a853077
Instruction Fuzzy Hash: 759002A1201540A25A00B258C404B0A450587E1341B55C027E1058560DC9298952A139

Function 00F82BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f544b50a5430f4e3fd290508f9e230dcd1d08cdfbd513a70efcf74e00712b39e
Instruction ID: 1f2a3bb0b8831200e795d3851cfa98a7c2698820780e6f0c15670c77f442a8a5
Opcode Fuzzy Hash: f544b50a5430f4e3fd290508f9e230dcd1d08cdfbd513a70efcf74e00712b39e
Instruction Fuzzy Hash: B890023120544852E64071588404A46001587D1345F55C022A0068694E9A298E56B665

Function 00F82BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fa395ca4cb707321657cdecb021368ccb3acf83b8b5244f938fbb6af4260992
Instruction ID: 511a8f5a0cc4ae764445bfe537c6fb548de796ecd21de2c06ee2276a231b5d90
Opcode Fuzzy Hash: 8fa395ca4cb707321657cdecb021368ccb3acf83b8b5244f938fbb6af4260992
Instruction Fuzzy Hash: 5690023160540812E65071588414746000587D1341F55C022A0028654E8B598B5676A5

Function 00F82B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a1233c04b22dd7ed651ce6d5a36d780a31144635ce24d6bbb35eda56876751
Instruction ID: 2b092b026c20239f5d7a8d419fe577d6184735b75ab4f0ce7c1ab4604ef01740
Opcode Fuzzy Hash: 18a1233c04b22dd7ed651ce6d5a36d780a31144635ce24d6bbb35eda56876751
Instruction Fuzzy Hash: 0190023120140812E60471588804686000587D1341F55C022A6028655F9A6989927135

Function 00F82CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf19744ef4614a7d2d6d2683ce66af1339980ff575dae72a8a271d64a52c908d
Instruction ID: 995903be01fd0d45c5af1e8d513f7bfc9653ee7b668342abda5c3c08af7274ec
Opcode Fuzzy Hash: cf19744ef4614a7d2d6d2683ce66af1339980ff575dae72a8a271d64a52c908d
Instruction Fuzzy Hash: B990023120140413E60071589508707000587D1341F55D422A0428558EDA5A89527125

Function 00F82CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1909ae66023842979c94e9b53dbf6dd5178c3766b28b49dd11d3a9119c0e5be4
Instruction ID: 1e1f2aed8ba679bbae41a9964dae7e99c5177d012e84c6b94151acece252e04a
Opcode Fuzzy Hash: 1909ae66023842979c94e9b53dbf6dd5178c3766b28b49dd11d3a9119c0e5be4
Instruction Fuzzy Hash: 0D90022160540412E64071589418706001587D1341F55D022A0028554ECA5D8B5676A5

Function 00F82C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5f6fdbeafff1e301faaef7be423465506e21c4b1f1351df124b8e248ec06b8f
Instruction ID: 1309d4ca2c01bfb04b8e0a28a5889c5f5c46597b8b89f996983732c35e844432
Opcode Fuzzy Hash: d5f6fdbeafff1e301faaef7be423465506e21c4b1f1351df124b8e248ec06b8f
Instruction Fuzzy Hash: 7690023120140852E60071588404B46000587E1341F55C027A0128654E8A19C9527525

Function 00F82DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b8d9228a6ebf685279608ab25f6bb5532b2bf1d79f22075e7fb138f265ae8a5
Instruction ID: a7dd55ed4145f3ff1e09cad7a5218382a55fc4ae3bd6305bf13c2f9715ce54e3
Opcode Fuzzy Hash: 0b8d9228a6ebf685279608ab25f6bb5532b2bf1d79f22075e7fb138f265ae8a5
Instruction Fuzzy Hash: D290023124140412E64171588404606000997D1381F95C023A0428554F8A598B57BA65

Function 00F82D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca0c0c934a5d6a32d4e3cf271057f9e0126ba05fe125b58821f586d8a4aeb906
Instruction ID: 2df95d377a08ca18761eb282f23a2aaac9ee150b0c97b30f24fdb6c72c5db5be
Opcode Fuzzy Hash: ca0c0c934a5d6a32d4e3cf271057f9e0126ba05fe125b58821f586d8a4aeb906
Instruction Fuzzy Hash: 7990022120544452E60075589408A06000587D1345F55D022A1068595ECA398952B135

Function 00F82EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb564b6c126e8d6e7efca81c18d443ceeb6f3d1ba55284ca91ef4135bd37f56f
Instruction ID: 3e2ce80cd8c7b630f5c4aeed8684de5a44f1b5b8d5a420617c06f5c4dc8695b6
Opcode Fuzzy Hash: fb564b6c126e8d6e7efca81c18d443ceeb6f3d1ba55284ca91ef4135bd37f56f
Instruction Fuzzy Hash: FA90026120180413E64075588804607000587D1342F55C022A2068555F8E2D8D527139

Function 00F82E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fdae2d39a49290eef9a274ce3ef8de74518828e394877d1d9edbdcd6ab5c85
Instruction ID: 5075023bce4b5d04a12bfa8e2f90e405b7a6ce65f4a76459a575315fa3b6bbb0
Opcode Fuzzy Hash: 00fdae2d39a49290eef9a274ce3ef8de74518828e394877d1d9edbdcd6ab5c85
Instruction Fuzzy Hash: 4890022130140412E602715884146060009C7D2385F95C023E1428555E8A298A53B136

Function 00F82FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72dd972a728c4ea87925d9e0df63d7f6e0c3bd900dbd27b01bde6961b76f16b
Instruction ID: 2ff981903f2ef6e93ccb12f699329100900438d7444a9d23d8a44a80a5a714bf
Opcode Fuzzy Hash: f72dd972a728c4ea87925d9e0df63d7f6e0c3bd900dbd27b01bde6961b76f16b
Instruction Fuzzy Hash: 2290023120180412E60071588808747000587D1342F55C022A5168555F8A69C9927535

Function 00F82F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a171304594cf87da5b07a4d1d27886ed6ddfb473589f53c61704211bdda39bf2
Instruction ID: 12c248dfb51c108a5ecd25000eb3e2424a88cbaa8bd0324696a3155374ca541a
Opcode Fuzzy Hash: a171304594cf87da5b07a4d1d27886ed6ddfb473589f53c61704211bdda39bf2
Instruction Fuzzy Hash: D190026121140052E60471588404706004587E2341F55C023A2158554DC92D8D626129

Function 00F83090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bd705576467f788708b5e8bc9fc2df0583b14dc9d550ca9fde6a9cb80d98f8
Instruction ID: 48dca4134c71b0b537e29a92c0ec4bc38ecdab662d20ba628466b1e6d06f6487
Opcode Fuzzy Hash: e8bd705576467f788708b5e8bc9fc2df0583b14dc9d550ca9fde6a9cb80d98f8
Instruction Fuzzy Hash: A790022124140812E6407158C4147070006C7D1741F55C022A0028554E8A1A8A6676B5

Function 00F83010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908161fa1bf765324de8e115683899944696253cb90061d6fc0dea91f19a63b3
Instruction ID: 51dd75316d44a9955205afcfb5c991337f2472395dfc4527096e85bb6d2ef05f
Opcode Fuzzy Hash: 908161fa1bf765324de8e115683899944696253cb90061d6fc0dea91f19a63b3
Instruction Fuzzy Hash: 7E90022120184452E64072588804B0F410587E2342F95C02AA415A554DCD1989566725

Function 00F835C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7421c0402db8c27a6277c94cc422d1c6e19e1d36f941628413aa469eddaa49b7
Instruction ID: 908e2b593f21f36a93449136b2053701b584df330a8bf52d20a63e9a86b79a9c
Opcode Fuzzy Hash: 7421c0402db8c27a6277c94cc422d1c6e19e1d36f941628413aa469eddaa49b7
Instruction Fuzzy Hash: 9A90023160550412E60071588514706100587D1341F65C422A0428568E8B998A5275A6

Function 00F839B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58d258b816884e1ca939ac94a3adb0427ca104085f8c42ecbc945b6a33f3885
Instruction ID: 9a6885a1fd2ea282cb18f897240086c7c2cb01fe6aa4e0ed9eda1b9099cf438e
Opcode Fuzzy Hash: e58d258b816884e1ca939ac94a3adb0427ca104085f8c42ecbc945b6a33f3885
Instruction Fuzzy Hash: 5F90022124545112E650715C84046164005A7E1341F55C032A0818594E895989567225

Function 00F83D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcdc592d71d5028096a0a3a5836443e3b2e11291cd48ac973a6608800e58ea1
Instruction ID: f0aa336df0f142df63d73ed93eae16addfee2759f4e7c326b08a7efb5cc612ad
Opcode Fuzzy Hash: 2bcdc592d71d5028096a0a3a5836443e3b2e11291cd48ac973a6608800e58ea1
Instruction Fuzzy Hash: 1A90023520140412EA1071589804646004687D1341F55D422A0428558E8A5889A2B125

Function 00F83D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 907bfdf5efde5e00eb7748f62eed914d6d3c857134f834ad7cf2fb804eb39f27
Instruction ID: 71aa13fbd463bb3028e2254f75ee3d64b023748735735a0fac6d38e7218a9ffb
Opcode Fuzzy Hash: 907bfdf5efde5e00eb7748f62eed914d6d3c857134f834ad7cf2fb804eb39f27
Instruction Fuzzy Hash: D190023120240152AA4072589804A4E410587E2342B95D426A0019554DCD1889626225

Function 00F82C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 5857ab9bb1c272872b311a025d13eebebf94a0675d5f6af1f137923f8e1fe4e3
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 00F82890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00F8293C
___swprintf_l.LIBCMT ref: 00F8295E
___swprintf_l.LIBCMT ref: 00F829A3
___swprintf_l.LIBCMT ref: 00FBA52E

Strings

:%u.%u.%u.%u, xrefs: 00FBA5B8
::%hs%u.%u.%u.%u, xrefs: 00FBA527
::ffff:0:%u.%u.%u.%u, xrefs: 00FBA54E
ffff:, xrefs: 00FBA504

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9e5700215f7fb4fbb63c440a8c9d31fb3098d3da0a3e857021f7aa7ee3615dd7
Instruction ID: 0ac839b9178f735a858f5750f2e5966e4d1e038a1c8872456d4c7d60f48d01a7
Opcode Fuzzy Hash: 9e5700215f7fb4fbb63c440a8c9d31fb3098d3da0a3e857021f7aa7ee3615dd7
Instruction Fuzzy Hash: 2751FAB6E00116BFDF60EF9988806BEF7B8BB08310B148169E465D7641D734EF50BBA1

Function 00FF2410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FF24A6
___swprintf_l.LIBCMT ref: 00FF24E2
___swprintf_l.LIBCMT ref: 00FF257D
___swprintf_l.LIBCMT ref: 00FF25A3
___swprintf_l.LIBCMT ref: 00FF25C8
___swprintf_l.LIBCMT ref: 00FF2608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 00FF24DA
ffff:, xrefs: 00FF247D, 00FF249D
::%hs%u.%u.%u.%u, xrefs: 00FF249E
:%u.%u.%u.%u, xrefs: 00FF25FF

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 920fd44db904e17dbffd41d53bbb18f03a0b2806031b4319303480ab8c83d573
Instruction ID: 479c74eda0a18db546384d7eeac1ce12caf0859c7d5b60684302ffd34c1d6e36
Opcode Fuzzy Hash: 920fd44db904e17dbffd41d53bbb18f03a0b2806031b4319303480ab8c83d573
Instruction Fuzzy Hash: 2A512671A00649AFCB70DF9CCC9097FB7F8EF44310B088459E695C3692EAB4DE00AB60

Function 00F77630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 00FB46A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 00FB4742
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 00FB46FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 00FB4655
Execute=1, xrefs: 00FB4713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 00FB4725
CLIENT(ntdll): Processing section info %ws..., xrefs: 00FB4787

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: a3905a08bd52c5b2535025f44276322e25373d4b3f83391b3b095e1bde6f5ed1
Instruction ID: a398b8c5c0db74dcad84b0ffc538ea3f47a68c79cdfd9781d5a54e907f524b5e
Opcode Fuzzy Hash: a3905a08bd52c5b2535025f44276322e25373d4b3f83391b3b095e1bde6f5ed1
Instruction Fuzzy Hash: DB513A31A143197ADF10BAA4EC86FED73A8EF14310F1440AAE509A7181EB75AE45EF52

Function 01016940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: ebb7a05e70aa8ad21a893501795c1ac68093d707ca2dc0f62ec1fd4371f7f496
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: E2022571508341AFD345DF18C890A6BBBE5FFC8700F448A6DF9858B268DB7AE945CB42

Function 00F8B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00F8B6BF

Strings

-, xrefs: 00F8B650
0, xrefs: 00F8B695
+, xrefs: 00F8B65A
0, xrefs: 00F8B66F

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: d902d8f3d58bdbe80343c5727dbe56f1ce6a32c90d7292c714adb5b3d6087e40
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: AA81E330E052499EDF24EF68C8917FEBBB5AF85330F18425AE861A72D1D7349C41EB50

Function 00FF20E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FF214F
___swprintf_l.LIBCMT ref: 00FF2172

Strings

%%%u, xrefs: 00FF2146
]:%u, xrefs: 00FF2169
[, xrefs: 00FF212B

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 9af872a9c25d13fcbb8761612d2cc06efd6a54cd921a2b69cbb374bfb4ec7101
Instruction ID: c04c9d1ce6a266c1c97543bc6956cb6c624eb46eafe547f7ab458103036792c1
Opcode Fuzzy Hash: 9af872a9c25d13fcbb8761612d2cc06efd6a54cd921a2b69cbb374bfb4ec7101
Instruction Fuzzy Hash: 34218EB6E0011DABDB50DE69CC41AFEBBE8AF54754F040126EA05E3251EB34DA01ABA5

Function 00F6F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00FB02E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00FB02BD
RTL: Re-Waiting, xrefs: 00FB031E

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: d73561c0decccfd23021b045da346fc9c3bd8cc97938db959cb56235198aac0a
Instruction ID: d8fbed5575a5db16d8bbd821b96bc733c6c8255eb8bd304daabd3938aad7117e
Opcode Fuzzy Hash: d73561c0decccfd23021b045da346fc9c3bd8cc97938db959cb56235198aac0a
Instruction Fuzzy Hash: F1E1E131A047419FD724CF28D885B6AB7E0BF84324F240A6DF4A5CB2E1DB75D949EB42

Function 00F7BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 00FB7B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 00FB7B7F
RTL: Re-Waiting, xrefs: 00FB7BAC

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 114863093132ac1726ca9e8607fe5b3418641aeb796c246ea539615a1d3fa2be
Instruction ID: 3d6773fb05553b6485d4cbcf68ca1fc219a04869d2752dbcce0723f4e00a6568
Opcode Fuzzy Hash: 114863093132ac1726ca9e8607fe5b3418641aeb796c246ea539615a1d3fa2be
Instruction Fuzzy Hash: 4C41E5317057029FC720DE25DC41BAAB7E5EF85720F104A1EF85ADB281DB31E905AF92

Function 00F7B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 00FB7294
RTL: Resource at %p, xrefs: 00FB72A3
RTL: Re-Waiting, xrefs: 00FB72C1

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 22bd92fc3c8eaa868eeef8bf1d21f2f6b3525c402e65d67b1231138edf2d13df
Instruction ID: b8a23c1049469fde6adb77de265a705d9346610e654c90123ffee8459a0c8430
Opcode Fuzzy Hash: 22bd92fc3c8eaa868eeef8bf1d21f2f6b3525c402e65d67b1231138edf2d13df
Instruction Fuzzy Hash: 11410531B04312ABC720EE25CC42FA6B7A5FF95720F144619F859EB281DB31E846ABD1

Function 00FF2300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 00FF238D
___swprintf_l.LIBCMT ref: 00FF23B3

Strings

%%%u, xrefs: 00FF2384
]:%u, xrefs: 00FF23AA

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 4c7386949c3efa3a893cab03ecc36378dd7bda801d845e86116b8957dbec71f2
Instruction ID: 27e7d9ab7cf0154801fc211782ab89d71d4d64f38d822510601f1329393af763
Opcode Fuzzy Hash: 4c7386949c3efa3a893cab03ecc36378dd7bda801d845e86116b8957dbec71f2
Instruction Fuzzy Hash: 14318272A0061D9FDB60DE28CC41BFEB7B8EF44710F444556E949E3241EB34EA44ABA0

Function 00F87D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 00F87E8B

Strings

-, xrefs: 00F87DDD
+, xrefs: 00F87DE8

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 1fb6bf95b9fb458ea6d30d3124fd390cb1c2b98b5dc566514368c1421ddd78ee
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 7491A171E0831A9ADF24FE6AC8817FEB7A1AF44370F74451AE965A72C0DB30DD41A760

Function 00F49126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 00F49191
@, xrefs: 00F49175

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: e8b035115dc05aacc2258adaf0b888396525cbc274848e139041202396f33ae5
Instruction ID: 29d6c1afd1346209c1cdc015f37ef4767f513cbc6311bc0c5427770e98433762
Opcode Fuzzy Hash: e8b035115dc05aacc2258adaf0b888396525cbc274848e139041202396f33ae5
Instruction Fuzzy Hash: 1F812D71E012699BDB35DB54CC45BEEB7B8AF48710F0441EAE909B7280D7745E84DFA0

Function 00FCCEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 00FCCFBD

Strings

@, xrefs: 00FCCF0A
@4Cw@4Cw, xrefs: 00FCCFD5, 00FCCFDA, 00FCCFF1

Memory Dump Source

Source File: 00000009.00000002.2244290413.0000000000F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F10000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_f10000_MSBuild.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 232f84934b81fe59648976eebfbc0cc34439b24806f4a6dc8b4838b13d641f3f
Instruction ID: 99ede4ccf924a1596f80de5cee8173d454a60c692db93c20d0b787f0c8cb0ae3
Opcode Fuzzy Hash: 232f84934b81fe59648976eebfbc0cc34439b24806f4a6dc8b4838b13d641f3f
Instruction Fuzzy Hash: 66419C71D00219DFCB21EFA9C942BADBBB8BF45B10F00402EE944DB255E639D905EB64

Analysis Process: explorer.exePID: 4004, Parent PID: 6528COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	69
Total number of Limit Nodes:	7

Executed Functions

Function 110FF232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 110FF449

Strings

`, xrefs: 110FF41D

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: 33dd125d4addfcd4d454f9e4e089fb717ba21c094ea14df12c2fa8e620d01243
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: CA223B71A18A0A9FDB49EF28C4956AEF7E1FB98305F50422ED45ED3250DF30A452CBC6

Function 11100E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 11100E67

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 88f2b8adbc3e18e740f859b5f28658800910f478758b1c8c9aaa481a1faae823
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 57019E34628B884F8788EF6C948122AB7E4FBD9214F000B3EA99AC3250EB60C5414782

Function 11100E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 11100E67

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 355666ecf4baf2ff4863bd7c953910ad3c58fb9765cca972392179dee473ac60
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 4001A23462CB884B8748EF2C94412A6B7E5FBCE314F000B3EE99AC3240DB61D5024782

Function 110FFF82 Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 815
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 1110012E

Strings

GET , xrefs: 11100318
tion, xrefs: 11100331
dat=, xrefs: 11100290
ose, xrefs: 1110033F
Co, xrefs: 11100323
: cl, xrefs: 11100338
&br=, xrefs: 11100509
&sql, xrefs: 11100471
nnec, xrefs: 1110032A
&un=, xrefs: 111004F1

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: getaddrinfo
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 300660673-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 50cc6f3ce7d519e32d8c1c12671fdeac21f3a29f26bdc242c624c12167a0efda
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 27528E30A18A498BD719EF68C4847EAF7E1FB58304F504A2ED49FC7146EE34B949CB81

Function 110FA8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 110FA9A0

Strings

User-Agent: , xrefs: 110FA935, 110FA948
urlmon.dll, xrefs: 110FA959
on.d, xrefs: 110FA902
nt: , xrefs: 110FA91E

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 29194ecd1c8c0616aa685295d75afa4a4ab5c63bcf8ac3c3788bb554d615ce7e
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: F931D131A14A4E8BCB05EFA8C8857EDB7E0FB58209F40422AE45ED7240DE789645C799

Function 110FA8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 110FA9A0

Strings

User-Agent: , xrefs: 110FA935, 110FA948
urlmon.dll, xrefs: 110FA959
on.d, xrefs: 110FA902
nt: , xrefs: 110FA91E

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 2abfa4491c9da5b1fab97f58949de1464b0ba2b5b3233dcce0823a9d3f3ef509
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: A721F634A14A4E8FCB05EFA8C8857EDBBE0FF58209F40422AE45AD7240DF789645C799

Function 110F6B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 110F6CCA

Strings

.dll, xrefs: 110F6BCD
el32, xrefs: 110F6BA0
kern, xrefs: 110F6B99

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 84f0b3b589d5535f960fe68c050f3562efd192866869a9b18190f405f96e8c8a
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: BF416974D18A0D8FDB44EFA8C8997ADB7E0FB68304F00417AC84ADB255DE349946CB85

Function 110F6B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 110F6CCA

Strings

.dll, xrefs: 110F6BCD
el32, xrefs: 110F6BA0
kern, xrefs: 110F6B99

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 080d4fcdc43f055ac56f592641e47c29f9bdabdd0d3e5220081bc6d52c8a8fdb
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 82413974918A098FDB84EFA8C8997EDB7F0FB68304F04417AC84ADB255DE349945CB85

Function 110FC5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 110FC611

Strings

sock, xrefs: 110FC5D9

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 0887a5aa9955f880b2cb1fd297887d8b10a19c7f9ef3e62ee278727b151b7eab
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: C2018F30618A1C8FCB84EF1CE049B50BBE0FB59314F1545AEE80ECB226C7B0C981CB82

Function 110F42DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 110F432D

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 94279b44391a38d4c790edb79612b3557a74c1d119dead5775922b9c7f5f7b45
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 62316B74A08B4BDFDB58DF29808A295B7E0FB54305F4682BECD2DCA106CB74A554CF92

Function 110F4412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 110F4461

Memory Dump Source

Source File: 0000000A.00000002.3414384840.0000000011000000.00000040.80000000.00040000.00000000.sdmp, Offset: 11000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_11000000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 1f32334a93fde9804e75388cee5486ba2cb3e9c63e9348fbf5310b2de1574d4d
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 65F04630628A090FD788EF2CD44563AF3D0FBE8204F41063EA94DC3224CE39D5828706

Non-executed Functions

Function 0E386D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

ll, xrefs: 0E386F13
el32, xrefs: 0E386F27
user, xrefs: 0E386F03
.dll, xrefs: 0E386F2F
kern, xrefs: 0E386F5A
M, xrefs: 0E387082
wini, xrefs: 0E386F72
net., xrefs: 0E386F44
S, xrefs: 0E387073
32.d, xrefs: 0E386F0B
dll, xrefs: 0E386F4C

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: a618574486551dc01adbdd009202f54f7dfc91e6e0ac81b69e48f9b72485fec3
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 1EE15B74618F488FCB64EF68C4947AABBE1FB58300F904A2E959FC7255DF30A941CB85

Function 0EE8DD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

user, xrefs: 0EE8DF03
S, xrefs: 0EE8E073
kern, xrefs: 0EE8DF5A
el32, xrefs: 0EE8DF27
dll, xrefs: 0EE8DF4C
wini, xrefs: 0EE8DF72
net., xrefs: 0EE8DF44
ll, xrefs: 0EE8DF13
M, xrefs: 0EE8E082
32.d, xrefs: 0EE8DF0B
.dll, xrefs: 0EE8DF2F

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 663cd8cd6377aa4222af43011a94e0acd8606b8edae0eb829950574c9fc91dac
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 92E15A70618B4C8FCB65EF68C4947AAB7E0FB58300F405A2E959FC7255DF30A941DB8A

Function 0E389792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

Subm, xrefs: 0E389855
e, xrefs: 0E3898BD
ypte, xrefs: 0E3898A5
dUse, xrefs: 0E3898AD
encr, xrefs: 0E38989D
ypte, xrefs: 0E3898DA
name, xrefs: 0E38987D
guid, xrefs: 0E3897CE
encr, xrefs: 0E3898D2
swor, xrefs: 0E3898EA
user, xrefs: 0E389876
form, xrefs: 0E38984D
rnam, xrefs: 0E3898B5
d, xrefs: 0E3898F2
itUR, xrefs: 0E38985D
dPas, xrefs: 0E3898E2
Fiel, xrefs: 0E389884

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: d1b7b4b41e54511b0a73e28e953c0a35b39ad0dc3a24a606d2a19651976872a6
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 72B16B30518B488EDB59EF68C485AEEBBF1FF98300F50491ED49AD7251EF70A905CB86

Function 0EE90792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

itUR, xrefs: 0EE9085D
encr, xrefs: 0EE908D2
Subm, xrefs: 0EE90855
rnam, xrefs: 0EE908B5
guid, xrefs: 0EE907CE
user, xrefs: 0EE90876
ypte, xrefs: 0EE908DA
form, xrefs: 0EE9084D
d, xrefs: 0EE908F2
ypte, xrefs: 0EE908A5
e, xrefs: 0EE908BD
dPas, xrefs: 0EE908E2
name, xrefs: 0EE9087D
dUse, xrefs: 0EE908AD
swor, xrefs: 0EE908EA
Fiel, xrefs: 0EE90884
encr, xrefs: 0EE9089D

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 0c3434fcee28416c42698db6dc7017a82243d8705a36de26af3eeceadaab2142
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: F2B18A70518B4C8EDB59EF688485AEEB7F1FF98300F40591ED49AC7261EF709909CB86

Function 0E387622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

c, xrefs: 0E387697
e, xrefs: 0E38766D
w, xrefs: 0E3876B3
l, xrefs: 0E3876AC
d, xrefs: 0E3876A5
s, xrefs: 0E387689
n, xrefs: 0E3876C1
l, xrefs: 0E387682
d, xrefs: 0E38767B
p, xrefs: 0E387690
d, xrefs: 0E3876CF
i, xrefs: 0E38769E
t, xrefs: 0E3876C8
n, xrefs: 0E3876BA
u, xrefs: 0E387661
l, xrefs: 0E3876D6
2, xrefs: 0E387674

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 8539620e8500436a00e9de80a565f16e3d6076675fec2dfa933d1bb7838d7f07
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 0541C270A18B088FDB18EF88A4457BD7BE2FB48700F00025EE849D3245DBB59D45CBD6

Function 0EE8E622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

u, xrefs: 0EE8E661
i, xrefs: 0EE8E69E
t, xrefs: 0EE8E6C8
e, xrefs: 0EE8E66D
s, xrefs: 0EE8E689
d, xrefs: 0EE8E6CF
d, xrefs: 0EE8E67B
w, xrefs: 0EE8E6B3
l, xrefs: 0EE8E6D6
l, xrefs: 0EE8E682
n, xrefs: 0EE8E6BA
2, xrefs: 0EE8E674
d, xrefs: 0EE8E6A5
l, xrefs: 0EE8E6AC
n, xrefs: 0EE8E6C1
p, xrefs: 0EE8E690
c, xrefs: 0EE8E697

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 2403ce5b8fb8079214553e4ad3eab1a6efbba5f169aa0e38ddbf0b0e8c3a5265
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: C141AF70A18B0C8FDB18EF88A8456BD7BE2EB48704F00025ED44DD3355DBB59D458BD6

Function 0E38EAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 0E38EC2D
], xrefs: 0E38ECA8
], xrefs: 0E38EC3D
n, xrefs: 0E38EC98
[, xrefs: 0E38EBF6
[, xrefs: 0E38ECCD
[, xrefs: 0E38EC66
l, xrefs: 0E38EC35
e, xrefs: 0E38ECA0
[, xrefs: 0E38EC90
b, xrefs: 0E38EC73
c, xrefs: 0E38EC0B
D, xrefs: 0E38ECDA
l, xrefs: 0E38ECE2

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: e543fcd2619dbbcc5631e32f5eac1fb6fb364450a516ad6bc97cb879f3b3cda7
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 2FC15C70618F099FC758EF64C8956AAF7E1FB94304F404B2E949AC7250DF30AA15CB86

Function 0EE95AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 0EE95C66
e, xrefs: 0EE95CA0
n, xrefs: 0EE95C98
[, xrefs: 0EE95C90
], xrefs: 0EE95C3D
c, xrefs: 0EE95C0B
], xrefs: 0EE95CA8
l, xrefs: 0EE95C35
[, xrefs: 0EE95CCD
b, xrefs: 0EE95C73
D, xrefs: 0EE95CDA
l, xrefs: 0EE95CE2
[, xrefs: 0EE95C2D
[, xrefs: 0EE95BF6

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 3af69c50705897d10cc39853684ddea6fae734b98defa32d54b996028f0fa35d
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 21C16B74218B098FCB59EF68D4956AAF3E1FB94304F405B2E949EC7210DF30E915CB86

Function 0E38EF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

., xrefs: 0E38EF63
r, xrefs: 0E38EFC0
r, xrefs: 0E38EF90
r, xrefs: 0E38EFB8
n, xrefs: 0E38EF6B
r, xrefs: 0E38EFB0
0, xrefs: 0E38EF5B
c, xrefs: 0E38EFC8
r, xrefs: 0E38EF98
r, xrefs: 0E38EFA0
r, xrefs: 0E38EFA8
r, xrefs: 0E38EF88

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: abf9321bd1c3c2c85cd52e90afb2b3722947e6ef8a986403e127392770a29d19
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 4451E87121C7488FD719EF18C8812AAB7E5FBC5704F501A2EE8CBC7251DBB49906CB82

Function 0EE95F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 0EE95F90
c, xrefs: 0EE95FC8
r, xrefs: 0EE95F98
r, xrefs: 0EE95FB8
r, xrefs: 0EE95F88
n, xrefs: 0EE95F6B
r, xrefs: 0EE95FC0
., xrefs: 0EE95F63
r, xrefs: 0EE95FA8
r, xrefs: 0EE95FA0
0, xrefs: 0EE95F5B
r, xrefs: 0EE95FB0

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 65137630965c98133865e95a2090509fa58a4eee495667851347a16939ecd611
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: A151C73111C74C8FDB19DF18D4816AAB7E5FB85704F50292EE8CBC7256DBB49906CB82

Function 0E3882F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

l, xrefs: 0E3884E2
dll, xrefs: 0E38832E
opera_browser.dll, xrefs: 0E388629
sspi, xrefs: 0E388320
4.dl, xrefs: 0E3884DB
cli., xrefs: 0E388327
nspr, xrefs: 0E3884D4
dragon_s.dll, xrefs: 0E388614

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 9ce6c484fb3a10be1d07ca1d6d69499472ab48c0049fb31eeebfa27702c89d27
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: CDC17E70618B194FCB58FF68D495AAAFBE1FB98300F914729844ED7255DF30AE01CB85

Function 0E3882F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

l, xrefs: 0E3884E2
dll, xrefs: 0E38832E
opera_browser.dll, xrefs: 0E388629
sspi, xrefs: 0E388320
4.dl, xrefs: 0E3884DB
cli., xrefs: 0E388327
nspr, xrefs: 0E3884D4
dragon_s.dll, xrefs: 0E388614

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: a2f0b50709ae8c011afd1b9f1dc721f1cff56df15c5bd6f64a727ed1d08ee136
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: F8C18E70618B194FCB58FF68D495AAAFBE1FB98300F814729844AD7255DF30AE02CB85

Function 0EE8F2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 0EE8F320
nspr, xrefs: 0EE8F4D4
opera_browser.dll, xrefs: 0EE8F629
4.dl, xrefs: 0EE8F4DB
dll, xrefs: 0EE8F32E
l, xrefs: 0EE8F4E2
dragon_s.dll, xrefs: 0EE8F614
cli., xrefs: 0EE8F327

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 9d501bf15f80dc0f7d0fdaa7d5f9d3b4324f3595cf758e60e5d41eafa586e00b
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: CDC18F70628A1D4FCB58FF68D495AAAB3E1FB98304F55572A940EC7250DF309E06CBC6

Function 0EE8F2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

sspi, xrefs: 0EE8F320
nspr, xrefs: 0EE8F4D4
opera_browser.dll, xrefs: 0EE8F629
4.dl, xrefs: 0EE8F4DB
dll, xrefs: 0EE8F32E
l, xrefs: 0EE8F4E2
dragon_s.dll, xrefs: 0EE8F614
cli., xrefs: 0EE8F327

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: ba8e37c217e39268307eeda9df9ab6aceb722710a80a65e5469cf60f34483103
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: ADC19070628A1D4FCB58FF68D495AAAB3E1FB98304F45572A940EC7250DF30AE06C7C6

Function 0E389CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 0E389D9E
Pass, xrefs: 0E389D97
UR, xrefs: 0E389D5F
name, xrefs: 0E389DB2
L: , xrefs: 0E389D66
2, xrefs: 0E389DE1
User, xrefs: 0E389DAB

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: ad957159667a8866d2346b4247587bcd297bd7373249eb059e0fad0dc52344c1
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 03A18F706187488BDB19EFA894447EEBBE1FF98300F404A6EE48ED7251EF7099458789

Function 0EE90CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

L: , xrefs: 0EE90D66
word, xrefs: 0EE90D9E
2, xrefs: 0EE90DE1
UR, xrefs: 0EE90D5F
name, xrefs: 0EE90DB2
Pass, xrefs: 0EE90D97
User, xrefs: 0EE90DAB

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 44ca8cfcd77600f72b2d30bf2f795911460be25c05a33056e4aa16a8c6b827bd
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: F4A1BF7062874C8BDB18EFA894447EEB7E1FF89304F405A2DE48AD7251EF709945C789

Function 0E389CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 0E389D9E
Pass, xrefs: 0E389D97
UR, xrefs: 0E389D5F
name, xrefs: 0E389DB2
L: , xrefs: 0E389D66
2, xrefs: 0E389DE1
User, xrefs: 0E389DAB

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: df61dc7f7abfe3b20a41891ad31fdf0734e7055bd9847bd8f465b61451b23963
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 63917F706187488BDB19EFA8D444BEEBBE1FF98300F404A2EE48ED7251EB749945C785

Function 0EE90CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

L: , xrefs: 0EE90D66
word, xrefs: 0EE90D9E
2, xrefs: 0EE90DE1
UR, xrefs: 0EE90D5F
name, xrefs: 0EE90DB2
Pass, xrefs: 0EE90D97
User, xrefs: 0EE90DAB

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: c902b1ad7874f4831dea94f571521b64c5e6be0815ed3c6698b0882e62a6a851
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 9B919E70618B4C8BDB18EFA8D444BEEB7E1FB89304F40562EE48AD7251EB708945C789

Function 0E389352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 0E3894A0
e, xrefs: 0E38948E
., xrefs: 0E3893B0
, xrefs: 0E38947C
n, xrefs: 0E3893E7

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 114bb981c2776befe1ab2b0201ffa58068794c2963f3f51a269295ca1a9c857f
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 34717371618B498FDB58EFA8C4847AAB7F1FF98304F000A2FD44AD7261EB71D9458B85

Function 0EE90352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 0EE9047C
e, xrefs: 0EE9048E
., xrefs: 0EE903B0
v, xrefs: 0EE904A0
n, xrefs: 0EE903E7

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 4e6f1066b7665046be7a6ff375cab06c672e5a5bf657980ff24c06e468c17fac
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: C6718E31618B4D8FDB58EFA8C4846AAB7F1FF99304F40162FD44AC7221EB71E9458B85

Function 0E384C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 0E384C97
2.dl, xrefs: 0E384C64
dll, xrefs: 0E384C9E
ole3, xrefs: 0E384C5D
shel, xrefs: 0E384C90

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 73fd04bec0ead2591c94cd3aae752faeb66dedc438b802e4e34585e8c0e18e9b
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: FB513DB0914B4C8BDB54EF64C0456EEB7F1FF68300F404A2E949AE7254EF709541CB99

Function 0EE8BC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

ole3, xrefs: 0EE8BC5D
dll, xrefs: 0EE8BC9E
l32., xrefs: 0EE8BC97
shel, xrefs: 0EE8BC90
2.dl, xrefs: 0EE8BC64

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: b6afa12d43c5ef8f191b84530deb01adae31bb023357863ceb89715633e4c6a8
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 7A516FB0918B4D8FDB54EFA4C044AEEB7F1FF58300F405A2E959AE7214EF3095459B89

Function 0E38586F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

dll, xrefs: 0E3858F4
4, xrefs: 0E3859E9
\, xrefs: 0E3859E0
vers, xrefs: 0E3858E4
ion., xrefs: 0E3858EC

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 3713bb86bb03049645dfa9cddf30fb0514fc3ee6eb47bdbefe02e569178aa99b
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 35416F30268B4D9BCB69EF2498957EA77E5FB99301F40462E989EC7240EF30D945C782

Function 0EE8C86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

ion., xrefs: 0EE8C8EC
vers, xrefs: 0EE8C8E4
\, xrefs: 0EE8C9E0
dll, xrefs: 0EE8C8F4
4, xrefs: 0EE8C9E9

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 8b0abb54877680866dd3338ca10176dddf723a10d9b43bbbf1cf48388f91be6e
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: B9418130228B8C8FCB75EF2498557EAB3E4FB99305F515A2E985EC7240EF30D9058782

Function 0E3874B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 0E38750E
cli., xrefs: 0E387515
user, xrefs: 0E3874D3
32.d, xrefs: 0E3874DA
dll, xrefs: 0E38751C

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: fff65a222dd249d3c5052b3b3bbbaabf130b1b9630937d8aa9d943587d274634
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: AE415D70A18F0D8FCF58FF6881957AD7BE6FB68300F50456BA80ED7250DA70D9418B86

Function 0EE8E4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

user, xrefs: 0EE8E4D3
dll, xrefs: 0EE8E51C
sspi, xrefs: 0EE8E50E
32.d, xrefs: 0EE8E4DA
cli., xrefs: 0EE8E515

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: db7aba3744618518c6d5dd3aeac1fdfdb11995a5eaada1ece09d2838214adef1
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: FE417E70A28E1D8FCF98FF68C5957AD73E1FB58304F40556AA80ED7260EA70C9418B86

Function 0E385432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 0E38553F
kern, xrefs: 0E38552A
h, xrefs: 0E38551F
el32, xrefs: 0E385537

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 2ef026837e5c9b9c5ae66ca7be3b092d7fcda98ee6a0af159468de6fcccade51
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 2F418370608B4D9FD769EF28C4983AABBE1FB98301F104A6F949EC7255DB70C945CB42

Function 0EE8C432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

el32, xrefs: 0EE8C537
.dll, xrefs: 0EE8C53F
kern, xrefs: 0EE8C52A
h, xrefs: 0EE8C51F

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 74d4bb32250463e01803f040b11e9bf379a476c70fb91ce5c19f95f1e520adcd
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 48418270618B4D4FDB69EF2880843AAF7E1FB99304F105A2F959EC3255DB70C845CB42

Function 0E38C0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

, xrefs: 0E38C184
Snif, xrefs: 0E38C154
om:, xrefs: 0E38C146
f fr, xrefs: 0E38C13D

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: d7505a7f8be0ee6cd864e5cbecc8867462398614596278c3d74c8075d7579131
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: BE31B071519B885FD71AEB28C4846EABBD4FB84300F504D1EE49BD7252EF31A949CA43

Function 0EE930B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

, xrefs: 0EE93184
om:, xrefs: 0EE93146
f fr, xrefs: 0EE9313D
Snif, xrefs: 0EE93154

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 2960305d08aa3291a865f5f9364bac93ccef94d9e44902e7c01405986d34c385
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 5231A17151CB8C6FDB1AEB28C4856EAB7D4FB94300F505D1EE49BC7261EE30A949CB42

Function 0E38C0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 0E38C184
Snif, xrefs: 0E38C154
om:, xrefs: 0E38C146
f fr, xrefs: 0E38C13D

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 4eb551d63ce9bed85ac4eb0877ff016f81ab174489d0128f4027b65be77b23ad
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 2D31B271519B486FD719EB28C4846EABBD4FB94300F504D1EE49BD7292EF30E946CA43

Function 0EE930C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

, xrefs: 0EE93184
om:, xrefs: 0EE93146
f fr, xrefs: 0EE9313D
Snif, xrefs: 0EE93154

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 09b98b43e25c7424f716e469b7a560ed16064f198ac5038a40112abe76ef02a0
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 6131E071518B4C6FDB1AEB28C4846EAB7D4FB94300F404D1EE49BC3251EE30A94ACA42

Function 0E387FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 0E388023
hild, xrefs: 0E387FF6
.dll, xrefs: 0E387FFE
me_c, xrefs: 0E387FEE

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: a70b3f057385db7144927b25a1d1f8da54c440a95bb97731742c704be50d1172
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: AC318B70218B184FCB84FF289494BAABBE1FB98200F840A6D944ADB254DF30C905CB52

Function 0EE8EFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 0EE8EFFE
chro, xrefs: 0EE8F023
me_c, xrefs: 0EE8EFEE
hild, xrefs: 0EE8EFF6

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 15ad78fb8e34bea7a12b5b4e59317ca65ac2824408d79b879908b27bb65a6a1a
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: CF317E70228B4C4FCB84FF289494BAAB7E1FF98200F946A2D944ECB264DF30C945C752

Function 0E387FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 0E388023
hild, xrefs: 0E387FF6
.dll, xrefs: 0E387FFE
me_c, xrefs: 0E387FEE

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 4b5794c5aa4f52e0c7a9165abbfc2046ba3137ed9132c7b0bcaa424e20a3dea4
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 51319C71218B188FCB94FF289494BAABBE1FFD8300F855A6D944ADB254DF30C905CB52

Function 0EE8EFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 0EE8EFFE
chro, xrefs: 0EE8F023
me_c, xrefs: 0EE8EFEE
hild, xrefs: 0EE8EFF6

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: e055d8c4cc3d6661f64d4c10a3fcc98298097995c368acccb1224f4afb780040
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: CE316D70228B4C4FCB84EF689494BAAB7E1FF98300F946A2D944ECB265DF30C945D756

Function 0E38A8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 0E38A959
User-Agent: , xrefs: 0E38A935, 0E38A948
on.d, xrefs: 0E38A902
nt: , xrefs: 0E38A91E

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 4095f9076c5d82fe614d2bdb12fa1008bd4d4b71d8b472aa96c9bb860bc16185
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: EF31DF31614A4D8BCF44FFA8C8847EEBBE1FB58205F40062AD44EE7240DF788A45CB89

Function 0EE918C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

nt: , xrefs: 0EE9191E
urlmon.dll, xrefs: 0EE91959
User-Agent: , xrefs: 0EE91935, 0EE91948
on.d, xrefs: 0EE91902

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: ef8aa0e07ce09d3ebb51c23b7a5199a279020eda46e9ee7b50a91c8cc752a989
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 4331DD71614A0D8BCF05EFA8C8847EEBBE1FB58204F40162AD45EE7250DF788A49C789

Function 0E38A8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 0E38A959
User-Agent: , xrefs: 0E38A935, 0E38A948
on.d, xrefs: 0E38A902
nt: , xrefs: 0E38A91E

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 69e9dee55d248caadab842493c7c19d7a7c52c2715af51501dc26d75c813ceb4
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 6121D030A14A4D8BCF44FFA8C8847EDBBE1FF58205F41462AD45AE7240DF748A05CB89

Function 0EE918BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

nt: , xrefs: 0EE9191E
urlmon.dll, xrefs: 0EE91959
User-Agent: , xrefs: 0EE91935, 0EE91948
on.d, xrefs: 0EE91902

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 6bda40a26b0a1a44f7a2b8cada0adbd67086aa16006e48756c97c4bbe380bb1a
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 9B21E171A14A4D8BCF05EFA8C8847EDBBF1FF59204F40562AD45AD7250DF748A09CB89

Function 0E38BE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E38BF03
t, xrefs: 0E38BEF4
., xrefs: 0E38BF1F
l, xrefs: 0E38BF26

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 132a3e48d5d37108a4791bb3923eed97529554f8ac9879f1a9912cf48dcede11
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 59215C74A24B0E9FDB48EFA8D0447AEBAF1FB58304F504A2ED049E3610DB749951CB84

Function 0E38BE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E38BF03
t, xrefs: 0E38BEF4
., xrefs: 0E38BF1F
l, xrefs: 0E38BF26

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 604604ed8f36cd2b34fcef59ceb7a3b96af5fb2f705e866fb233d09ec001d94a
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 10216B74A24A0E9BDB48EFA8D0447EEBBF1FB58304F504A2ED049E3600DB789951CB84

Function 0EE92E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 0EE92F1F
l, xrefs: 0EE92F03
t, xrefs: 0EE92EF4
l, xrefs: 0EE92F26

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: e46ee2bd7d00d680c8a179e6b6cf1bcdd282fa6df0b3c6d1d4db3c0bb421375d
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 01215A74A24B0E9FDB48EFA8D0447AEBAF1FF58304F505A2ED009D3610DB7499958B88

Function 0EE92E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 0EE92F1F
l, xrefs: 0EE92F03
t, xrefs: 0EE92EF4
l, xrefs: 0EE92F26

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 7d7b8ebfbabfb1cf93655bf217fe1e709c0ff484f9b5b93e602ec9749c3b88e7
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 92216B74A24B0D9BDB08EFA8D0447EDBBF1FF18304F505A2ED009D3610DB7499958B88

Function 0E38BFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 0E38C022
auth, xrefs: 0E38C02F
user, xrefs: 0E38C015
logi, xrefs: 0E38C03C

Memory Dump Source

Source File: 0000000A.00000002.3411921457.000000000E320000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e320000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 6ef1f0ecc88b55676e427bf6371e4a10f01e16f16dd670bfd2f989d7a51c7685
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 2321C070614B0D8BCF05EF9998906EEBBE1EF88344F005619D44AEB345D7B0D9148BC6

Function 0EE92FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 0EE9302F
pass, xrefs: 0EE93022
user, xrefs: 0EE93015
logi, xrefs: 0EE9303C

Memory Dump Source

Source File: 0000000A.00000002.3412589618.000000000EE70000.00000040.80000000.00040000.00000000.sdmp, Offset: 0EE70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ee70000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 8c53bc6d6182a3bf18ecd6c9d5a24a5c070597763cfc00a02596f0e1bb610f51
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 4921C030624B0D8BCF05DF9D98906EEB7E1EF88344F006619D44ADB358D7B0E9148BC6

Analysis Process: zhvapfBrgjZdoS.exePID: 6548, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	426
Total number of Limit Nodes:	22

Executed Functions

Function 072B869C Relevance: 1.7, Strings: 1, Instructions: 463COMMON

Download Yara Rule

Strings

@RM_, xrefs: 072BE277

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID: @RM_
API String ID: 0-1802174674
Opcode ID: 122e9159a1fd32ebdd631652f1cad5d65de5d022d6d8190c354e67ba5d5f762d
Instruction ID: 32074f9288e58f462b3f899ebefd255ccf31028218dd6a2db1d783fcf832f32b
Opcode Fuzzy Hash: 122e9159a1fd32ebdd631652f1cad5d65de5d022d6d8190c354e67ba5d5f762d
Instruction Fuzzy Hash: 24028074A103199FCB14DFA9C854AAEBBF6FF89350F10856AE509AB350DB309D42CF91

Function 072B85DC Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a50bbdffdc407432c9a2ca89ab1ac1340dc329303499b017894aaa8a510a0c
Instruction ID: 4a6241036ee1b9bf70413873c06f1dbc08c6a2174d6c22d4d496aba624441501
Opcode Fuzzy Hash: 55a50bbdffdc407432c9a2ca89ab1ac1340dc329303499b017894aaa8a510a0c
Instruction Fuzzy Hash: ADA24C71E102598FCB14DF68D8986EDB7B2FF89340F1582A9D90AA7351EB706E85CF40

Function 072BB6CC Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

@RM_, xrefs: 072BEBDA

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID: @RM_
API String ID: 0-1802174674
Opcode ID: bc39cb1e8285f3f44ac29aeb37d7462aab057cca0259cf13fdb4b63fe19d3c22
Instruction ID: 41233f6cd7cd127f618849cb5ab1d882abf4eb6b0a4abca01f41b0273204733d
Opcode Fuzzy Hash: bc39cb1e8285f3f44ac29aeb37d7462aab057cca0259cf13fdb4b63fe19d3c22
Instruction Fuzzy Hash: 4E71D3B5E10209AFCF15DFA8D980ADEBBF6FF48310F14852AE915A3210D7359951CFA1

Function 072B25B8 Relevance: 1.3, Strings: 1, Instructions: 66COMMON

Download Yara Rule

Strings

@RM_, xrefs: 072B25E2

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID: @RM_
API String ID: 0-1802174674
Opcode ID: 3dfdb918dda207c304d7552a269758b6815f28f08575f14193da2f4aa41e1147
Instruction ID: f72c1289707899e9e986acdc2eddd5f1191f68fc10d3845e7dda64ba3903dd2b
Opcode Fuzzy Hash: 3dfdb918dda207c304d7552a269758b6815f28f08575f14193da2f4aa41e1147
Instruction Fuzzy Hash: 6321FEB590134ADFDB10CF9AD884ADEFBF8FB48310F24842EE519A7200D774A944CBA4

Function 072B25C0 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

@RM_, xrefs: 072B25E2

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID: @RM_
API String ID: 0-1802174674
Opcode ID: 9325c76e3e9acbc7b59eee566ce20b6c10f6e85718f3fa72c8088cea1eca28cf
Instruction ID: 5234662acb51a9dbafff083ad4e619f6da2e81c1cc34b592651098f9ab689f11
Opcode Fuzzy Hash: 9325c76e3e9acbc7b59eee566ce20b6c10f6e85718f3fa72c8088cea1eca28cf
Instruction Fuzzy Hash: D321DFB5D0134ADFDB10CF9AD984ADEFBF4BB48310F24842EE519A7200D775A944CBA4

Function 072BB6DC Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

@RM_, xrefs: 072BE277

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID: @RM_
API String ID: 0-1802174674
Opcode ID: f734108823aae137bf5115d0433096e18d92d705f6e07040fe7fadd26bb8417f
Instruction ID: c8bcfb0b9f0e6d365938f2276169257e8820e9eaba12e1f40858140d4ec3989f
Opcode Fuzzy Hash: f734108823aae137bf5115d0433096e18d92d705f6e07040fe7fadd26bb8417f
Instruction Fuzzy Hash: D82106B5C003499FDB10CF9AD844ADEBBF4FB48320F508419E918A7300C374A554CFA1

Function 072BB7D0 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a051a12c7e81d85816cb0b279f35a0c777099183fc94a0888746c7a01968a9
Instruction ID: fb8a32da28f9c8cf8a1f1b4d105b0993b518c40cb09216499157b98ec002ed0e
Opcode Fuzzy Hash: 70a051a12c7e81d85816cb0b279f35a0c777099183fc94a0888746c7a01968a9
Instruction Fuzzy Hash: 5202A57191061ACFCB10EF68C844ADDB7B1FF49304F118699E959B7221EB70AA89CF80

Function 072BB7C0 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ae2f544ee9a756bd96dfa9d80614ba22c0c76b57b9eac1c38b4f6a7ab63b38
Instruction ID: f45702da2cbf1e46dcf5d375da76aa4c6e8904ac16ff7c38e6ddac7bfc6b88b8
Opcode Fuzzy Hash: 85ae2f544ee9a756bd96dfa9d80614ba22c0c76b57b9eac1c38b4f6a7ab63b38
Instruction Fuzzy Hash: A9F1B371D1061A8FCB10EF68C944ADCB7B1FF59300F11869AD959B7220EB70AA89CF80

Function 072B0448 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8421f3cec8a26966c462ef0bc808a8c57e4cea6c0878da92c4baa3b0a42e4b7
Instruction ID: 92f2fdf1aa197eccc1f266156af741032c469817164fb0b3027dc4871c81d3cd
Opcode Fuzzy Hash: e8421f3cec8a26966c462ef0bc808a8c57e4cea6c0878da92c4baa3b0a42e4b7
Instruction Fuzzy Hash: ECC15C74B2021A9FDB25DFA8D854AAE7BB6BF88740F148169E905E7390DF30DC41CB90

Function 072BAD88 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 916206061f97d2ebbb124bd812339347160bf152a42e3aa0f74029e9e376feba
Instruction ID: c6455f650918801d8b122dea53c4200da2735befb55f490533317d0bdb7ddb0a
Opcode Fuzzy Hash: 916206061f97d2ebbb124bd812339347160bf152a42e3aa0f74029e9e376feba
Instruction Fuzzy Hash: 6DA1B575A1020ACFCB14DFA8D8949DDBBB5FF49300F20866AE819EB351EB31A955CF50

Function 072BAD78 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75937c923fb1cb9f30660200f607415cc52238e0c56c45b66abf2a3afd8d919b
Instruction ID: 716bccf56f9842de03f28b7f6228140f956e55dc1e6238b94f7871057602acec
Opcode Fuzzy Hash: 75937c923fb1cb9f30660200f607415cc52238e0c56c45b66abf2a3afd8d919b
Instruction Fuzzy Hash: 87A1D475A1020ACFCB10DFA8D8949DDBBB5FF49300F20866AE819EB351EB31A955CF50

Function 072BB37C Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c3a859cad5e2d710ae01b73befb229190fce7f2ed1098fe3e48aa92121559f8
Instruction ID: 01a578e4faacbe34678b520b3ceb31659e99047dc269ed224e92a1eec9cf7367
Opcode Fuzzy Hash: 8c3a859cad5e2d710ae01b73befb229190fce7f2ed1098fe3e48aa92121559f8
Instruction Fuzzy Hash: 9891FB75D1020ACFCF21DFA8C844ADDB7B1FF49340F1485AAE959AB211EB70AA85CF50

Function 072B86AC Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1640646adcfb52f7ceb20b839db9625b27225dbc483882c3e76fc9b0861ba0d4
Instruction ID: a1b525520fa2b23624a403f6da5aebd007d74613686add2a971077ff0255220f
Opcode Fuzzy Hash: 1640646adcfb52f7ceb20b839db9625b27225dbc483882c3e76fc9b0861ba0d4
Instruction Fuzzy Hash: FB911C74910719DACB24DF64C840BEEBBB5FF89300F10859AE949A7211EB719E86CF91

Function 072BB55C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e1dc1aa6c1ccc8736c0bafd814e413fa96dc5e6acca239ceda31de5276ffe3
Instruction ID: 276e36d71a375290d56a1f3e6ee7d596c65c9f641b6662fe255fd0b5e9056e51
Opcode Fuzzy Hash: f6e1dc1aa6c1ccc8736c0bafd814e413fa96dc5e6acca239ceda31de5276ffe3
Instruction Fuzzy Hash: 3341CF70B106058FCB14EF68D8486AEBBF2EFC9350F15455AE109EB361DB749E41CB91

Function 072BC798 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b039adcd3d1e6c44ea5e99fb7956ecbf80fd7ddb73f15fc0fb87fc5572ddd3f1
Instruction ID: 00294141e84633feebc14d6e6bc91c9aa7291a5f5aab971df59658a5382ab14f
Opcode Fuzzy Hash: b039adcd3d1e6c44ea5e99fb7956ecbf80fd7ddb73f15fc0fb87fc5572ddd3f1
Instruction Fuzzy Hash: 3F413CB1A1020ACFCB15DF68C48499ABBF5FF88310B14C669D819EB345DB74E945CBA0

Function 072B1780 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb7d2ea9a277242c4eec7648ea6f3c7ba5c8f38567971caeccdecb1f286c4fa
Instruction ID: 2432781e986ea11f0e963bf36223d727b1f59fb179cde7620b1afbc8b21c9da2
Opcode Fuzzy Hash: 4eb7d2ea9a277242c4eec7648ea6f3c7ba5c8f38567971caeccdecb1f286c4fa
Instruction Fuzzy Hash: 20415C31D2060DDFDB14EFA8E955ADDBBB1FF49381F008129E94577250EB30AA98CB91

Function 072BBECB Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3083e4b84234c9a2c3a553ac75dba628d498867350a2ce25a3d759e255750be6
Instruction ID: 4ab5a8ca8bbf6b2236bf2ad93393970b75ed27c6b5217a21bbd49261123a2f4a
Opcode Fuzzy Hash: 3083e4b84234c9a2c3a553ac75dba628d498867350a2ce25a3d759e255750be6
Instruction Fuzzy Hash: 78310A75A10619DFCF04EF68C884DDDFBB5FF89310F058699E5056B220EB70A949CB90

Function 072BBED8 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f5cd7ec2a94f2a95704d5b17fafd7f92e42df993701c3d67bf69b3b09d1142
Instruction ID: 2ef5b34961ea2cbcf59966e1d0f5466a350d4eeeff42c138a85a183d9a225398
Opcode Fuzzy Hash: a2f5cd7ec2a94f2a95704d5b17fafd7f92e42df993701c3d67bf69b3b09d1142
Instruction Fuzzy Hash: 2D31E935A10619DFCF04EF68C894CDDFBB5FF89314B058699E505AB221EB70A949CB90

Function 072B7E70 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11c6951a8ce300d906f83b05fc1f5228d120b8495cced89f4287545ebe36073
Instruction ID: 9569c6b4961861e1ab57f5402378bea2d1376be5245bf90f24752ef90baf773b
Opcode Fuzzy Hash: b11c6951a8ce300d906f83b05fc1f5228d120b8495cced89f4287545ebe36073
Instruction Fuzzy Hash: 6F2165703302124FEB18A768C468BBE3396AFD9B40F14406AE506CB7E5CEB1DC418795

Function 0113D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2230908135.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_113d000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4be7fd2cf04673b9b333b9e1c618337bf8f513d59ba2d9a9d6d9d2185c0522a
Instruction ID: 5c8461d723257e4e1f28aa07dbd742077f90a8ca80054a761f9cc1f425b25435
Opcode Fuzzy Hash: d4be7fd2cf04673b9b333b9e1c618337bf8f513d59ba2d9a9d6d9d2185c0522a
Instruction Fuzzy Hash: 3621F4B6504204DFDF09DF54E9C0B66BF65FBC4324F60C169D9090B65AC336E456CBA2

Function 0113D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2230908135.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_113d000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99ec67b72c2e33b7da1e38ead78064a7aa25e191536094dff6704106c3bae295
Instruction ID: c5b145fc48310230cf49ae8e050a95dc3d214337a96ef408b0f1a17fea325213
Opcode Fuzzy Hash: 99ec67b72c2e33b7da1e38ead78064a7aa25e191536094dff6704106c3bae295
Instruction Fuzzy Hash: F6210672504240DFDF09DF54E9C0B26BF75FBC4318F60C569E9090B29AC336D456CAA2

Function 072BF448 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f645ccfc18ed324c7c8c4fab8c080647d023d52408cd8cb11644200c1dfc564b
Instruction ID: b9a76032e89ae723c543d2708722642ad77344c5882e802386e9955bb197e7d5
Opcode Fuzzy Hash: f645ccfc18ed324c7c8c4fab8c080647d023d52408cd8cb11644200c1dfc564b
Instruction Fuzzy Hash: 352168B4A10605CFCB04EF68C989AEEBBF6EF88310F04415AE4099B321DBB49D41CB91

Function 072B4544 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e06e2a4ff4460c5f14977049522db79444590833a905a219edf05dacb8a9466
Instruction ID: 024d68adfc52261543ac02a59ffd89fc89e07c613403ed4adc8ab33e41cbd849
Opcode Fuzzy Hash: 2e06e2a4ff4460c5f14977049522db79444590833a905a219edf05dacb8a9466
Instruction Fuzzy Hash: 2321F131A107018BDB04EF39C8982E5B762EF96308F0985BDD84A2F216DFB1A484C791

Function 072BD740 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4bae83af0e3fe54707b207f169c4f9116095f468c8486da40d47971cd9bc3c
Instruction ID: f475b8bce12abbb48932b3557a3c6f2329fe004e0a560d2867d0317e58b6ea35
Opcode Fuzzy Hash: 4a4bae83af0e3fe54707b207f169c4f9116095f468c8486da40d47971cd9bc3c
Instruction Fuzzy Hash: EE115B70310610CFCB29B73994246AE32E6AFC9641B1840BDD10ACF3A1CEB6CC439789

Function 072B2E00 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e9be45b73b66d562ae008f32c1919f1d1f6b9d9b785334805b7e8f6acb653c5
Instruction ID: c0c4120a6498a4791c5a5340dab5cc9f958283c299b0ac148fdd430673dca32a
Opcode Fuzzy Hash: 8e9be45b73b66d562ae008f32c1919f1d1f6b9d9b785334805b7e8f6acb653c5
Instruction Fuzzy Hash: D111BE313106118FC714EB69D888EAEBBEAFF89224B14452EE046DB760DF30DC02CB90

Function 072B7651 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8263e3b0a057c9f2e8031e740ecc877207d71c2a041b9c82926cd8ebd6e4fcd
Instruction ID: cda259920b51a2f849ab0e65c549c56bad254778655bb56ebfecf55df1cdfcab
Opcode Fuzzy Hash: e8263e3b0a057c9f2e8031e740ecc877207d71c2a041b9c82926cd8ebd6e4fcd
Instruction Fuzzy Hash: 1921E131A007418FDB00EF39D4982E5BB71EF96318F0985BDD84E1F256DB71A484C751

Function 072B2C82 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bc35914a8dc0748d45b308580340a66184a225abb174df2b51dd252be5d3c2
Instruction ID: 6e821bb6412a3c33f531ebbdcc5e5ec02cdd727245bf44ac9bc49c6f1b32a9a8
Opcode Fuzzy Hash: d5bc35914a8dc0748d45b308580340a66184a225abb174df2b51dd252be5d3c2
Instruction Fuzzy Hash: 6121F335A10219CFDB59EB69C898AEDB7F2BF88310F554469E401BB3A5CB759C02CB60

Function 072B2E10 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05eae09db8cc7eb4a77732bb376481e0385cc6b9f5a07046b0074021064bab3
Instruction ID: 13341eec4c37aa9b78ce29bfbeeb6125f9a16327be3c3db9f9166a912b44dcf1
Opcode Fuzzy Hash: c05eae09db8cc7eb4a77732bb376481e0385cc6b9f5a07046b0074021064bab3
Instruction Fuzzy Hash: 051191713106108FC714EB69D888D6E77EAFF89660B10456EE106CB760DF70EC01CB90

Function 072B2C90 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320548111c4b262ed1943d953ca8ca959b1237d27dd5c918143c4c8d5e8245c3
Instruction ID: 1e4167a9dbab7553991f02e35e9fe01266f82c23f37e9ba10b2e4fd19c49de92
Opcode Fuzzy Hash: 320548111c4b262ed1943d953ca8ca959b1237d27dd5c918143c4c8d5e8245c3
Instruction Fuzzy Hash: 2621F735A10219CFDF18EB69C898AEDB7F2BF89310F514469D401BB3A4CB759C01CB64

Function 072BC560 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1edc83a3b557a2ab8ff447bc671e7ded6e4a1dc31e361a98ef99302633b06be
Instruction ID: 12297d6736f06ec6bf0cdc514255d377d73f6ef53a9b7ac516c90f97cf86db7a
Opcode Fuzzy Hash: b1edc83a3b557a2ab8ff447bc671e7ded6e4a1dc31e361a98ef99302633b06be
Instruction Fuzzy Hash: 88114FB1A1021A9FCB00DFA8D4917EEBBF4FB49350F10805AE919EB345E7309A04CBE1

Function 072BACE8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebbd2d0dac4fb8c1440f3c848c461015886049b3f5d8f553d069670cdb84045a
Instruction ID: 699f73f314977392cc7183b5256b3bc9bace9742fd0727fca89da8bd07fa1b44
Opcode Fuzzy Hash: ebbd2d0dac4fb8c1440f3c848c461015886049b3f5d8f553d069670cdb84045a
Instruction Fuzzy Hash: E9113071A0011AAFDB10CF98C8819EFBBB6FB88310F10C519F904A7240D771AE55CBA1

Function 0113D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2230908135.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_113d000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 3405d3976b0e99fdc4fde29f7850857e310272585d57f71e5c10c882404b137f
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 3411CDB6404280CFDF06CF54E5C0B56BF61FB84224F2482A9D8090A65AC33AE456CBA2

Function 0113D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2230908135.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_113d000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 0d3c0d880fe0849e1d99a7c5dba6ee9a7495f9812d38346c2efb0b05930e5191
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 0011AF76504280CFDF16CF54E5C4B16BF71FB84328F24C6A9D8490B65AC33AD456CBA2

Function 072BCF50 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7c1f7b7b90e19a1c8e06cccaf90551c392cf6afd04576d6436bbe5ac64c0d7
Instruction ID: 9f697e2bf90a403153af3cfc1e2a222188f2277ddd1435ffb90a0404f97aa6ca
Opcode Fuzzy Hash: 5a7c1f7b7b90e19a1c8e06cccaf90551c392cf6afd04576d6436bbe5ac64c0d7
Instruction Fuzzy Hash: C401F975A007058FC710EB68D884ADDB775FFD6370F00875AE81557290EB305E42CB91

Function 072BACF8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1f32f8f807b5ce9ea276755102fd142ba24820ee70f022a56a59c6d68c61a8
Instruction ID: e630112fb0f08a64cf7216205fb66886b31a07de5d293d2649c8d74468efaa06
Opcode Fuzzy Hash: bc1f32f8f807b5ce9ea276755102fd142ba24820ee70f022a56a59c6d68c61a8
Instruction Fuzzy Hash: 10111C71A0010AAFDB14DF98C8818EFBBB6FB88310F10C519F914A7240D771AE55CBA1

Function 072BC54F Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361483894ab2558a1a23b25dfd39b8fa44540f10286199d9c0ca2dfd8fb22b01
Instruction ID: d7f917d91496917a76e9999be41717b799c7b2ce74e2c1fe965cb16c68a3a482
Opcode Fuzzy Hash: 361483894ab2558a1a23b25dfd39b8fa44540f10286199d9c0ca2dfd8fb22b01
Instruction Fuzzy Hash: BC114CB1E1021A8FCB40DFA8D4917EEBBF0FF49300F14816AE958EB345D6309A41CB90

Function 072BAC5B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5f0c07edefeb6d2593227aa1186ec9927b92dd14ae772c22a4b4e78e6af9bc
Instruction ID: 1bbf9d2274be5085c0f6ba6e4e5d8d4969d3610b9aef2cafb2307586253af74f
Opcode Fuzzy Hash: 3c5f0c07edefeb6d2593227aa1186ec9927b92dd14ae772c22a4b4e78e6af9bc
Instruction Fuzzy Hash: 38115E76D102198FCB40EFA8C945AEEBBF4FF48300F148666D918F7204EB709A048BE1

Function 072BAC68 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 074ef8daca53774fabfad84a57e507ece80aca1c8e72ab1c864e6fecfd4b7d3e
Instruction ID: dd89b82d278559909e5c61a6678cdda1c398a75f7f94fe307c1f067ae17fe264
Opcode Fuzzy Hash: 074ef8daca53774fabfad84a57e507ece80aca1c8e72ab1c864e6fecfd4b7d3e
Instruction Fuzzy Hash: 78012171D106198FCB50EFACC8445EEBBF4FF49310B108666D915F7214EB709A048BE1

Function 072B85EC Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff075c079858925affe7cea6f07d70b3d671057f1d496e9c1f69d10e72fd62d6
Instruction ID: 1cacae90dfb785905cc93fe652a06cfdd394e155752db24a859c1a325d6a7319
Opcode Fuzzy Hash: ff075c079858925affe7cea6f07d70b3d671057f1d496e9c1f69d10e72fd62d6
Instruction Fuzzy Hash: E101A9B5A2061A9FCB10EA68D9409FFF7F9FFC9350B104629D905A3300EB70AE0586E1

Function 072BCF80 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ba6e49c9f46633cf65aaebc07402cbc7531846719d233a9dc2ecdfab678ab28
Instruction ID: 2efd342227a4f0c6ac3a32524f255ae684f0ec40fa69f890fb6b9dec49ac2635
Opcode Fuzzy Hash: 0ba6e49c9f46633cf65aaebc07402cbc7531846719d233a9dc2ecdfab678ab28
Instruction Fuzzy Hash: 8B01A935A007059BCB10FB68D8848EEF7B9EFC9750F408259E90557354EB305A41CBE5

Function 072BEF39 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b54a91c16671fcfe84ce3bf4f955095c6977d840f8457f6ca0b56f2277d1d6
Instruction ID: 8576cc77ec41e8a74d99f2045b5fff4432923c69278ea7f43cc0b256ae3cc41e
Opcode Fuzzy Hash: 07b54a91c16671fcfe84ce3bf4f955095c6977d840f8457f6ca0b56f2277d1d6
Instruction Fuzzy Hash: 07F052B1B1062143EB28B73A18602FEB2079FC1B60F25462E811887280CE38880283C6

Function 072B86BC Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3080acf0cd44b50287d54ae7248c63a5029befb8ae1fd0535ff868583f723aa3
Instruction ID: 663789e180df2b8da6067eda458d931316b88a34340cccf5d59d01fac0c5e706
Opcode Fuzzy Hash: 3080acf0cd44b50287d54ae7248c63a5029befb8ae1fd0535ff868583f723aa3
Instruction Fuzzy Hash: 14F06D32320A118FC304DF2DE85486AB7F8FFC971130684AAE209C7721DA71E810CB90

Function 072B8EB2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fc9425bf67ff72c11144e46b514fde0dc762bf77b8db0185506ba60cf2e4ad
Instruction ID: c25018596ceddf6b55d7dddb391fb2403fc7c1fbffc5f06a66480bd6bc82eafd
Opcode Fuzzy Hash: 44fc9425bf67ff72c11144e46b514fde0dc762bf77b8db0185506ba60cf2e4ad
Instruction Fuzzy Hash: EDF0A4303147128FC329DB399844BAA7BAAAFC5754F4540AAE449CB261DF60CD028B91

Function 072BBE58 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd73c1b96f95f1ebdf4b9487a8fcbbd849d21edde672ce4fafc43fcea3ea4ac3
Instruction ID: 1704c009126629dfe7ec18f239c1596fec8ca5ba9fcebe0ce36ac56d71e2766a
Opcode Fuzzy Hash: fd73c1b96f95f1ebdf4b9487a8fcbbd849d21edde672ce4fafc43fcea3ea4ac3
Instruction Fuzzy Hash: 2E0181718246498FCB11FBA4D8848EEBB78FF85310B05C26AD5592B115EB305948CBA2

Function 072B7DEB Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70d3e081ab494aa9cc9264f276a100998c79f94fbf7da894843771c0a5b0faa
Instruction ID: d2a99d9656031fa1ac7db89556f9d49e24ebafa627cc3301c6231547045f84dc
Opcode Fuzzy Hash: d70d3e081ab494aa9cc9264f276a100998c79f94fbf7da894843771c0a5b0faa
Instruction Fuzzy Hash: F901DC30A006198FCB05EBA8D85A9ACBFB1FF81310F018199E6099F366EF718944CBC1

Function 072BEF48 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f7cf44485acaceadd54c800f24a826049ba7c318c985658f4c0c90d108382e4
Instruction ID: b4a917219d17a584780078432ff29ec49cd6711ee34621f81786478cccbf4729
Opcode Fuzzy Hash: 5f7cf44485acaceadd54c800f24a826049ba7c318c985658f4c0c90d108382e4
Instruction Fuzzy Hash: 19E0E5B5B10625439B28753A18604FE724B4FC6F60B65462E5119877D4CD39D80343CA

Function 072B7DF8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abef14b3d31e691e1e485644cabe9ff9b89a7163dc2ae1d2d7169a0db0146a01
Instruction ID: 8cdd992ce875c34d127eb0f2f82af8b04e7a487c8f0ffc7b91b2a83d2c98ff79
Opcode Fuzzy Hash: abef14b3d31e691e1e485644cabe9ff9b89a7163dc2ae1d2d7169a0db0146a01
Instruction Fuzzy Hash: 51F04930A106198FCB05EBA8C8598ADBBB5FF85300F418199E6099B365EF719944CBD5

Function 072B4F08 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc00e5bffbdc8825bf89bfa4b1e9010382807ad7f7cc2175ae0e20767d02e5fd
Instruction ID: 05c798bef1e96f05e966ad832e6b1ed3640482acc5f83cf236f254dd2656c156
Opcode Fuzzy Hash: dc00e5bffbdc8825bf89bfa4b1e9010382807ad7f7cc2175ae0e20767d02e5fd
Instruction Fuzzy Hash: 91F0E53270001963DF263E4D9854AFE3A97EFC8660F14401AFA0587351DAA6DD5293C1

Function 072BBE68 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b1bfe4f819c1124485bc9ced52b60adaaf8ede473d4987dc577ac11ff7207ad
Instruction ID: feeccbe6f18f7ebd7acec7ecbb72766622ed0c1076571f7e999bf8c429de7950
Opcode Fuzzy Hash: 4b1bfe4f819c1124485bc9ced52b60adaaf8ede473d4987dc577ac11ff7207ad
Instruction Fuzzy Hash: B6F062719206099FCB10FAA8D8848EEF778FFC5350B00C21AD51527104EB306948C7A2

Function 072BB6A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ce47b0a663502f2287fdf332de1cfeb3f1374f0e8755949af48fd763afd4b2
Instruction ID: 208c88a4d62b29f5cebf90b3d53c808176f82c8c7b844b61fad0d2fe0756c98d
Opcode Fuzzy Hash: a3ce47b0a663502f2287fdf332de1cfeb3f1374f0e8755949af48fd763afd4b2
Instruction Fuzzy Hash: 09F082B2620109AF9F18DF98D8449DE7FAAEB48350F10806AE405D7214EA70AD108B95

Function 072B2C30 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba0c6cb2cbe1737eb5822439a22d48595de149889ceea05cc5f74c3b54e5d9b
Instruction ID: 1dd47a6f029e9ddc24d55231697b32923c822847d553f581b55dac43023113d7
Opcode Fuzzy Hash: 5ba0c6cb2cbe1737eb5822439a22d48595de149889ceea05cc5f74c3b54e5d9b
Instruction Fuzzy Hash: 8DF0392220E7905FE70313299834BCABF749F17654F2A50D7D1CACBAA3C9185C1A87B2

Function 072B8EC8 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6888add48b07f5d531a655000dcd1ab5ad9c1bdde02fe4cd442a490644867cef
Instruction ID: d258132a640530bfa3165d87ddf709b89a5da75fad8cae635f4be9bd1f497d2b
Opcode Fuzzy Hash: 6888add48b07f5d531a655000dcd1ab5ad9c1bdde02fe4cd442a490644867cef
Instruction Fuzzy Hash: 5BF05E707105128FC728AB2AD444ABA37DAAFC4754F45407AE509C7320DF70DC018BD1

Function 072B1648 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1953eab53b8ec22bc2ee0fa942e291246f3bf97927843c4d051a26bb0b7c3f
Instruction ID: 326db3952cff622c156d219dcbaabf1a58f842c2eee27af0af61eea34a52264e
Opcode Fuzzy Hash: 1b1953eab53b8ec22bc2ee0fa942e291246f3bf97927843c4d051a26bb0b7c3f
Instruction Fuzzy Hash: 29E02B313146451FDB15951CC8109EE7B5B9FCA51071E80F7D154C7B53C9559C0143A1

Function 072B2DAA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c247460fb193275a2d147c61da04d0d9b0f07396ba00f4aa497d858bd2d6835
Instruction ID: 13b56a97ce632d2aaa08e271b97638323e2a76044cfe0fce0e42045490c5b079
Opcode Fuzzy Hash: 6c247460fb193275a2d147c61da04d0d9b0f07396ba00f4aa497d858bd2d6835
Instruction Fuzzy Hash: 5EF01DB2634207CFDBA0DE58E4497E833F1FB45396F400065D505DB1A1C7B8D585CB61

Function 072BEE60 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3418473f60216e6fe89cae48f84cd8967836063c3f1ec0c796e5608304cbda6
Instruction ID: 2938c907eda68f04108d21a157a152cf1514d04b606488a673f0baf0ae334ed1
Opcode Fuzzy Hash: f3418473f60216e6fe89cae48f84cd8967836063c3f1ec0c796e5608304cbda6
Instruction Fuzzy Hash: F1F0F4B0D1030A9FDB94DFA9C845AAEBBF0BB48350F118869E515E7200E7708A01CF91

Function 072BEE70 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7639d3c64e33a4807735908ad3830478a959427bd286c63bfe445d38cd2a5df0
Instruction ID: c08534686b436e6c94852704dae1d042ae259ff0eeb1c39a63ae6c154aa74bd5
Opcode Fuzzy Hash: 7639d3c64e33a4807735908ad3830478a959427bd286c63bfe445d38cd2a5df0
Instruction Fuzzy Hash: FFF03AB0D1020A9FDB54DFA9C841AAEBBF4BB48350F0145AAD518E7200D77095008BD1

Function 072B4F18 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e22336509852c71954b2ec347962edbd922812f9892cebd72e5beca028c51e4
Instruction ID: 24a3b946f9b8522cfda7c5017e55906bf4bd4d6bcbf66c8de8868daac3869549
Opcode Fuzzy Hash: 6e22336509852c71954b2ec347962edbd922812f9892cebd72e5beca028c51e4
Instruction Fuzzy Hash: 96E02032B00419674F263E4994448FE3A9BEFC4660714801BFA04CB310DEF6CD1293D6

Function 072BB41C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1eaa478c325a7377efeb956e09e466ebaa38fa4195afe36ceebda6793bb6b4
Instruction ID: 74b47f2756b29fa059e97ce04f4c8f90ebddf7f486e806f24aa66fe50263b310
Opcode Fuzzy Hash: fe1eaa478c325a7377efeb956e09e466ebaa38fa4195afe36ceebda6793bb6b4
Instruction Fuzzy Hash: F6E06535751204D7D225967C9480BD6B6A6FFC9351F40183DD24A47740CEB2ED028791

Function 072B1658 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b77e20d980458731047b8c360ea7a80a6580f57d84e8d43d43668a6e1b4ec0
Instruction ID: 6934b176c2af10a926a48fd9eb8eab2725eb4f34828a835cf89c8e25b1ea5482
Opcode Fuzzy Hash: b8b77e20d980458731047b8c360ea7a80a6580f57d84e8d43d43668a6e1b4ec0
Instruction Fuzzy Hash: C4E0C2323605160BCE28A50DD8049AE339F9FC9A21B1940BAE104CBB52CDA1DC0103E4

Function 072B173A Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce469b062edb9c4c3eacb1080a3ed7af13b23bc989f48844bb8fc9f00092bf22
Instruction ID: d3f399326f02f32637f37ad62a72ff4f5ea4af14e976524b5d308f88be268f74
Opcode Fuzzy Hash: ce469b062edb9c4c3eacb1080a3ed7af13b23bc989f48844bb8fc9f00092bf22
Instruction Fuzzy Hash: A5E04F3192060CDECB60EE38D5193DE7BE8EB45355F00C539E849DA510FB30D598DB80

Function 072B4EC8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2887cb334a68a5660068647d89cda4a2945ec97a904dc0f325893ae0773bad5d
Instruction ID: a0fcbb101c05998f917a941b5fb66c2612f63a26c2daf812f09efb0b9e72d946
Opcode Fuzzy Hash: 2887cb334a68a5660068647d89cda4a2945ec97a904dc0f325893ae0773bad5d
Instruction Fuzzy Hash: 19E08C3260011D6BDB029E88D845BDA372AFF44250F18802AFE489A611CA329961DBE1

Function 072BB528 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f427d387c1e6ebc38b0dd710ef14871ead1a7f79e28cd315fa101df6bfa5cb
Instruction ID: d7152a07bb0099d6659c2b85f8c2b4963c01b4f877ff5178eeca102c95dca982
Opcode Fuzzy Hash: 01f427d387c1e6ebc38b0dd710ef14871ead1a7f79e28cd315fa101df6bfa5cb
Instruction Fuzzy Hash: C5D02BA13593605BC218152D28D43E6BFDBDB493A1F04042AF54EC3201CD85580442AB

Function 072B2D6E Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff225d5850f2f741f9255417989eecebc61046f09d18112d9d6aa0069009efb
Instruction ID: 960376786685e098c681295040550478031e45122f682fa614cd5404917308fd
Opcode Fuzzy Hash: 1ff225d5850f2f741f9255417989eecebc61046f09d18112d9d6aa0069009efb
Instruction Fuzzy Hash: 0AE04FB2620116CFCF94DF68E848BEC73F2FB84366F4000A4E219DB1A1CB389945CB10

Function 072B1700 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8097a6de153f76326c552f226e92740e3e25e3e4579b7a490bb18414ddbaeb93
Instruction ID: 1886bb67e1578899966312c6809491366d07d0daa0a9a99c2ddb5b073680eef6
Opcode Fuzzy Hash: 8097a6de153f76326c552f226e92740e3e25e3e4579b7a490bb18414ddbaeb93
Instruction Fuzzy Hash: A9E08630205FC18FC302EB38D4458A0BF70AF1760078581E6E089CB523E721D414C702

Function 072B5F38 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aace8390df350e8c3920070c933dc1d434ec24513ba999a49498f6b0e762ef6
Instruction ID: a52d629677288307c230b41566863f2a74e0696a72e89c3141e22266a4594741
Opcode Fuzzy Hash: 5aace8390df350e8c3920070c933dc1d434ec24513ba999a49498f6b0e762ef6
Instruction Fuzzy Hash: E2D05B33550704CFC700EB68D815FD9B7F4FF51245F094175E98DA7220E720D985D640

Function 072B1748 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0e5ba925eb48122903e2b904ea81df231fdcee3245e2141c03d790ba302796
Instruction ID: 3920a76c2057b684ac39b1172bb754783253943820f06ff50877bdc6ff63c989
Opcode Fuzzy Hash: ad0e5ba925eb48122903e2b904ea81df231fdcee3245e2141c03d790ba302796
Instruction Fuzzy Hash: D6E0E27182060DDECBA0EF78E5484DA7BE8EB05351F00C52AE80D9A100FB30D2A8DF80

Function 072B4ED8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f00ab925183d29e68d624eaddc587bb9a3149129bb2be0ea6f9105f4dc65c6c
Instruction ID: 59a86e5825689183d4c8e9b3df8eec92a8d5e0ef7f92d189da29efce3ab3c958
Opcode Fuzzy Hash: 7f00ab925183d29e68d624eaddc587bb9a3149129bb2be0ea6f9105f4dc65c6c
Instruction Fuzzy Hash: 12D05E3250015DBBDF02AE88D840EEA3B69EF04360F04C026FE085B611C772A960ABE1

Function 072BEF10 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8902b1762ca6cbc3f33707a740d675d98a5feb3de83e45b56ba3094a58acbaf8
Instruction ID: dc1f228fbeb0d6f075d4275bab47993950100eba62dacbf031f068a8136e6da4
Opcode Fuzzy Hash: 8902b1762ca6cbc3f33707a740d675d98a5feb3de83e45b56ba3094a58acbaf8
Instruction Fuzzy Hash: ECD012725101099E5B50EE94E840CD277ECBF18740B458422F544C7120E721F424D795

Function 072B1710 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d1d28ba2122f84b52212affe37ac6cdb2fb4c5241efd44bba711055f5a5a03
Instruction ID: 6c94c4edfdb7c6208ca51efabf53063a2dcfb6d7cf9afa77eb407bfe8a2652d9
Opcode Fuzzy Hash: 20d1d28ba2122f84b52212affe37ac6cdb2fb4c5241efd44bba711055f5a5a03
Instruction Fuzzy Hash: DED0C931510A088FC300EB6CD945864B7B4EF45604B450195E1059B221EB21F8548A41

Function 072B2C60 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d05f8c4a2c25d987f0415497c520a7b1f24e7a310dc272bf53dfb3fe0b3f833
Instruction ID: c02eac173423248ea064039d053304c9a5d55696bda59791bebd3ea9ce92780c
Opcode Fuzzy Hash: 2d05f8c4a2c25d987f0415497c520a7b1f24e7a310dc272bf53dfb3fe0b3f833
Instruction Fuzzy Hash: C0C08C2130873857DA052269A028B9FBA8C4B46564F40045EE54E87341CE96180187EA

Function 072B5F48 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2238990934.00000000072B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_72b0000_zhvapfBrgjZdoS.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bca61eacb2bd6dbfeee933445a442b155539e2c21d985f98c4c7f82d2fb0aff
Instruction ID: b38dda1caac4ded8b44202a3f5fd776e97fd9db976e3f9b3b91ef77c5a7cc2a8
Opcode Fuzzy Hash: 2bca61eacb2bd6dbfeee933445a442b155539e2c21d985f98c4c7f82d2fb0aff
Instruction Fuzzy Hash: 57D01231410608CFC300FF68D848D98B7F8FF55301F0582A6E549AB231EB70E994CB91

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Shipping Document.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Shipping Document.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zhvapfBrgjZdoS.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_05kgjhbi.dce.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cgaj0vx3.mbs.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i3pv420m.tkd.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljdam2jb.w0r.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vz1trzsq.iru.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wzpwqtho.imk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yht4xkgj.auu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yln0fgwy.l4n.ps1

C:\Users\user\AppData\Local\Temp\tmp26D7.tmp

C:\Users\user\AppData\Local\Temp\tmp388A.tmp

Windows Analysis Report
Shipping Document.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre