Edit tour

Windows Analysis Report
New purchase order.exe

Overview

General Information

Sample name:	New purchase order.exe
Analysis ID:	1590626
MD5:	1b507df9a13477b647da450a1b79b2e7
SHA1:	b0de85855b3462fe0b37c79831b391eeb044e437
SHA256:	a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91
Tags:	exeuser-cocaman
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

New purchase order.exe (PID: 3064 cmdline: "C:\Users\user\Desktop\New purchase order.exe" MD5: 1B507DF9A13477B647DA450A1B79B2E7)

powershell.exe (PID: 3224 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 3472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5228 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6672 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7152 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cscript.exe (PID: 4784 cmdline: "C:\Windows\SysWOW64\cscript.exe" MD5: CB601B41D4C8074BE8A84AED564A94DC)

cmd.exe (PID: 6932 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chkdsk.exe (PID: 1224 cmdline: "C:\Windows\SysWOW64\chkdsk.exe" MD5: B4016BEE9D8F3AD3D02DD21C3CAFB922)

DjsaCPLWOz.exe (PID: 4896 cmdline: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe MD5: 1B507DF9A13477B647DA450A1B79B2E7)

schtasks.exe (PID: 2084 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmpA46F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 5964 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ustonehuman.info/a01d/"], "decoy": ["eniorshousing05.shop", "rywisevas.biz", "4726.pizza", "itchen-design-42093.bond", "3456.tech", "4825.plus", "nlinecraps.xyz", "itamins-52836.bond", "nfluencer-marketing-40442.bond", "nline-advertising-58573.bond", "rautogroups.net", "limbtrip.net", "oftware-download-14501.bond", "nline-advertising-66733.bond", "erity.xyz", "xknrksi.icu", "x-ist.club", "yber-security-26409.bond", "oincatch.xyz", "onitoring-devices-34077.bond", "hbvc.xyz", "xecadminadvo.vip", "ookers.homes", "irlypods.shop", "nalyzator.fun", "rinciple.press", "ejigghq.company", "nity-officiels.shop", "chtm.info", "ggrupdanismanlik.online", "alterjaviersemolic.online", "6zc.lat", "ukce.fun", "ikretgunay.online", "d8ns7gu.skin", "06ks7.club", "icovideo.voyage", "nlinetutoringcanada776681.icu", "etzero.icu", "228080a0.buzz", "agoslotoke.art", "ruaim.online", "nline-mba-87219.bond", "oldsaver.biz", "agonel.online", "ommbank.video", "indlab.shop", "hesweettray.store", "bilebe.info", "uxemasculine.store", "arkbarron.xyz", "ektor.fun", "8255.pizza", "ike-loans-53803.bond", "ong-ya.info", "costcomembers-wholesale.online", "75396.vip", "leaning-services-53131.bond", "uickcabinet.net", "alifstorch.online", "ahtel.net", "usinessoverpleasure.shop", "duway.pro", "usiness-software-47704.bond"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6c81:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d5c0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb3ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x162e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa338:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa5b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x160e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15bd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x161e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1635f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xafca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14e4c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbcc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c327:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19249:$sqlite3step: 68 34 1C 7B E1 0x1935c:$sqlite3step: 68 34 1C 7B E1 0x19278:$sqlite3text: 68 38 2A 90 C5 0x1939d:$sqlite3text: 68 38 2A 90 C5 0x1928b:$sqlite3blob: 68 53 D8 7F 8C 0x193b3:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.4569837606.0000000010DCB000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa92:$a2: pass 0xa98:$a3: email 0xa9f:$a4: login 0xaa6:$a5: signin 0xab7:$a6: persistent 0xc8a:$r1: C:\Users\user\AppData\Roaming\9K2584DB\9K2log.ini
00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2134617071.0000000004179000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2136893760.0000000005C10000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2133550897.0000000003284000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6a89:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d3c8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb207:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x160ef:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa140:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa3ba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15eed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x159d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15fef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16167:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xadd2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14c54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbacb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c12f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d132:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19051:$sqlite3step: 68 34 1C 7B E1 0x19164:$sqlite3step: 68 34 1C 7B E1 0x19080:$sqlite3text: 68 38 2A 90 C5 0x191a5:$sqlite3text: 68 38 2A 90 C5 0x19093:$sqlite3blob: 68 53 D8 7F 8C 0x191bb:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x81fb9:$a1: 3C 30 50 4F 53 54 74 09 40 0xaf3d9:$a1: 3C 30 50 4F 53 54 74 09 40 0x988f8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc5d18:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x86737:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb3b57:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x9161f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbea3f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85670:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x858ea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb2a90:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb2d0a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9141d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbe83d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x90f09:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbe329:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x9151f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbe93f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x91697:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbeab7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x86302:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb3722:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x90184:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbd5a4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x86ffb:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb441b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x9765f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xc4a7f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x98662:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x94581:$sqlite3step: 68 34 1C 7B E1 0x94694:$sqlite3step: 68 34 1C 7B E1 0xc19a1:$sqlite3step: 68 34 1C 7B E1 0xc1ab4:$sqlite3step: 68 34 1C 7B E1 0x945b0:$sqlite3text: 68 38 2A 90 C5 0x946d5:$sqlite3text: 68 38 2A 90 C5 0xc19d0:$sqlite3text: 68 38 2A 90 C5 0xc1af5:$sqlite3text: 68 38 2A 90 C5 0x945c3:$sqlite3blob: 68 53 D8 7F 8C 0x946eb:$sqlite3blob: 68 53 D8 7F 8C 0xc19e3:$sqlite3blob: 68 53 D8 7F 8C 0xc1b0b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: New purchase order.exe PID: 3064	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: New purchase order.exe PID: 3064	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4ac90:$a1: 3C 30 50 4F 53 54 74 09 40 0x6d1c7:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xd4510:$s2: ~ Shell I 0x20d9e5:$s2: ~ Shell I 0x305534:$s2: ~ Shell I
Process Memory Space: DjsaCPLWOz.exe PID: 4896	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: DjsaCPLWOz.exe PID: 4896	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1a64:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: MSBuild.exe PID: 5964	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x36aba:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cscript.exe PID: 4784	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1ead:$a1: 3C 30 50 4F 53 54 74 09 40 0x302b:$a1: 3C 30 50 4F 53 54 74 09 40 0x8d02b:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: chkdsk.exe PID: 1224	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xc547e:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.MSBuild.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.MSBuild.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
0.2.New purchase order.exe.3564624.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.MSBuild.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.MSBuild.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0.2.New purchase order.exe.5c10000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.New purchase order.exe.5c10000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.New purchase order.exe.3564624.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.New purchase order.exe.33427f4.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.New purchase order.exe.3289e88.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New purchase order.exe", ParentImage: C:\Users\user\Desktop\New purchase order.exe, ParentProcessId: 3064, ParentProcessName: New purchase order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe", ProcessId: 3224, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmpA46F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmpA46F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe, ParentImage: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe, ParentProcessId: 4896, ParentProcessName: DjsaCPLWOz.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmpA46F.tmp", ProcessId: 2084, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New purchase order.exe", ParentImage: C:\Users\user\Desktop\New purchase order.exe, ParentProcessId: 3064, ParentProcessName: New purchase order.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp", ProcessId: 6672, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\New purchase order.exe", ParentImage: C:\Users\user\Desktop\New purchase order.exe, ParentProcessId: 3064, ParentProcessName: New purchase order.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe", ProcessId: 3224, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\New purchase order.exe", ParentImage: C:\Users\user\Desktop\New purchase order.exe, ParentProcessId: 3064, ParentProcessName: New purchase order.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp", ProcessId: 6672, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.hbvc.xyz/a01d/	Avira URL Cloud: Label: phishing
Source: http://www.hbvc.xyz/a01d/www.usinessoverpleasure.shop	Avira URL Cloud: Label: phishing
Source: http://www.hbvc.xyz	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ustonehuman.info/a01d/"], "decoy": ["eniorshousing05.shop", "rywisevas.biz", "4726.pizza", "itchen-design-42093.bond", "3456.tech", "4825.plus", "nlinecraps.xyz", "itamins-52836.bond", "nfluencer-marketing-40442.bond", "nline-advertising-58573.bond", "rautogroups.net", "limbtrip.net", "oftware-download-14501.bond", "nline-advertising-66733.bond", "erity.xyz", "xknrksi.icu", "x-ist.club", "yber-security-26409.bond", "oincatch.xyz", "onitoring-devices-34077.bond", "hbvc.xyz", "xecadminadvo.vip", "ookers.homes", "irlypods.shop", "nalyzator.fun", "rinciple.press", "ejigghq.company", "nity-officiels.shop", "chtm.info", "ggrupdanismanlik.online", "alterjaviersemolic.online", "6zc.lat", "ukce.fun", "ikretgunay.online", "d8ns7gu.skin", "06ks7.club", "icovideo.voyage", "nlinetutoringcanada776681.icu", "etzero.icu", "228080a0.buzz", "agoslotoke.art", "ruaim.online", "nline-mba-87219.bond", "oldsaver.biz", "agonel.online", "ommbank.video", "indlab.shop", "hesweettray.store", "bilebe.info", "uxemasculine.store", "arkbarron.xyz", "ektor.fun", "8255.pizza", "ike-loans-53803.bond", "ong-ya.info", "costcomembers-wholesale.online", "75396.vip", "leaning-services-53131.bond", "uickcabinet.net", "alifstorch.online", "ahtel.net", "usinessoverpleasure.shop", "duway.pro", "usiness-software-47704.bond"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: New purchase order.exe	Virustotal: Detection: 36%			Perma Link
Source: New purchase order.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: New purchase order.exe

Joe Sandbox ML: detected

Source: New purchase order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: New purchase order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cscript.pdbUGP source: MSBuild.exe, 0000000F.00000002.2182083079.0000000003350000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2178927625.0000000001158000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4558737099.0000000000490000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: faZh.pdbSHA256 source: New purchase order.exe, DjsaCPLWOz.exe.0.dr
Source:	Binary string: chkdsk.pdbGCTL source: MSBuild.exe, 00000009.00000002.2184612576.0000000001450000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2184305774.0000000001228000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192669096.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: MSBuild.exe, 00000009.00000002.2184612576.0000000001450000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2184305774.0000000001228000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192669096.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.4569561657.00000000104FF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4561289762.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4559527624.00000000031C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000003.2180451919.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000003.2178527747.0000000004B5B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192857144.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2183744457.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2187189233.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192857144.0000000004DFE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: faZh.pdb source: New purchase order.exe, DjsaCPLWOz.exe.0.dr
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000010.00000003.2180451919.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000003.2178527747.0000000004B5B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192857144.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2183744457.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2187189233.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192857144.0000000004DFE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cscript.pdb source: MSBuild.exe, 0000000F.00000002.2182083079.0000000003350000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2178927625.0000000001158000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000010.00000002.4558737099.0000000000490000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_004A2674 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,__alloca_probe_16,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,

16_2_004A2674

Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 4x nop then jmp 07CF43BAh	0_2_07CF3D44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then pop edi	15_2_00416CBB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 4x nop then pop edi	16_2_02E56CBB

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ustonehuman.info/a01d/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.nlinecraps.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: www.ustonehuman.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ruaim.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ommbank.video replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.irlypods.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.chtm.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ejigghq.company replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.uxemasculine.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.nlinecraps.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.limbtrip.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.hesweettray.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.228080a0.buzz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.onitoring-devices-34077.bond replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.ommbank.video
Source: global traffic	DNS traffic detected: DNS query: www.ruaim.online
Source: global traffic	DNS traffic detected: DNS query: www.onitoring-devices-34077.bond
Source: global traffic	DNS traffic detected: DNS query: www.irlypods.shop
Source: global traffic	DNS traffic detected: DNS query: www.chtm.info
Source: global traffic	DNS traffic detected: DNS query: www.hesweettray.store
Source: global traffic	DNS traffic detected: DNS query: www.228080a0.buzz
Source: global traffic	DNS traffic detected: DNS query: www.uxemasculine.store
Source: global traffic	DNS traffic detected: DNS query: www.nlinecraps.xyz
Source: global traffic	DNS traffic detected: DNS query: www.ustonehuman.info
Source: global traffic	DNS traffic detected: DNS query: www.limbtrip.net
Source: global traffic	DNS traffic detected: DNS query: www.ejigghq.company

Source: explorer.exe, 0000000A.00000002.4564685923.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4564685923.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000A.00000002.4564685923.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4564685923.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000002.4564685923.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4564685923.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000A.00000002.4564685923.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4564685923.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000002.4564685923.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000002.4563775247.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2115248877.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2122412017.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: New purchase order.exe, 00000000.00000002.2133550897.0000000003186000.00000004.00000800.00020000.00000000.sdmp, DjsaCPLWOz.exe, 0000000C.00000002.2164910003.00000000028E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: New purchase order.exe, DjsaCPLWOz.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.228080a0.buzz
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.228080a0.buzz/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.228080a0.buzz/a01d/www.uxemasculine.store
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.228080a0.buzzReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chtm.info
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chtm.info/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chtm.info/a01d/www.hesweettray.store
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.chtm.infoReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.d8ns7gu.skin
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.d8ns7gu.skin/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.d8ns7gu.skin/a01d/www.nline-advertising-58573.bond
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.d8ns7gu.skinReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ejigghq.company
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ejigghq.company/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ejigghq.company/a01d/www.d8ns7gu.skin
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ejigghq.companyReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hbvc.xyz
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hbvc.xyz/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hbvc.xyz/a01d/www.usinessoverpleasure.shop
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hbvc.xyzReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hesweettray.store
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hesweettray.store/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hesweettray.store/a01d/www.228080a0.buzz
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hesweettray.storeReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irlypods.shop
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irlypods.shop/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irlypods.shop/a01d/www.chtm.info
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irlypods.shopReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.limbtrip.net
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.limbtrip.net/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.limbtrip.net/a01d/www.ejigghq.company
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.limbtrip.netReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nline-advertising-58573.bond
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nline-advertising-58573.bond/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nline-advertising-58573.bond/a01d/www.hbvc.xyz
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nline-advertising-58573.bondReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nlinecraps.xyz
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nlinecraps.xyz/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nlinecraps.xyz/a01d/www.ustonehuman.info
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nlinecraps.xyzReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ommbank.video
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ommbank.video/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ommbank.video/a01d/www.ruaim.online
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ommbank.videoReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onitoring-devices-34077.bond
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onitoring-devices-34077.bond/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onitoring-devices-34077.bond/a01d/www.irlypods.shop
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onitoring-devices-34077.bondReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruaim.online
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruaim.online/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruaim.online/a01d/www.onitoring-devices-34077.bond
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ruaim.onlineReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usinessoverpleasure.shop
Source: explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usinessoverpleasure.shop/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.usinessoverpleasure.shopReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ustonehuman.info
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ustonehuman.info/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ustonehuman.info/a01d/www.limbtrip.net
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ustonehuman.infoReferer:
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uxemasculine.store
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uxemasculine.store/a01d/
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uxemasculine.store/a01d/www.nlinecraps.xyz
Source: explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uxemasculine.storeReferer:
Source: explorer.exe, 0000000A.00000003.2979316978.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2132453518.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076449895.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000000A.00000000.2136477465.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000002.4564685923.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000002.4564685923.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 0000000A.00000002.4564685923.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000002.4564685923.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 0000000A.00000002.4564685923.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000002.4564685923.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000002.4562814874.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000A.00000002.4562814874.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 0000000A.00000000.2136477465.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4567724151.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2980918529.000000000C086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 0000000A.00000000.2136477465.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4567724151.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2980918529.000000000C086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 0000000A.00000002.4567536413.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2136477465.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000003.2979316978.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565119704.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2132453518.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076449895.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 0000000A.00000000.2136477465.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4567724151.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2980918529.000000000C086000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4562814874.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4569837606.0000000010DCB000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: New purchase order.exe PID: 3064, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: DjsaCPLWOz.exe PID: 4896, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 5964, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cscript.exe PID: 4784, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 1224, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New purchase order.exe

Source: C:\Windows\explorer.exe	Code function: 10_2_10DB4E12 NtProtectVirtualMemory,	10_2_10DB4E12
Source: C:\Windows\explorer.exe	Code function: 10_2_10DB3232 NtCreateFile,	10_2_10DB3232
Source: C:\Windows\explorer.exe	Code function: 10_2_10DB4E0A NtProtectVirtualMemory,	10_2_10DB4E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A330 NtCreateFile,	15_2_0041A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A3E0 NtReadFile,	15_2_0041A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A460 NtClose,	15_2_0041A460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A510 NtAllocateVirtualMemory,	15_2_0041A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A3DD NtReadFile,	15_2_0041A3DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A45A NtClose,	15_2_0041A45A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A50A NtAllocateVirtualMemory,	15_2_0041A50A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702B60 NtClose,LdrInitializeThunk,	15_2_01702B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_01702BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702AD0 NtReadFile,LdrInitializeThunk,	15_2_01702AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_01702D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_01702D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_01702DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702DD0 NtDelayExecution,LdrInitializeThunk,	15_2_01702DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_01702C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_01702CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702F30 NtCreateSection,LdrInitializeThunk,	15_2_01702F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702FE0 NtCreateFile,LdrInitializeThunk,	15_2_01702FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702FB0 NtResumeThread,LdrInitializeThunk,	15_2_01702FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702F90 NtProtectVirtualMemory,LdrInitializeThunk,	15_2_01702F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_01702EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_01702E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01704340 NtSetContextThread,	15_2_01704340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01704650 NtSuspendThread,	15_2_01704650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702BE0 NtQueryValueKey,	15_2_01702BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702BA0 NtEnumerateValueKey,	15_2_01702BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702B80 NtQueryInformationFile,	15_2_01702B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702AF0 NtWriteFile,	15_2_01702AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702AB0 NtWaitForSingleObject,	15_2_01702AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702D00 NtSetInformationFile,	15_2_01702D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702DB0 NtEnumerateKey,	15_2_01702DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702C60 NtCreateKey,	15_2_01702C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702C00 NtQueryInformationProcess,	15_2_01702C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702CF0 NtOpenProcess,	15_2_01702CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702CC0 NtQueryVirtualMemory,	15_2_01702CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702F60 NtCreateProcessEx,	15_2_01702F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702FA0 NtQuerySection,	15_2_01702FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702E30 NtWriteVirtualMemory,	15_2_01702E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702EE0 NtQueueApcThread,	15_2_01702EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01703010 NtOpenDirectoryObject,	15_2_01703010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01703090 NtSetValueKey,	15_2_01703090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017035C0 NtCreateMutant,	15_2_017035C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017039B0 NtGetContextThread,	15_2_017039B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01703D70 NtOpenThread,	15_2_01703D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01703D10 NtOpenProcessToken,	15_2_01703D10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22CA0 NtQueryInformationToken,LdrInitializeThunk,	16_2_04F22CA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22C70 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_04F22C70
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22C60 NtCreateKey,LdrInitializeThunk,	16_2_04F22C60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22DF0 NtQuerySystemInformation,LdrInitializeThunk,	16_2_04F22DF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22DD0 NtDelayExecution,LdrInitializeThunk,	16_2_04F22DD0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22D10 NtMapViewOfSection,LdrInitializeThunk,	16_2_04F22D10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_04F22EA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22FE0 NtCreateFile,LdrInitializeThunk,	16_2_04F22FE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22F30 NtCreateSection,LdrInitializeThunk,	16_2_04F22F30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22AD0 NtReadFile,LdrInitializeThunk,	16_2_04F22AD0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	16_2_04F22BF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22BE0 NtQueryValueKey,LdrInitializeThunk,	16_2_04F22BE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22B60 NtClose,LdrInitializeThunk,	16_2_04F22B60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F235C0 NtCreateMutant,LdrInitializeThunk,	16_2_04F235C0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F24650 NtSuspendThread,	16_2_04F24650
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F24340 NtSetContextThread,	16_2_04F24340
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22CF0 NtOpenProcess,	16_2_04F22CF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22CC0 NtQueryVirtualMemory,	16_2_04F22CC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22C00 NtQueryInformationProcess,	16_2_04F22C00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22DB0 NtEnumerateKey,	16_2_04F22DB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22D30 NtUnmapViewOfSection,	16_2_04F22D30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22D00 NtSetInformationFile,	16_2_04F22D00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22EE0 NtQueueApcThread,	16_2_04F22EE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22E80 NtReadVirtualMemory,	16_2_04F22E80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22E30 NtWriteVirtualMemory,	16_2_04F22E30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22FB0 NtResumeThread,	16_2_04F22FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22FA0 NtQuerySection,	16_2_04F22FA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22F90 NtProtectVirtualMemory,	16_2_04F22F90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22F60 NtCreateProcessEx,	16_2_04F22F60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22AF0 NtWriteFile,	16_2_04F22AF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22AB0 NtWaitForSingleObject,	16_2_04F22AB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22BA0 NtEnumerateValueKey,	16_2_04F22BA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F22B80 NtQueryInformationFile,	16_2_04F22B80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F23090 NtSetValueKey,	16_2_04F23090
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F23010 NtOpenDirectoryObject,	16_2_04F23010
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F23D70 NtOpenThread,	16_2_04F23D70
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F23D10 NtOpenProcessToken,	16_2_04F23D10
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F239B0 NtGetContextThread,	16_2_04F239B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5A3E0 NtReadFile,	16_2_02E5A3E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5A330 NtCreateFile,	16_2_02E5A330
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5A460 NtClose,	16_2_02E5A460
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5A510 NtAllocateVirtualMemory,	16_2_02E5A510
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5A3DD NtReadFile,	16_2_02E5A3DD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5A45A NtClose,	16_2_02E5A45A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5A50A NtAllocateVirtualMemory,	16_2_02E5A50A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CFA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	16_2_04CFA036
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CF9BAF NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	16_2_04CF9BAF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CFA042 NtQueryInformationProcess,	16_2_04CFA042
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CF9BB2 NtCreateSection,NtMapViewOfSection,	16_2_04CF9BB2

Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_01704204	0_2_01704204
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_01707018	0_2_01707018
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_0170D8EC	0_2_0170D8EC
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D7F5B0	0_2_05D7F5B0
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D7E7C8	0_2_05D7E7C8
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D75180	0_2_05D75180
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D7C008	0_2_05D7C008
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D7E390	0_2_05D7E390
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D7EC00	0_2_05D7EC00
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D7BFC8	0_2_05D7BFC8
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D7BFF8	0_2_05D7BFF8
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D7CF88	0_2_05D7CF88
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D73F48	0_2_05D73F48
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D73F70	0_2_05D73F70
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_05D7EBF0	0_2_05D7EBF0
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_07CF1070	0_2_07CF1070
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_07CF4668	0_2_07CF4668
Source: C:\Users\user\Desktop\New purchase order.exe	Code function: 0_2_07CF69E8	0_2_07CF69E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0100	9_2_016B0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01706000	9_2_01706000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CE3F0	9_2_016CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017402C0	9_2_017402C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0535	9_2_016C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017165D0	9_2_017165D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017165B2	9_2_017165B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E4750	9_2_016E4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DC6E0	9_2_016DC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D6962	9_2_016D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CA840	9_2_016CA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B28F0	9_2_016B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A68F1	9_2_016A68F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE8F0	9_2_016EE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F8890	9_2_016F8890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2A45	9_2_016C2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CED7A	9_2_016CED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CAD00	9_2_016CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C8DC0	9_2_016C8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D8DBF	9_2_016D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0C00	9_2_016C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0CF2	9_2_016B0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01734F40	9_2_01734F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01702F28	9_2_01702F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E0F30	9_2_016E0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B2FC8	9_2_016B2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173EFA0	9_2_0173EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0E59	9_2_016C0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D2ED9	9_2_016D2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F516C	9_2_016F516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AF172	9_2_016AF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CB1B0	9_2_016CB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C33F3	9_2_016C33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DD2F0	9_2_016DD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C52A0	9_2_016C52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017074E0	9_2_017074E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C3497	9_2_016C3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CB730	9_2_016CB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B1979	9_2_016B1979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C9950	9_2_016C9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DB950	9_2_016DB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C59DA	9_2_016C59DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172D800	9_2_0172D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C38E0	9_2_016C38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01735BF0	9_2_01735BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016FDBF9	9_2_016FDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DFB80	9_2_016DFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01733A6C	9_2_01733A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C3D40	9_2_016C3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DFDC0	9_2_016DFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01739C32	9_2_01739C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D9C20	9_2_016D9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C1F92	9_2_016C1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C9EB0	9_2_016C9EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_0E21C232	10_2_0E21C232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E216B30	10_2_0E216B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E216B32	10_2_0E216B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E21B036	10_2_0E21B036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E212082	10_2_0E212082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E213D02	10_2_0E213D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E219912	10_2_0E219912
Source: C:\Windows\explorer.exe	Code function: 10_2_0E21F5CD	10_2_0E21F5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0E35B232	10_2_0E35B232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E355B30	10_2_0E355B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E355B32	10_2_0E355B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E35A036	10_2_0E35A036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E351082	10_2_0E351082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E358912	10_2_0E358912
Source: C:\Windows\explorer.exe	Code function: 10_2_0E352D02	10_2_0E352D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E35E5CD	10_2_0E35E5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10DB3232	10_2_10DB3232
Source: C:\Windows\explorer.exe	Code function: 10_2_10DA9082	10_2_10DA9082
Source: C:\Windows\explorer.exe	Code function: 10_2_10DB2036	10_2_10DB2036
Source: C:\Windows\explorer.exe	Code function: 10_2_10DB65CD	10_2_10DB65CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10DB0912	10_2_10DB0912
Source: C:\Windows\explorer.exe	Code function: 10_2_10DAAD02	10_2_10DAAD02
Source: C:\Windows\explorer.exe	Code function: 10_2_10DADB32	10_2_10DADB32
Source: C:\Windows\explorer.exe	Code function: 10_2_10DADB30	10_2_10DADB30
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Code function: 12_2_00E34204	12_2_00E34204
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Code function: 12_2_00E37018	12_2_00E37018
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Code function: 12_2_00E3D8EC	12_2_00E3D8EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00401030	15_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D8ED	15_2_0041D8ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D99C	15_2_0041D99C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041E2C2	15_2_0041E2C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041DAE1	15_2_0041DAE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041DB20	15_2_0041DB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041EBF3	15_2_0041EBF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041E493	15_2_0041E493
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D576	15_2_0041D576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041DD02	15_2_0041DD02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00409E60	15_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01758158	15_2_01758158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C0100	15_2_016C0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0176A118	15_2_0176A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017881CC	15_2_017881CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017901AA	15_2_017901AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017841A2	15_2_017841A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01762000	15_2_01762000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178A352	15_2_0178A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DE3F0	15_2_016DE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017903E6	15_2_017903E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01770274	15_2_01770274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017502C0	15_2_017502C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D0535	15_2_016D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01790591	15_2_01790591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01782446	15_2_01782446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01774420	15_2_01774420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0177E4F6	15_2_0177E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D0770	15_2_016D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016F4750	15_2_016F4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016CC7C0	15_2_016CC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EC6E0	15_2_016EC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016E6962	15_2_016E6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D29A0	15_2_016D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0179A9A6	15_2_0179A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D2840	15_2_016D2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DA840	15_2_016DA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016FE8F0	15_2_016FE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016B68B8	15_2_016B68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178AB40	15_2_0178AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01786BD7	15_2_01786BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016CEA80	15_2_016CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0176CD1F	15_2_0176CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DAD00	15_2_016DAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016CADE0	15_2_016CADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016E8DBF	15_2_016E8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D0C00	15_2_016D0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C0CF2	15_2_016C0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01770CB5	15_2_01770CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01744F40	15_2_01744F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01772F30	15_2_01772F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01712F28	15_2_01712F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016F0F30	15_2_016F0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DCFE0	15_2_016DCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C2FC8	15_2_016C2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0174EFA0	15_2_0174EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D0E59	15_2_016D0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178EE26	15_2_0178EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178EEDB	15_2_0178EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178CE93	15_2_0178CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016E2E90	15_2_016E2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0179B16B	15_2_0179B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016BF172	15_2_016BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0170516C	15_2_0170516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DB1B0	15_2_016DB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017870E9	15_2_017870E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178F0E0	15_2_0178F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D70C0	15_2_016D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0177F0CC	15_2_0177F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016BD34C	15_2_016BD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178132D	15_2_0178132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0171739A	15_2_0171739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017712ED	15_2_017712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EB2C0	15_2_016EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D52A0	15_2_016D52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01787571	15_2_01787571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017995C3	15_2_017995C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0176D5B0	15_2_0176D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C1460	15_2_016C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178F43F	15_2_0178F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178F7B0	15_2_0178F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01715630	15_2_01715630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017816CC	15_2_017816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D9950	15_2_016D9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EB950	15_2_016EB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01765910	15_2_01765910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0173D800	15_2_0173D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D38E0	15_2_016D38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FB76	15_2_0178FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01745BF0	15_2_01745BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0170DBF9	15_2_0170DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EFB80	15_2_016EFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01743A6C	15_2_01743A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FA49	15_2_0178FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01787A46	15_2_01787A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0177DAC6	15_2_0177DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01715AA0	15_2_01715AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01771AA3	15_2_01771AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0176DAAC	15_2_0176DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01787D73	15_2_01787D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01781D5A	15_2_01781D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D3D40	15_2_016D3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EFDC0	15_2_016EFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01749C32	15_2_01749C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FCF2	15_2_0178FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FF09	15_2_0178FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01693FD2	15_2_01693FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01693FD5	15_2_01693FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FFB1	15_2_0178FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D1F92	15_2_016D1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D9EB0	15_2_016D9EB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_00497110	16_2_00497110
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F9E4F6	16_2_04F9E4F6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA2446	16_2_04FA2446
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F94420	16_2_04F94420
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FB0591	16_2_04FB0591
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF0535	16_2_04EF0535
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F0C6E0	16_2_04F0C6E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EEC7C0	16_2_04EEC7C0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF0770	16_2_04EF0770
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F14750	16_2_04F14750
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F82000	16_2_04F82000
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA81CC	16_2_04FA81CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FB01AA	16_2_04FB01AA
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA41A2	16_2_04FA41A2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F78158	16_2_04F78158
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F8A118	16_2_04F8A118
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EE0100	16_2_04EE0100
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F702C0	16_2_04F702C0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F90274	16_2_04F90274
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FB03E6	16_2_04FB03E6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EFE3F0	16_2_04EFE3F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAA352	16_2_04FAA352
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EE0CF2	16_2_04EE0CF2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F90CB5	16_2_04F90CB5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF0C00	16_2_04EF0C00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EEADE0	16_2_04EEADE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F08DBF	16_2_04F08DBF
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F8CD1F	16_2_04F8CD1F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EFAD00	16_2_04EFAD00
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAEEDB	16_2_04FAEEDB
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F02E90	16_2_04F02E90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FACE93	16_2_04FACE93
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF0E59	16_2_04EF0E59
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAEE26	16_2_04FAEE26
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EFCFE0	16_2_04EFCFE0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EE2FC8	16_2_04EE2FC8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F6EFA0	16_2_04F6EFA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F64F40	16_2_04F64F40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F10F30	16_2_04F10F30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F92F30	16_2_04F92F30
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F32F28	16_2_04F32F28
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F1E8F0	16_2_04F1E8F0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04ED68B8	16_2_04ED68B8
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF2840	16_2_04EF2840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EFA840	16_2_04EFA840
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF29A0	16_2_04EF29A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FBA9A6	16_2_04FBA9A6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F06962	16_2_04F06962
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EEEA80	16_2_04EEEA80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA6BD7	16_2_04FA6BD7
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAAB40	16_2_04FAAB40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EE1460	16_2_04EE1460
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAF43F	16_2_04FAF43F
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FB95C3	16_2_04FB95C3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F8D5B0	16_2_04F8D5B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA7571	16_2_04FA7571
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA16CC	16_2_04FA16CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F35630	16_2_04F35630
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAF7B0	16_2_04FAF7B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA70E9	16_2_04FA70E9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAF0E0	16_2_04FAF0E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF70C0	16_2_04EF70C0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F9F0CC	16_2_04F9F0CC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EFB1B0	16_2_04EFB1B0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FBB16B	16_2_04FBB16B
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F2516C	16_2_04F2516C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EDF172	16_2_04EDF172
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F912ED	16_2_04F912ED
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F0B2C0	16_2_04F0B2C0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF52A0	16_2_04EF52A0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F3739A	16_2_04F3739A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EDD34C	16_2_04EDD34C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA132D	16_2_04FA132D
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAFCF2	16_2_04FAFCF2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F69C32	16_2_04F69C32
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F0FDC0	16_2_04F0FDC0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA7D73	16_2_04FA7D73
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA1D5A	16_2_04FA1D5A
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF3D40	16_2_04EF3D40
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF9EB0	16_2_04EF9EB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EB3FD2	16_2_04EB3FD2
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EB3FD5	16_2_04EB3FD5
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAFFB1	16_2_04FAFFB1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF1F92	16_2_04EF1F92
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAFF09	16_2_04FAFF09
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF38E0	16_2_04EF38E0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F5D800	16_2_04F5D800
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F0B950	16_2_04F0B950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EF9950	16_2_04EF9950
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F85910	16_2_04F85910
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F9DAC6	16_2_04F9DAC6
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F35AA0	16_2_04F35AA0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F8DAAC	16_2_04F8DAAC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F91AA3	16_2_04F91AA3
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F63A6C	16_2_04F63A6C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAFA49	16_2_04FAFA49
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FA7A46	16_2_04FA7A46
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F65BF0	16_2_04F65BF0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F2DBF9	16_2_04F2DBF9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04F0FB80	16_2_04F0FB80
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04FAFB76	16_2_04FAFB76
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5D576	16_2_02E5D576
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5DAE1	16_2_02E5DAE1
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5DB20	16_2_02E5DB20
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5D8ED	16_2_02E5D8ED
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5D99C	16_2_02E5D99C
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E49E60	16_2_02E49E60
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E42FB0	16_2_02E42FB0
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E42D90	16_2_02E42D90
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_02E5DD02	16_2_02E5DD02
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CFA036	16_2_04CFA036
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CFE5CD	16_2_04CFE5CD
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CF2D02	16_2_04CF2D02
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CF1082	16_2_04CF1082
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CF8912	16_2_04CF8912
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CFB232	16_2_04CFB232
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CF5B32	16_2_04CF5B32
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04CF5B30	16_2_04CF5B30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0173EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0174F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01707E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0172EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 016BB970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01705130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01717E54 appears 111 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 04F37E54 appears 111 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 04F5EA12 appears 86 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 04F25130 appears 58 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 04EDB970 appears 280 times
Source: C:\Windows\SysWOW64\cscript.exe	Code function: String function: 04F6F290 appears 105 times

Source: New purchase order.exe, 00000000.00000002.2133550897.0000000003284000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs New purchase order.exe
Source: New purchase order.exe, 00000000.00000002.2134617071.0000000004179000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs New purchase order.exe
Source: New purchase order.exe, 00000000.00000002.2136893760.0000000005C10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs New purchase order.exe
Source: New purchase order.exe, 00000000.00000002.2131239357.000000000142E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs New purchase order.exe
Source: New purchase order.exe, 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs New purchase order.exe
Source: New purchase order.exe, 00000000.00000002.2138134759.0000000007D30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs New purchase order.exe
Source: New purchase order.exe, 00000000.00000000.2091966424.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefaZh.exeB vs New purchase order.exe
Source: New purchase order.exe	Binary or memory string: OriginalFilenamefaZh.exeB vs New purchase order.exe

Source: New purchase order.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4569837606.0000000010DCB000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: New purchase order.exe PID: 3064, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: DjsaCPLWOz.exe PID: 4896, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 5964, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cscript.exe PID: 4784, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 1224, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: New purchase order.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DjsaCPLWOz.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 0000000A.00000002.4569561657.00000000104FF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4561289762.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4559527624.00000000031C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: explorer.exe, 0000000A.00000002.4569561657.00000000104FF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4561289762.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4559527624.00000000031C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: explorer.exe, 0000000A.00000002.4569561657.00000000104FF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4561289762.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4559527624.00000000031C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: explorer.exe, 0000000A.00000002.4569561657.00000000104FF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4561289762.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4559527624.00000000031C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *.sln
Source: explorer.exe, 0000000A.00000002.4569561657.00000000104FF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4561289762.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4559527624.00000000031C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: explorer.exe, 0000000A.00000002.4569561657.00000000104FF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4561289762.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4559527624.00000000031C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: explorer.exe, 0000000A.00000002.4569561657.00000000104FF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4561289762.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4559527624.00000000031C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@418/15@12/0

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_0049BCDF FormatMessageW,SysAllocString,LocalFree,GetLastError,WideCharToMultiByte,__alloca_probe_16,WideCharToMultiByte,FormatMessageA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,LocalFree,

16_2_0049BCDF

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_004964E0 CLSIDFromString,CoCreateInstance,

16_2_004964E0

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_004A82B5 FindResourceExW,LoadResource,

16_2_004A82B5

Source: C:\Users\user\Desktop\New purchase order.exe

File created: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2244:120:WilError_03
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Mutant created: \Sessions\1\BaseNamedObjects\gYgDmNdWFmoyLWHOnNsAj
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_03

Source: C:\Users\user\Desktop\New purchase order.exe

File created: C:\Users\user\AppData\Local\Temp\tmp96C3.tmp

Jump to behavior

Source: New purchase order.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: New purchase order.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\New purchase order.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\New purchase order.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: New purchase order.exe, 00000000.00000000.2091966424.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, DjsaCPLWOz.exe.0.dr

Binary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);

Source: New purchase order.exe	Virustotal: Detection: 36%
Source: New purchase order.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\New purchase order.exe

File read: C:\Users\user\Desktop\New purchase order.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\New purchase order.exe "C:\Users\user\Desktop\New purchase order.exe"
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmpA46F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmpA46F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\chkdsk.exe	Section loaded: devobj.dll

Source: C:\Users\user\Desktop\New purchase order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\New purchase order.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: New purchase order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: New purchase order.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: New purchase order.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cscript.pdbUGP source: MSBuild.exe, 0000000F.00000002.2182083079.0000000003350000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2178927625.0000000001158000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4558737099.0000000000490000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: faZh.pdbSHA256 source: New purchase order.exe, DjsaCPLWOz.exe.0.dr
Source:	Binary string: chkdsk.pdbGCTL source: MSBuild.exe, 00000009.00000002.2184612576.0000000001450000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2184305774.0000000001228000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192669096.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: chkdsk.pdb source: MSBuild.exe, 00000009.00000002.2184612576.0000000001450000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2184305774.0000000001228000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192669096.0000000000C50000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.4569561657.00000000104FF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4561289762.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000010.00000002.4559527624.00000000031C8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000003.2180451919.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000003.2178527747.0000000004B5B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192857144.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2183744457.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2187189233.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192857144.0000000004DFE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: faZh.pdb source: New purchase order.exe, DjsaCPLWOz.exe.0.dr
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000010.00000003.2180451919.0000000004D02000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000010.00000003.2178527747.0000000004B5B000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192857144.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2183744457.00000000008C9000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000003.2187189233.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000011.00000002.2192857144.0000000004DFE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cscript.pdb source: MSBuild.exe, 0000000F.00000002.2182083079.0000000003350000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2178927625.0000000001158000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000010.00000002.4558737099.0000000000490000.00000040.80000000.00040000.00000000.sdmp

Source: New purchase order.exe

Static PE information: 0xED1B63D8 [Sat Jan 21 14:40:24 2096 UTC]

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_0049AA82 LoadLibraryW,GetProcAddress,FreeLibrary,

16_2_0049AA82

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B09AD push ecx; mov dword ptr [esp], ecx	9_2_016B09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01681328 push eax; iretd	9_2_01681369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01681FEC push eax; iretd	9_2_01681FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01707E99 push ecx; ret	9_2_01707EAC
Source: C:\Windows\explorer.exe	Code function: 10_2_0E21FB02 push esp; retn 0000h	10_2_0E21FB03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E21FB1E push esp; retn 0000h	10_2_0E21FB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E21F9B5 push esp; retn 0000h	10_2_0E21FAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0E35EB1E push esp; retn 0000h	10_2_0E35EB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E35EB02 push esp; retn 0000h	10_2_0E35EB03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E2C0001 push ebp; retf	10_2_0E2C000B
Source: C:\Windows\explorer.exe	Code function: 10_2_0E35E9B5 push esp; retn 0000h	10_2_0E35EAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10DB69B5 push esp; retn 0000h	10_2_10DB6AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10DB6B1E push esp; retn 0000h	10_2_10DB6B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_10DB6B02 push esp; retn 0000h	10_2_10DB6B03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041792C push cs; ret	15_2_0041792D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00416A45 push 573B2D1Ch; iretd	15_2_00416A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00416B05 push es; retf	15_2_00416B06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D4D2 push eax; ret	15_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D4DB push eax; ret	15_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D485 push eax; ret	15_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041E509 push dword ptr [6EBCD4A2h]; ret	15_2_0041E521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D53C push eax; ret	15_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0169225F pushad ; ret	15_2_016927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016927FA pushad ; ret	15_2_016927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C09AD push ecx; mov dword ptr [esp], ecx	15_2_016C09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0169283D push eax; iretd	15_2_01692858
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0049DF11 push ecx; ret	16_2_0049DF24
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EB27FA pushad ; ret	16_2_04EB27F9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EB225F pushad ; ret	16_2_04EB27F9
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EB283D push eax; iretd	16_2_04EB2858
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_04EE09AD push ecx; mov dword ptr [esp], ecx	16_2_04EE09B6

Source: New purchase order.exe	Static PE information: section name: .text entropy: 7.70487272734604
Source: DjsaCPLWOz.exe.0.dr	Static PE information: section name: .text entropy: 7.70487272734604

Source: C:\Users\user\Desktop\New purchase order.exe

File created: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\New purchase order.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: New purchase order.exe PID: 3064, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: DjsaCPLWOz.exe PID: 4896, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\cscript.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 2E49904 second address: 2E4990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 2E49B7E second address: 2E49B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 149904 second address: 14990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe	RDTSC instruction interceptor: First address: 149B7E second address: 149B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\New purchase order.exe	Memory allocated: 16B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Memory allocated: 5150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Memory allocated: 91F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Memory allocated: A1F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Memory allocated: A3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Memory allocated: B3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Memory allocated: DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Memory allocated: 28B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Memory allocated: 85B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Memory allocated: 6D10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Memory allocated: 95B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Memory allocated: A5B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_016AE0D0 rdtsc

9_2_016AE0D0

Source: C:\Users\user\Desktop\New purchase order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7463	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2250	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6850	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2820	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9675	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 861	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Window / User API: threadDelayed 3605
Source: C:\Windows\SysWOW64\cscript.exe	Window / User API: threadDelayed 6369

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 1.1 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\cscript.exe	API coverage: 1.6 %

Source: C:\Users\user\Desktop\New purchase order.exe TID: 6500	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5808	Thread sleep count: 7463 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7160	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5848	Thread sleep count: 2250 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5776	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1136	Thread sleep count: 9675 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1136	Thread sleep time: -19350000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1136	Thread sleep count: 274 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1136	Thread sleep time: -548000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe TID: 1512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 5676	Thread sleep count: 3605 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 5676	Thread sleep time: -7210000s >= -30000s
Source: C:\Windows\SysWOW64\cscript.exe TID: 5676	Thread sleep count: 6369 > 30
Source: C:\Windows\SysWOW64\cscript.exe TID: 5676	Thread sleep time: -12738000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cscript.exe

16_2_004A2674

Source: C:\Users\user\Desktop\New purchase order.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000A.00000002.4564685923.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 0000000A.00000002.4565119704.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000002.4564685923.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 0000000A.00000003.3076449895.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 0000000A.00000000.2128744833.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 0000000A.00000000.2112893628.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.2128744833.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4564685923.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.2112893628.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 0000000A.00000002.4562814874.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000A.00000003.3076449895.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 0000000A.00000000.2112893628.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000A.00000003.3076449895.00000000098E0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 0000000A.00000000.2112893628.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\New purchase order.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_016AE0D0 rdtsc

9_2_016AE0D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_016F2B60 LdrInitializeThunk,

9_2_016F2B60

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_0049AA82 LoadLibraryW,GetProcAddress,FreeLibrary,

16_2_0049AA82

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F2160 mov eax, dword ptr fs:[00000030h]	9_2_016F2160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B2140 mov ecx, dword ptr fs:[00000030h]	9_2_016B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B2140 mov eax, dword ptr fs:[00000030h]	9_2_016B2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AC156 mov eax, dword ptr fs:[00000030h]	9_2_016AC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6154 mov eax, dword ptr fs:[00000030h]	9_2_016B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6154 mov eax, dword ptr fs:[00000030h]	9_2_016B6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E0124 mov eax, dword ptr fs:[00000030h]	9_2_016E0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E01F8 mov eax, dword ptr fs:[00000030h]	9_2_016E01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0172E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0172E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0172E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0172E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0172E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0170E1D8 mov eax, dword ptr fs:[00000030h]	9_2_0170E1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017201DA mov eax, dword ptr fs:[00000030h]	9_2_017201DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017201DA mov eax, dword ptr fs:[00000030h]	9_2_017201DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C61D1 mov eax, dword ptr fs:[00000030h]	9_2_016C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C61D1 mov eax, dword ptr fs:[00000030h]	9_2_016C61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F0185 mov eax, dword ptr fs:[00000030h]	9_2_016F0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173019F mov eax, dword ptr fs:[00000030h]	9_2_0173019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173019F mov eax, dword ptr fs:[00000030h]	9_2_0173019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173019F mov eax, dword ptr fs:[00000030h]	9_2_0173019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173019F mov eax, dword ptr fs:[00000030h]	9_2_0173019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AA197 mov eax, dword ptr fs:[00000030h]	9_2_016AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AA197 mov eax, dword ptr fs:[00000030h]	9_2_016AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AA197 mov eax, dword ptr fs:[00000030h]	9_2_016AA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA060 mov eax, dword ptr fs:[00000030h]	9_2_016EA060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DC073 mov eax, dword ptr fs:[00000030h]	9_2_016DC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01736050 mov eax, dword ptr fs:[00000030h]	9_2_01736050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01712045 mov eax, dword ptr fs:[00000030h]	9_2_01712045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B2050 mov eax, dword ptr fs:[00000030h]	9_2_016B2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AC020 mov eax, dword ptr fs:[00000030h]	9_2_016AC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AA020 mov eax, dword ptr fs:[00000030h]	9_2_016AA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01734000 mov ecx, dword ptr fs:[00000030h]	9_2_01734000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CE016 mov eax, dword ptr fs:[00000030h]	9_2_016CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CE016 mov eax, dword ptr fs:[00000030h]	9_2_016CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CE016 mov eax, dword ptr fs:[00000030h]	9_2_016CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CE016 mov eax, dword ptr fs:[00000030h]	9_2_016CE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B80E9 mov eax, dword ptr fs:[00000030h]	9_2_016B80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AA0E3 mov ecx, dword ptr fs:[00000030h]	9_2_016AA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017360E0 mov eax, dword ptr fs:[00000030h]	9_2_017360E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AC0F0 mov eax, dword ptr fs:[00000030h]	9_2_016AC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F20F0 mov ecx, dword ptr fs:[00000030h]	9_2_016F20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017320DE mov eax, dword ptr fs:[00000030h]	9_2_017320DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A80A0 mov eax, dword ptr fs:[00000030h]	9_2_016A80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B208A mov eax, dword ptr fs:[00000030h]	9_2_016B208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172035C mov eax, dword ptr fs:[00000030h]	9_2_0172035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172035C mov eax, dword ptr fs:[00000030h]	9_2_0172035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172035C mov eax, dword ptr fs:[00000030h]	9_2_0172035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172035C mov eax, dword ptr fs:[00000030h]	9_2_0172035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173035C mov eax, dword ptr fs:[00000030h]	9_2_0173035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173035C mov eax, dword ptr fs:[00000030h]	9_2_0173035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173035C mov eax, dword ptr fs:[00000030h]	9_2_0173035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173035C mov ecx, dword ptr fs:[00000030h]	9_2_0173035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173035C mov eax, dword ptr fs:[00000030h]	9_2_0173035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173035C mov eax, dword ptr fs:[00000030h]	9_2_0173035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01732349 mov eax, dword ptr fs:[00000030h]	9_2_01732349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0171634C mov eax, dword ptr fs:[00000030h]	9_2_0171634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B2324 mov eax, dword ptr fs:[00000030h]	9_2_016B2324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA30B mov eax, dword ptr fs:[00000030h]	9_2_016EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA30B mov eax, dword ptr fs:[00000030h]	9_2_016EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA30B mov eax, dword ptr fs:[00000030h]	9_2_016EA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AC301 mov ecx, dword ptr fs:[00000030h]	9_2_016AC301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D0310 mov ecx, dword ptr fs:[00000030h]	9_2_016D0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C03E9 mov eax, dword ptr fs:[00000030h]	9_2_016C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C03E9 mov eax, dword ptr fs:[00000030h]	9_2_016C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C03E9 mov eax, dword ptr fs:[00000030h]	9_2_016C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C03E9 mov eax, dword ptr fs:[00000030h]	9_2_016C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C03E9 mov eax, dword ptr fs:[00000030h]	9_2_016C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C03E9 mov eax, dword ptr fs:[00000030h]	9_2_016C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C03E9 mov eax, dword ptr fs:[00000030h]	9_2_016C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C03E9 mov eax, dword ptr fs:[00000030h]	9_2_016C03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E63FF mov eax, dword ptr fs:[00000030h]	9_2_016E63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CE3F0 mov eax, dword ptr fs:[00000030h]	9_2_016CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CE3F0 mov eax, dword ptr fs:[00000030h]	9_2_016CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CE3F0 mov eax, dword ptr fs:[00000030h]	9_2_016CE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B83C0 mov eax, dword ptr fs:[00000030h]	9_2_016B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B83C0 mov eax, dword ptr fs:[00000030h]	9_2_016B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B83C0 mov eax, dword ptr fs:[00000030h]	9_2_016B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B83C0 mov eax, dword ptr fs:[00000030h]	9_2_016B83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017363C0 mov eax, dword ptr fs:[00000030h]	9_2_017363C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AE388 mov eax, dword ptr fs:[00000030h]	9_2_016AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AE388 mov eax, dword ptr fs:[00000030h]	9_2_016AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AE388 mov eax, dword ptr fs:[00000030h]	9_2_016AE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D438F mov eax, dword ptr fs:[00000030h]	9_2_016D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D438F mov eax, dword ptr fs:[00000030h]	9_2_016D438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8397 mov eax, dword ptr fs:[00000030h]	9_2_016A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8397 mov eax, dword ptr fs:[00000030h]	9_2_016A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8397 mov eax, dword ptr fs:[00000030h]	9_2_016A8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A826B mov eax, dword ptr fs:[00000030h]	9_2_016A826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B4260 mov eax, dword ptr fs:[00000030h]	9_2_016B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B4260 mov eax, dword ptr fs:[00000030h]	9_2_016B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B4260 mov eax, dword ptr fs:[00000030h]	9_2_016B4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01738243 mov eax, dword ptr fs:[00000030h]	9_2_01738243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01738243 mov ecx, dword ptr fs:[00000030h]	9_2_01738243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6259 mov eax, dword ptr fs:[00000030h]	9_2_016B6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AA250 mov eax, dword ptr fs:[00000030h]	9_2_016AA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A823B mov eax, dword ptr fs:[00000030h]	9_2_016A823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0218 mov eax, dword ptr fs:[00000030h]	9_2_016C0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C02E1 mov eax, dword ptr fs:[00000030h]	9_2_016C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C02E1 mov eax, dword ptr fs:[00000030h]	9_2_016C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C02E1 mov eax, dword ptr fs:[00000030h]	9_2_016C02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_016BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_016BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_016BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_016BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA2C3 mov eax, dword ptr fs:[00000030h]	9_2_016BA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C02A0 mov eax, dword ptr fs:[00000030h]	9_2_016C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C02A0 mov eax, dword ptr fs:[00000030h]	9_2_016C02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE284 mov eax, dword ptr fs:[00000030h]	9_2_016EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE284 mov eax, dword ptr fs:[00000030h]	9_2_016EE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01730283 mov eax, dword ptr fs:[00000030h]	9_2_01730283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01730283 mov eax, dword ptr fs:[00000030h]	9_2_01730283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01730283 mov eax, dword ptr fs:[00000030h]	9_2_01730283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E656A mov eax, dword ptr fs:[00000030h]	9_2_016E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E656A mov eax, dword ptr fs:[00000030h]	9_2_016E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E656A mov eax, dword ptr fs:[00000030h]	9_2_016E656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE53E mov eax, dword ptr fs:[00000030h]	9_2_016DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE53E mov eax, dword ptr fs:[00000030h]	9_2_016DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE53E mov eax, dword ptr fs:[00000030h]	9_2_016DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE53E mov eax, dword ptr fs:[00000030h]	9_2_016DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE53E mov eax, dword ptr fs:[00000030h]	9_2_016DE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0535 mov eax, dword ptr fs:[00000030h]	9_2_016C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0535 mov eax, dword ptr fs:[00000030h]	9_2_016C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0535 mov eax, dword ptr fs:[00000030h]	9_2_016C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0535 mov eax, dword ptr fs:[00000030h]	9_2_016C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0535 mov eax, dword ptr fs:[00000030h]	9_2_016C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0535 mov eax, dword ptr fs:[00000030h]	9_2_016C0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC5ED mov eax, dword ptr fs:[00000030h]	9_2_016EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC5ED mov eax, dword ptr fs:[00000030h]	9_2_016EC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE5E7 mov eax, dword ptr fs:[00000030h]	9_2_016DE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B25E0 mov eax, dword ptr fs:[00000030h]	9_2_016B25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE5CF mov eax, dword ptr fs:[00000030h]	9_2_016EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE5CF mov eax, dword ptr fs:[00000030h]	9_2_016EE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B65D0 mov eax, dword ptr fs:[00000030h]	9_2_016B65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA5D0 mov eax, dword ptr fs:[00000030h]	9_2_016EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA5D0 mov eax, dword ptr fs:[00000030h]	9_2_016EA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D45B1 mov eax, dword ptr fs:[00000030h]	9_2_016D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D45B1 mov eax, dword ptr fs:[00000030h]	9_2_016D45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E4588 mov eax, dword ptr fs:[00000030h]	9_2_016E4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B2582 mov eax, dword ptr fs:[00000030h]	9_2_016B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B2582 mov ecx, dword ptr fs:[00000030h]	9_2_016B2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AA580 mov ecx, dword ptr fs:[00000030h]	9_2_016AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AA580 mov eax, dword ptr fs:[00000030h]	9_2_016AA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE59C mov eax, dword ptr fs:[00000030h]	9_2_016EE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173C460 mov ecx, dword ptr fs:[00000030h]	9_2_0173C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA471 mov eax, dword ptr fs:[00000030h]	9_2_016BA471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DA470 mov eax, dword ptr fs:[00000030h]	9_2_016DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DA470 mov eax, dword ptr fs:[00000030h]	9_2_016DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DA470 mov eax, dword ptr fs:[00000030h]	9_2_016DA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE443 mov eax, dword ptr fs:[00000030h]	9_2_016EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE443 mov eax, dword ptr fs:[00000030h]	9_2_016EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE443 mov eax, dword ptr fs:[00000030h]	9_2_016EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE443 mov eax, dword ptr fs:[00000030h]	9_2_016EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE443 mov eax, dword ptr fs:[00000030h]	9_2_016EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE443 mov eax, dword ptr fs:[00000030h]	9_2_016EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE443 mov eax, dword ptr fs:[00000030h]	9_2_016EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EE443 mov eax, dword ptr fs:[00000030h]	9_2_016EE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D245A mov eax, dword ptr fs:[00000030h]	9_2_016D245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AE420 mov eax, dword ptr fs:[00000030h]	9_2_016AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AE420 mov eax, dword ptr fs:[00000030h]	9_2_016AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AE420 mov eax, dword ptr fs:[00000030h]	9_2_016AE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AC427 mov eax, dword ptr fs:[00000030h]	9_2_016AC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01736420 mov eax, dword ptr fs:[00000030h]	9_2_01736420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01736420 mov eax, dword ptr fs:[00000030h]	9_2_01736420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01736420 mov eax, dword ptr fs:[00000030h]	9_2_01736420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01736420 mov eax, dword ptr fs:[00000030h]	9_2_01736420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01736420 mov eax, dword ptr fs:[00000030h]	9_2_01736420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01736420 mov eax, dword ptr fs:[00000030h]	9_2_01736420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01736420 mov eax, dword ptr fs:[00000030h]	9_2_01736420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA430 mov eax, dword ptr fs:[00000030h]	9_2_016EA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E8402 mov eax, dword ptr fs:[00000030h]	9_2_016E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E8402 mov eax, dword ptr fs:[00000030h]	9_2_016E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E8402 mov eax, dword ptr fs:[00000030h]	9_2_016E8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B04E5 mov ecx, dword ptr fs:[00000030h]	9_2_016B04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B64AB mov eax, dword ptr fs:[00000030h]	9_2_016B64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173A4B0 mov eax, dword ptr fs:[00000030h]	9_2_0173A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A64BA mov eax, dword ptr fs:[00000030h]	9_2_016A64BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E44B0 mov ecx, dword ptr fs:[00000030h]	9_2_016E44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6484 mov eax, dword ptr fs:[00000030h]	9_2_016B6484
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8770 mov eax, dword ptr fs:[00000030h]	9_2_016B8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0770 mov eax, dword ptr fs:[00000030h]	9_2_016C0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E674D mov esi, dword ptr fs:[00000030h]	9_2_016E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E674D mov eax, dword ptr fs:[00000030h]	9_2_016E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E674D mov eax, dword ptr fs:[00000030h]	9_2_016E674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01734755 mov eax, dword ptr fs:[00000030h]	9_2_01734755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AA740 mov eax, dword ptr fs:[00000030h]	9_2_016AA740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173E75D mov eax, dword ptr fs:[00000030h]	9_2_0173E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0750 mov eax, dword ptr fs:[00000030h]	9_2_016B0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F2750 mov eax, dword ptr fs:[00000030h]	9_2_016F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F2750 mov eax, dword ptr fs:[00000030h]	9_2_016F2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172C730 mov eax, dword ptr fs:[00000030h]	9_2_0172C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC720 mov eax, dword ptr fs:[00000030h]	9_2_016EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC720 mov eax, dword ptr fs:[00000030h]	9_2_016EC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E273C mov eax, dword ptr fs:[00000030h]	9_2_016E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E273C mov ecx, dword ptr fs:[00000030h]	9_2_016E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E273C mov eax, dword ptr fs:[00000030h]	9_2_016E273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC700 mov eax, dword ptr fs:[00000030h]	9_2_016EC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0710 mov eax, dword ptr fs:[00000030h]	9_2_016B0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E0710 mov eax, dword ptr fs:[00000030h]	9_2_016E0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D27ED mov eax, dword ptr fs:[00000030h]	9_2_016D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D27ED mov eax, dword ptr fs:[00000030h]	9_2_016D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D27ED mov eax, dword ptr fs:[00000030h]	9_2_016D27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B47FB mov eax, dword ptr fs:[00000030h]	9_2_016B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B47FB mov eax, dword ptr fs:[00000030h]	9_2_016B47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173E7E1 mov eax, dword ptr fs:[00000030h]	9_2_0173E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC7F0 mov eax, dword ptr fs:[00000030h]	9_2_016EC7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017307C3 mov eax, dword ptr fs:[00000030h]	9_2_017307C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B07AF mov eax, dword ptr fs:[00000030h]	9_2_016B07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C266C mov eax, dword ptr fs:[00000030h]	9_2_016C266C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA660 mov eax, dword ptr fs:[00000030h]	9_2_016EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA660 mov eax, dword ptr fs:[00000030h]	9_2_016EA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E2674 mov eax, dword ptr fs:[00000030h]	9_2_016E2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CC640 mov eax, dword ptr fs:[00000030h]	9_2_016CC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B262C mov eax, dword ptr fs:[00000030h]	9_2_016B262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CE627 mov eax, dword ptr fs:[00000030h]	9_2_016CE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E6620 mov eax, dword ptr fs:[00000030h]	9_2_016E6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E8620 mov eax, dword ptr fs:[00000030h]	9_2_016E8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F2619 mov eax, dword ptr fs:[00000030h]	9_2_016F2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E609 mov eax, dword ptr fs:[00000030h]	9_2_0172E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0172E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0172E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0172E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0172E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017306F1 mov eax, dword ptr fs:[00000030h]	9_2_017306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017306F1 mov eax, dword ptr fs:[00000030h]	9_2_017306F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C26EB mov eax, dword ptr fs:[00000030h]	9_2_016C26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C26EB mov eax, dword ptr fs:[00000030h]	9_2_016C26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C26EB mov eax, dword ptr fs:[00000030h]	9_2_016C26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C26EB mov eax, dword ptr fs:[00000030h]	9_2_016C26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA6C7 mov ebx, dword ptr fs:[00000030h]	9_2_016EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA6C7 mov eax, dword ptr fs:[00000030h]	9_2_016EA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC6A6 mov eax, dword ptr fs:[00000030h]	9_2_016EC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E66B0 mov eax, dword ptr fs:[00000030h]	9_2_016E66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC68B mov eax, dword ptr fs:[00000030h]	9_2_016EC68B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B4690 mov eax, dword ptr fs:[00000030h]	9_2_016B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B4690 mov eax, dword ptr fs:[00000030h]	9_2_016B4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F096E mov eax, dword ptr fs:[00000030h]	9_2_016F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F096E mov edx, dword ptr fs:[00000030h]	9_2_016F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016F096E mov eax, dword ptr fs:[00000030h]	9_2_016F096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173C97C mov eax, dword ptr fs:[00000030h]	9_2_0173C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D6962 mov eax, dword ptr fs:[00000030h]	9_2_016D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D6962 mov eax, dword ptr fs:[00000030h]	9_2_016D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D6962 mov eax, dword ptr fs:[00000030h]	9_2_016D6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01730946 mov eax, dword ptr fs:[00000030h]	9_2_01730946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA950 mov eax, dword ptr fs:[00000030h]	9_2_016EA950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173892A mov eax, dword ptr fs:[00000030h]	9_2_0173892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173C912 mov eax, dword ptr fs:[00000030h]	9_2_0173C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8918 mov eax, dword ptr fs:[00000030h]	9_2_016A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8918 mov eax, dword ptr fs:[00000030h]	9_2_016A8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E908 mov eax, dword ptr fs:[00000030h]	9_2_0172E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172E908 mov eax, dword ptr fs:[00000030h]	9_2_0172E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173E9E0 mov eax, dword ptr fs:[00000030h]	9_2_0173E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E29F9 mov eax, dword ptr fs:[00000030h]	9_2_016E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E29F9 mov eax, dword ptr fs:[00000030h]	9_2_016E29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_016BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_016BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_016BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_016BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_016BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BA9D0 mov eax, dword ptr fs:[00000030h]	9_2_016BA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E49D0 mov eax, dword ptr fs:[00000030h]	9_2_016E49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017389B3 mov esi, dword ptr fs:[00000030h]	9_2_017389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017389B3 mov eax, dword ptr fs:[00000030h]	9_2_017389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_017389B3 mov eax, dword ptr fs:[00000030h]	9_2_017389B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B09AD mov eax, dword ptr fs:[00000030h]	9_2_016B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B09AD mov eax, dword ptr fs:[00000030h]	9_2_016B09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173E872 mov eax, dword ptr fs:[00000030h]	9_2_0173E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173E872 mov eax, dword ptr fs:[00000030h]	9_2_0173E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B4859 mov eax, dword ptr fs:[00000030h]	9_2_016B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B4859 mov eax, dword ptr fs:[00000030h]	9_2_016B4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E0854 mov eax, dword ptr fs:[00000030h]	9_2_016E0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D2835 mov eax, dword ptr fs:[00000030h]	9_2_016D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D2835 mov eax, dword ptr fs:[00000030h]	9_2_016D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D2835 mov eax, dword ptr fs:[00000030h]	9_2_016D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D2835 mov ecx, dword ptr fs:[00000030h]	9_2_016D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D2835 mov eax, dword ptr fs:[00000030h]	9_2_016D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D2835 mov eax, dword ptr fs:[00000030h]	9_2_016D2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EA830 mov eax, dword ptr fs:[00000030h]	9_2_016EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173C810 mov eax, dword ptr fs:[00000030h]	9_2_0173C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC8F9 mov eax, dword ptr fs:[00000030h]	9_2_016EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EC8F9 mov eax, dword ptr fs:[00000030h]	9_2_016EC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B28F0 mov eax, dword ptr fs:[00000030h]	9_2_016B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B28F0 mov eax, dword ptr fs:[00000030h]	9_2_016B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B28F0 mov eax, dword ptr fs:[00000030h]	9_2_016B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B28F0 mov eax, dword ptr fs:[00000030h]	9_2_016B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B28F0 mov eax, dword ptr fs:[00000030h]	9_2_016B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B28F0 mov eax, dword ptr fs:[00000030h]	9_2_016B28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DE8C0 mov eax, dword ptr fs:[00000030h]	9_2_016DE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C28D0 mov ecx, dword ptr fs:[00000030h]	9_2_016C28D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0887 mov eax, dword ptr fs:[00000030h]	9_2_016B0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173C89D mov eax, dword ptr fs:[00000030h]	9_2_0173C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ACB7E mov eax, dword ptr fs:[00000030h]	9_2_016ACB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2B79 mov eax, dword ptr fs:[00000030h]	9_2_016C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2B79 mov eax, dword ptr fs:[00000030h]	9_2_016C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2B79 mov eax, dword ptr fs:[00000030h]	9_2_016C2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8B50 mov eax, dword ptr fs:[00000030h]	9_2_016A8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DEB20 mov eax, dword ptr fs:[00000030h]	9_2_016DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DEB20 mov eax, dword ptr fs:[00000030h]	9_2_016DEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172EB1D mov eax, dword ptr fs:[00000030h]	9_2_0172EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172EB1D mov eax, dword ptr fs:[00000030h]	9_2_0172EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172EB1D mov eax, dword ptr fs:[00000030h]	9_2_0172EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172EB1D mov eax, dword ptr fs:[00000030h]	9_2_0172EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172EB1D mov eax, dword ptr fs:[00000030h]	9_2_0172EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172EB1D mov eax, dword ptr fs:[00000030h]	9_2_0172EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172EB1D mov eax, dword ptr fs:[00000030h]	9_2_0172EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172EB1D mov eax, dword ptr fs:[00000030h]	9_2_0172EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172EB1D mov eax, dword ptr fs:[00000030h]	9_2_0172EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173CBF0 mov eax, dword ptr fs:[00000030h]	9_2_0173CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01712BF6 mov eax, dword ptr fs:[00000030h]	9_2_01712BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DEBFC mov eax, dword ptr fs:[00000030h]	9_2_016DEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8BF0 mov eax, dword ptr fs:[00000030h]	9_2_016B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8BF0 mov eax, dword ptr fs:[00000030h]	9_2_016B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8BF0 mov eax, dword ptr fs:[00000030h]	9_2_016B8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E8BF0 mov ecx, dword ptr fs:[00000030h]	9_2_016E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E8BF0 mov eax, dword ptr fs:[00000030h]	9_2_016E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E8BF0 mov eax, dword ptr fs:[00000030h]	9_2_016E8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0BCD mov eax, dword ptr fs:[00000030h]	9_2_016B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0BCD mov eax, dword ptr fs:[00000030h]	9_2_016B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0BCD mov eax, dword ptr fs:[00000030h]	9_2_016B0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0BBE mov eax, dword ptr fs:[00000030h]	9_2_016C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0BBE mov eax, dword ptr fs:[00000030h]	9_2_016C0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172CA72 mov eax, dword ptr fs:[00000030h]	9_2_0172CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172CA72 mov eax, dword ptr fs:[00000030h]	9_2_0172CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ECA6F mov eax, dword ptr fs:[00000030h]	9_2_016ECA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ECA6F mov eax, dword ptr fs:[00000030h]	9_2_016ECA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ECA6F mov eax, dword ptr fs:[00000030h]	9_2_016ECA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2A45 mov eax, dword ptr fs:[00000030h]	9_2_016C2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2A45 mov eax, dword ptr fs:[00000030h]	9_2_016C2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2A45 mov eax, dword ptr fs:[00000030h]	9_2_016C2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0A5B mov eax, dword ptr fs:[00000030h]	9_2_016C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0A5B mov eax, dword ptr fs:[00000030h]	9_2_016C0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6A50 mov eax, dword ptr fs:[00000030h]	9_2_016B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6A50 mov eax, dword ptr fs:[00000030h]	9_2_016B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6A50 mov eax, dword ptr fs:[00000030h]	9_2_016B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6A50 mov eax, dword ptr fs:[00000030h]	9_2_016B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6A50 mov eax, dword ptr fs:[00000030h]	9_2_016B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6A50 mov eax, dword ptr fs:[00000030h]	9_2_016B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6A50 mov eax, dword ptr fs:[00000030h]	9_2_016B6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E0A50 mov eax, dword ptr fs:[00000030h]	9_2_016E0A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ECA24 mov eax, dword ptr fs:[00000030h]	9_2_016ECA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ECA38 mov eax, dword ptr fs:[00000030h]	9_2_016ECA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D4A35 mov eax, dword ptr fs:[00000030h]	9_2_016D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D4A35 mov eax, dword ptr fs:[00000030h]	9_2_016D4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0173CA11 mov eax, dword ptr fs:[00000030h]	9_2_0173CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8A00 mov eax, dword ptr fs:[00000030h]	9_2_016A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8A00 mov eax, dword ptr fs:[00000030h]	9_2_016A8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EAAEE mov eax, dword ptr fs:[00000030h]	9_2_016EAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016EAAEE mov eax, dword ptr fs:[00000030h]	9_2_016EAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0AD0 mov eax, dword ptr fs:[00000030h]	9_2_016B0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01706ACC mov eax, dword ptr fs:[00000030h]	9_2_01706ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01706ACC mov eax, dword ptr fs:[00000030h]	9_2_01706ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01706ACC mov eax, dword ptr fs:[00000030h]	9_2_01706ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E4AD0 mov eax, dword ptr fs:[00000030h]	9_2_016E4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E4AD0 mov eax, dword ptr fs:[00000030h]	9_2_016E4AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8AA0 mov eax, dword ptr fs:[00000030h]	9_2_016B8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8AA0 mov eax, dword ptr fs:[00000030h]	9_2_016B8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01706AA4 mov eax, dword ptr fs:[00000030h]	9_2_01706AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AEA80 mov eax, dword ptr fs:[00000030h]	9_2_016AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AEA80 mov eax, dword ptr fs:[00000030h]	9_2_016AEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80 mov eax, dword ptr fs:[00000030h]	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80 mov eax, dword ptr fs:[00000030h]	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80 mov eax, dword ptr fs:[00000030h]	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80 mov eax, dword ptr fs:[00000030h]	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80 mov eax, dword ptr fs:[00000030h]	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80 mov eax, dword ptr fs:[00000030h]	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80 mov eax, dword ptr fs:[00000030h]	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80 mov eax, dword ptr fs:[00000030h]	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BEA80 mov eax, dword ptr fs:[00000030h]	9_2_016BEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E8A90 mov edx, dword ptr fs:[00000030h]	9_2_016E8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0D59 mov eax, dword ptr fs:[00000030h]	9_2_016B0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0D59 mov eax, dword ptr fs:[00000030h]	9_2_016B0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B0D59 mov eax, dword ptr fs:[00000030h]	9_2_016B0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8D59 mov eax, dword ptr fs:[00000030h]	9_2_016B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8D59 mov eax, dword ptr fs:[00000030h]	9_2_016B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8D59 mov eax, dword ptr fs:[00000030h]	9_2_016B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8D59 mov eax, dword ptr fs:[00000030h]	9_2_016B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B8D59 mov eax, dword ptr fs:[00000030h]	9_2_016B8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01738D20 mov eax, dword ptr fs:[00000030h]	9_2_01738D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CAD00 mov eax, dword ptr fs:[00000030h]	9_2_016CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CAD00 mov eax, dword ptr fs:[00000030h]	9_2_016CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016CAD00 mov eax, dword ptr fs:[00000030h]	9_2_016CAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E4D1D mov eax, dword ptr fs:[00000030h]	9_2_016E4D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A6D10 mov eax, dword ptr fs:[00000030h]	9_2_016A6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A6D10 mov eax, dword ptr fs:[00000030h]	9_2_016A6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A6D10 mov eax, dword ptr fs:[00000030h]	9_2_016A6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ACDEA mov eax, dword ptr fs:[00000030h]	9_2_016ACDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ACDEA mov eax, dword ptr fs:[00000030h]	9_2_016ACDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D0DE1 mov eax, dword ptr fs:[00000030h]	9_2_016D0DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DCDF0 mov eax, dword ptr fs:[00000030h]	9_2_016DCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DCDF0 mov ecx, dword ptr fs:[00000030h]	9_2_016DCDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01734DD7 mov eax, dword ptr fs:[00000030h]	9_2_01734DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01734DD7 mov eax, dword ptr fs:[00000030h]	9_2_01734DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DEDD3 mov eax, dword ptr fs:[00000030h]	9_2_016DEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DEDD3 mov eax, dword ptr fs:[00000030h]	9_2_016DEDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E6DA0 mov eax, dword ptr fs:[00000030h]	9_2_016E6DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D8DBF mov eax, dword ptr fs:[00000030h]	9_2_016D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D8DBF mov eax, dword ptr fs:[00000030h]	9_2_016D8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ECDB1 mov ecx, dword ptr fs:[00000030h]	9_2_016ECDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ECDB1 mov eax, dword ptr fs:[00000030h]	9_2_016ECDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ECDB1 mov eax, dword ptr fs:[00000030h]	9_2_016ECDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BCC74 mov eax, dword ptr fs:[00000030h]	9_2_016BCC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D0C44 mov eax, dword ptr fs:[00000030h]	9_2_016D0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D0C44 mov eax, dword ptr fs:[00000030h]	9_2_016D0C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E4C59 mov eax, dword ptr fs:[00000030h]	9_2_016E4C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BAC50 mov eax, dword ptr fs:[00000030h]	9_2_016BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BAC50 mov eax, dword ptr fs:[00000030h]	9_2_016BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BAC50 mov eax, dword ptr fs:[00000030h]	9_2_016BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BAC50 mov eax, dword ptr fs:[00000030h]	9_2_016BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BAC50 mov eax, dword ptr fs:[00000030h]	9_2_016BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BAC50 mov eax, dword ptr fs:[00000030h]	9_2_016BAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6C50 mov eax, dword ptr fs:[00000030h]	9_2_016B6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6C50 mov eax, dword ptr fs:[00000030h]	9_2_016B6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016B6C50 mov eax, dword ptr fs:[00000030h]	9_2_016B6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016AEC20 mov eax, dword ptr fs:[00000030h]	9_2_016AEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0C00 mov eax, dword ptr fs:[00000030h]	9_2_016C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0C00 mov eax, dword ptr fs:[00000030h]	9_2_016C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0C00 mov eax, dword ptr fs:[00000030h]	9_2_016C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C0C00 mov eax, dword ptr fs:[00000030h]	9_2_016C0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ECC00 mov eax, dword ptr fs:[00000030h]	9_2_016ECC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01734C0F mov eax, dword ptr fs:[00000030h]	9_2_01734C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E2CF0 mov eax, dword ptr fs:[00000030h]	9_2_016E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E2CF0 mov eax, dword ptr fs:[00000030h]	9_2_016E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E2CF0 mov eax, dword ptr fs:[00000030h]	9_2_016E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E2CF0 mov eax, dword ptr fs:[00000030h]	9_2_016E2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016ACCC8 mov eax, dword ptr fs:[00000030h]	9_2_016ACCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2CDC mov eax, dword ptr fs:[00000030h]	9_2_016C2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2CDC mov eax, dword ptr fs:[00000030h]	9_2_016C2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2CDC mov eax, dword ptr fs:[00000030h]	9_2_016C2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8CD0 mov eax, dword ptr fs:[00000030h]	9_2_016A8CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172CCA0 mov ecx, dword ptr fs:[00000030h]	9_2_0172CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0172CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0172CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0172CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0172CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01734CA8 mov eax, dword ptr fs:[00000030h]	9_2_01734CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D8CB1 mov eax, dword ptr fs:[00000030h]	9_2_016D8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016D8CB1 mov eax, dword ptr fs:[00000030h]	9_2_016D8CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016A8C8D mov eax, dword ptr fs:[00000030h]	9_2_016A8C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DAF69 mov eax, dword ptr fs:[00000030h]	9_2_016DAF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016DAF69 mov eax, dword ptr fs:[00000030h]	9_2_016DAF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E6F60 mov eax, dword ptr fs:[00000030h]	9_2_016E6F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016E6F60 mov eax, dword ptr fs:[00000030h]	9_2_016E6F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F7B mov eax, dword ptr fs:[00000030h]	9_2_016C2F7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F7B mov eax, dword ptr fs:[00000030h]	9_2_016C2F7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F7B mov eax, dword ptr fs:[00000030h]	9_2_016C2F7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F7B mov eax, dword ptr fs:[00000030h]	9_2_016C2F7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F7B mov eax, dword ptr fs:[00000030h]	9_2_016C2F7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F7B mov eax, dword ptr fs:[00000030h]	9_2_016C2F7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F7B mov eax, dword ptr fs:[00000030h]	9_2_016C2F7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F72 mov eax, dword ptr fs:[00000030h]	9_2_016C2F72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F72 mov eax, dword ptr fs:[00000030h]	9_2_016C2F72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F72 mov eax, dword ptr fs:[00000030h]	9_2_016C2F72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F72 mov eax, dword ptr fs:[00000030h]	9_2_016C2F72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F72 mov eax, dword ptr fs:[00000030h]	9_2_016C2F72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F72 mov eax, dword ptr fs:[00000030h]	9_2_016C2F72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F72 mov eax, dword ptr fs:[00000030h]	9_2_016C2F72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BAF42 mov eax, dword ptr fs:[00000030h]	9_2_016BAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BAF42 mov eax, dword ptr fs:[00000030h]	9_2_016BAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016BAF42 mov eax, dword ptr fs:[00000030h]	9_2_016BAF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F47 mov eax, dword ptr fs:[00000030h]	9_2_016C2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F47 mov eax, dword ptr fs:[00000030h]	9_2_016C2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F47 mov eax, dword ptr fs:[00000030h]	9_2_016C2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F47 mov eax, dword ptr fs:[00000030h]	9_2_016C2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F47 mov eax, dword ptr fs:[00000030h]	9_2_016C2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F47 mov eax, dword ptr fs:[00000030h]	9_2_016C2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_016C2F47 mov eax, dword ptr fs:[00000030h]	9_2_016C2F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01734F40 mov eax, dword ptr fs:[00000030h]	9_2_01734F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01734F40 mov eax, dword ptr fs:[00000030h]	9_2_01734F40

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_0049647E GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

16_2_0049647E

Source: C:\Users\user\Desktop\New purchase order.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_0049DCAA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

16_2_0049DCAA

Source: C:\Users\user\Desktop\New purchase order.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe"
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe"
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\New purchase order.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0x14CA4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0x1B9A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0x14CA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0x1B9A56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\New purchase order.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 4004	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 4004
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 4004

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: C50000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 490000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\New purchase order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: C09008	Jump to behavior

Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe"	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmpA46F.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: explorer.exe, 0000000A.00000000.2115007420.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4559956397.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 0000000A.00000000.2119045152.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2115007420.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4559956397.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.2115007420.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4559956397.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2112893628.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4559036140.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 0000000A.00000000.2115007420.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4559956397.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000002.4565119704.00000000098E3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076180952.00000000098C4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2979316978.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Windows\SysWOW64\cscript.exe	Code function: GetUserDefaultLCID,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,	16_2_0049AADC
Source: C:\Windows\SysWOW64\cscript.exe	Code function: GetLocaleInfoW,wcsncmp,	16_2_004A7E85
Source: C:\Windows\SysWOW64\cscript.exe	Code function: GetLocaleInfoW,	16_2_0049AB35

Source: C:\Users\user\Desktop\New purchase order.exe	Queries volume information: C:\Users\user\Desktop\New purchase order.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\New purchase order.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Queries volume information: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_0049DC00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

16_2_0049DC00

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_00497490 RegOpenKeyExW,RegOpenKeyExW,SysFreeString,RegCloseKey,RegCloseKey,WideCharToMultiByte,__alloca_probe_16,WideCharToMultiByte,RegOpenKeyExA,GetLastError,RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource,

16_2_00497490

Source: C:\Windows\SysWOW64\cscript.exe

Code function: 16_2_0049A9C0 InitializeCriticalSection,GetVersionExA,

16_2_0049A9C0

Source: C:\Users\user\Desktop\New purchase order.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.New purchase order.exe.3564624.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.5c10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.5c10000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.3564624.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.33427f4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.3289e88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2134617071.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136893760.0000000005C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133550897.0000000003284000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.New purchase order.exe.3564624.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.5c10000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.5c10000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.3564624.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.33427f4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New purchase order.exe.3289e88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2134617071.0000000004179000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2136893760.0000000005C10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2133550897.0000000003284000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_004A5880 CreateBindCtx,MkParseDisplayName,		16_2_004A5880
Source: C:\Windows\SysWOW64\cscript.exe	Code function: 16_2_0049CD6C CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx,		16_2_0049CD6C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Scheduled Task/Job	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	712 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	4 Obfuscated Files or Information	NTDS	224 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	331 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	712 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New purchase order.exe	36%	Virustotal		Browse
New purchase order.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
New purchase order.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
http://www.onitoring-devices-34077.bond/a01d/www.irlypods.shop	0%	Avira URL Cloud	safe
http://www.ruaim.online/a01d/	0%	Avira URL Cloud	safe
http://www.limbtrip.net	0%	Avira URL Cloud	safe
http://www.nline-advertising-58573.bond/a01d/	0%	Avira URL Cloud	safe
http://www.hbvc.xyz/a01d/	100%	Avira URL Cloud	phishing
http://www.ommbank.video/a01d/www.ruaim.online	0%	Avira URL Cloud	safe
http://www.ustonehuman.info	0%	Avira URL Cloud	safe
http://www.nlinecraps.xyz	0%	Avira URL Cloud	safe
http://www.228080a0.buzz/a01d/www.uxemasculine.store	0%	Avira URL Cloud	safe
http://www.d8ns7gu.skin/a01d/www.nline-advertising-58573.bond	0%	Avira URL Cloud	safe
http://www.228080a0.buzz	0%	Avira URL Cloud	safe
http://www.onitoring-devices-34077.bond	0%	Avira URL Cloud	safe
http://www.hesweettray.store/a01d/www.228080a0.buzz	0%	Avira URL Cloud	safe
http://www.ommbank.videoReferer:	0%	Avira URL Cloud	safe
http://www.228080a0.buzzReferer:	0%	Avira URL Cloud	safe
http://www.irlypods.shopReferer:	0%	Avira URL Cloud	safe
http://www.ustonehuman.infoReferer:	0%	Avira URL Cloud	safe
http://www.hbvc.xyzReferer:	0%	Avira URL Cloud	safe
http://www.ejigghq.company/a01d/	0%	Avira URL Cloud	safe
http://www.chtm.infoReferer:	0%	Avira URL Cloud	safe
http://www.hesweettray.storeReferer:	0%	Avira URL Cloud	safe
http://www.d8ns7gu.skin/a01d/	0%	Avira URL Cloud	safe
http://www.uxemasculine.store	0%	Avira URL Cloud	safe
http://www.hesweettray.store/a01d/	0%	Avira URL Cloud	safe
http://www.ustonehuman.info/a01d/www.limbtrip.net	0%	Avira URL Cloud	safe
http://www.uxemasculine.store/a01d/	0%	Avira URL Cloud	safe
http://www.chtm.info/a01d/	0%	Avira URL Cloud	safe
http://www.d8ns7gu.skin	0%	Avira URL Cloud	safe
www.ustonehuman.info/a01d/	0%	Avira URL Cloud	safe
http://www.hesweettray.store	0%	Avira URL Cloud	safe
http://www.limbtrip.net/a01d/www.ejigghq.company	0%	Avira URL Cloud	safe
http://www.ejigghq.company/a01d/www.d8ns7gu.skin	0%	Avira URL Cloud	safe
http://www.uxemasculine.storeReferer:	0%	Avira URL Cloud	safe
http://www.ruaim.onlineReferer:	0%	Avira URL Cloud	safe
http://www.nlinecraps.xyz/a01d/	0%	Avira URL Cloud	safe
http://www.irlypods.shop/a01d/	0%	Avira URL Cloud	safe
http://www.ejigghq.company	0%	Avira URL Cloud	safe
http://www.nline-advertising-58573.bond	0%	Avira URL Cloud	safe
http://www.ejigghq.companyReferer:	0%	Avira URL Cloud	safe
http://www.limbtrip.netReferer:	0%	Avira URL Cloud	safe
http://www.hbvc.xyz/a01d/www.usinessoverpleasure.shop	100%	Avira URL Cloud	phishing
http://www.uxemasculine.store/a01d/www.nlinecraps.xyz	0%	Avira URL Cloud	safe
http://www.onitoring-devices-34077.bondReferer:	0%	Avira URL Cloud	safe
http://www.nline-advertising-58573.bond/a01d/www.hbvc.xyz	0%	Avira URL Cloud	safe
http://www.hbvc.xyz	100%	Avira URL Cloud	phishing
http://www.nline-advertising-58573.bondReferer:	0%	Avira URL Cloud	safe
http://www.nlinecraps.xyz/a01d/www.ustonehuman.info	0%	Avira URL Cloud	safe
http://www.irlypods.shop/a01d/www.chtm.info	0%	Avira URL Cloud	safe
http://www.ommbank.video/a01d/	0%	Avira URL Cloud	safe
http://www.ruaim.online/a01d/www.onitoring-devices-34077.bond	0%	Avira URL Cloud	safe
http://www.usinessoverpleasure.shopReferer:	0%	Avira URL Cloud	safe
http://www.ruaim.online	0%	Avira URL Cloud	safe
http://www.limbtrip.net/a01d/	0%	Avira URL Cloud	safe
http://www.usinessoverpleasure.shop/a01d/	0%	Avira URL Cloud	safe
http://www.usinessoverpleasure.shop	0%	Avira URL Cloud	safe
http://www.onitoring-devices-34077.bond/a01d/	0%	Avira URL Cloud	safe
http://www.chtm.info	0%	Avira URL Cloud	safe
http://www.d8ns7gu.skinReferer:	0%	Avira URL Cloud	safe
http://www.chtm.info/a01d/www.hesweettray.store	0%	Avira URL Cloud	safe
http://www.ustonehuman.info/a01d/	0%	Avira URL Cloud	safe
http://www.irlypods.shop	0%	Avira URL Cloud	safe
http://www.ommbank.video	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.uxemasculine.store	unknown	unknown	true	unknown
www.onitoring-devices-34077.bond	unknown	unknown	true	unknown
www.ustonehuman.info	unknown	unknown	true	unknown
www.228080a0.buzz	unknown	unknown	true	unknown
www.ruaim.online	unknown	unknown	true	unknown
www.nlinecraps.xyz	unknown	unknown	true	unknown
www.ommbank.video	unknown	unknown	true	unknown
www.hesweettray.store	unknown	unknown	true	unknown
www.irlypods.shop	unknown	unknown	true	unknown
www.chtm.info	unknown	unknown	true	unknown
www.ejigghq.company	unknown	unknown	true	unknown
www.limbtrip.net	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.ustonehuman.info/a01d/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.228080a0.buzz/a01d/www.uxemasculine.store	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ommbank.video/a01d/www.ruaim.online	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.onitoring-devices-34077.bond/a01d/www.irlypods.shop	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/DataSet1.xsd	New purchase order.exe, DjsaCPLWOz.exe.0.dr	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000002.4564685923.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nlinecraps.xyz	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comM	explorer.exe, 0000000A.00000000.2136477465.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4567724151.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2980918529.000000000C086000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ruaim.online/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nline-advertising-58573.bond/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.d8ns7gu.skin/a01d/www.nline-advertising-58573.bond	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hbvc.xyz/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.ustonehuman.info	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/e	explorer.exe, 0000000A.00000003.2979316978.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565119704.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2132453518.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076449895.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	New purchase order.exe, 00000000.00000002.2133550897.0000000003186000.00000004.00000800.00020000.00000000.sdmp, DjsaCPLWOz.exe, 0000000C.00000002.2164910003.00000000028E9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.limbtrip.net	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.228080a0.buzz	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hesweettray.store/a01d/www.228080a0.buzz	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.onitoring-devices-34077.bond	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000000A.00000002.4562814874.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.irlypods.shopReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ustonehuman.infoReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ommbank.videoReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ejigghq.company/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chtm.infoReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hbvc.xyzReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.228080a0.buzzReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.d8ns7gu.skin/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hesweettray.store/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hesweettray.storeReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uxemasculine.store	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uxemasculine.store/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000000.2136477465.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.come	explorer.exe, 0000000A.00000000.2136477465.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4567724151.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2980918529.000000000C086000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.chtm.info/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 0000000A.00000003.2979316978.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2132453518.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3076449895.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ustonehuman.info/a01d/www.limbtrip.net	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.d8ns7gu.skin	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ejigghq.company/a01d/www.d8ns7gu.skin	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hesweettray.store	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000002.4564685923.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.limbtrip.net/a01d/www.ejigghq.company	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/I	explorer.exe, 0000000A.00000002.4564685923.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.uxemasculine.storeReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ruaim.onlineReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nlinecraps.xyz/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nline-advertising-58573.bond	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ejigghq.company	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 0000000A.00000002.4563775247.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2115248877.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2122412017.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.irlypods.shop/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ejigghq.companyReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hbvc.xyz/a01d/www.usinessoverpleasure.shop	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.limbtrip.netReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nline-advertising-58573.bond/a01d/www.hbvc.xyz	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uxemasculine.store/a01d/www.nlinecraps.xyz	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.onitoring-devices-34077.bondReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hbvc.xyz	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4562814874.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nline-advertising-58573.bondReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.usinessoverpleasure.shopReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.irlypods.shop/a01d/www.chtm.info	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.com-	explorer.exe, 0000000A.00000000.2136477465.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4567724151.000000000C087000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2980918529.000000000C086000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ruaim.online/a01d/www.onitoring-devices-34077.bond	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 0000000A.00000002.4562814874.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.nlinecraps.xyz/a01d/www.ustonehuman.info	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ommbank.video/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ruaim.online	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comEMd	explorer.exe, 0000000A.00000002.4567536413.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2136477465.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.limbtrip.net/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.usinessoverpleasure.shop/a01d/	explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.onitoring-devices-34077.bond/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.usinessoverpleasure.shop	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.d8ns7gu.skinReferer:	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ommbank.video	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chtm.info	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/	explorer.exe, 0000000A.00000002.4564685923.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2128744833.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.irlypods.shop	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ustonehuman.info/a01d/	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.chtm.info/a01d/www.hesweettray.store	explorer.exe, 0000000A.00000003.2979612580.000000000C4DB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4568898596.000000000C474000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3075027160.000000000C4D6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei	explorer.exe, 0000000A.00000003.3076602811.0000000007414000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4563219020.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2120424345.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590626
Start date and time:	2025-01-14 11:42:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	New purchase order.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@418/15@12/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 149 Number of non-executed functions: 319
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.245.163.56, 2.22.50.144, 2.22.50.131, 2.23.77.188, 13.95.31.18, 199.232.210.172, 20.242.39.171, 52.165.164.15, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, e3913.cd.akamaiedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:42:52	API Interceptor	1x Sleep call for process: New purchase order.exe modified
05:42:53	API Interceptor	24x Sleep call for process: powershell.exe modified
05:42:56	API Interceptor	1x Sleep call for process: DjsaCPLWOz.exe modified
05:43:00	API Interceptor	10108024x Sleep call for process: explorer.exe modified
05:43:38	API Interceptor	8824501x Sleep call for process: cscript.exe modified
11:42:54	Task Scheduler	Run new task: DjsaCPLWOz path: C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	ProductBOMpq_v4.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.45
	ProductBOMpq_v4.xlsm	Get hash	malicious	Unknown	Browse	13.107.246.45
	RFQ____PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	Signature Required_ Retail Technology Asia Employee Benefit for eddie.chan@rtasia.com.hk.eml	Get hash	malicious	Unknown	Browse	13.107.246.45
	RFQ____PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://Rtasia-sharepoint.zonivarnoth.ru/ITb4aThU/#Deddie.chan@rtasia.com.hk	Get hash	malicious	Unknown	Browse	13.107.246.45
	RFQ____PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	RFQ____PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	yTRd6nkLWV.exe	Get hash	malicious	LummaC	Browse	13.107.246.45
	009.vbe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
bg.microsoft.map.fastly.net	35491083472324549.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	28236151432955330765.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	ProductBOMpq_v4.xlsm	Get hash	malicious	Unknown	Browse	199.232.214.172
	17201670993971103.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	Scanned-IMGS_from NomanGroup IDT.scr.exe	Get hash	malicious	FormBook	Browse	199.232.210.172
	12.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	UoEDaAjHGW.exe	Get hash	malicious	PureLog Stealer, Quasar	Browse	199.232.210.172
	PRODUKTY.EXE.exe	Get hash	malicious	AsyncRAT, PureLog Stealer	Browse	199.232.210.172
	2330118683179179335.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	199.232.210.172

Process:	C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New purchase order.exe.log

Download File

Process:	C:\Users\user\Desktop\New purchase order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379401388151058
Encrypted:	false
SSDEEP:	48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:fLHxvIIwLgZ2KRHWLOug8s
MD5:	AF15464AFD6EB7D301162A1DC8E01662
SHA1:	A974B8FEC71BF837B8E72FE43AB43E447FC43A86
SHA-256:	103A67F6744C098E5121D2D732753DFA4B54FA0EFD918FEC3941A3C052F5E211
SHA-512:	7B5B7B7F6EAE4544BAF61F9C02BF0138950E5D7D1B0457DE2FAB2C4C484220BDD1AB42D6884838E798AD46CE1B5B5426CEB825A1690B1190857D3B643ABFAB37
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_104cqqod.bbb.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f25ezsac.a1h.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqjglvcv.s2y.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kgzddzji.e0v.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbvinzpe.yvb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rinueunc.stt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_um0iwhe5.ydb.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyv3cszo.ldy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp96C3.tmp

Download File

Process:	C:\Users\user\Desktop\New purchase order.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	5.100903750522086
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL8Gxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTYKv
MD5:	21C5DEA2FB4CD6A119DC1DA0435ACC08
SHA1:	AEA5CDB31EC21B0C6A77A94B438ACAAE5B617C38
SHA-256:	1CE30FEB191262A687C3134EEDFB5354A56CF3108090DEBE6555C1A435A2F27A
SHA-512:	5E8E48847D37965FD6B70E6DCEC10CE9A98F21EEEEE120F4AA40004CF736566BC7B1EE1C007F388D95B4CD192BE70D06955C39144296FE5E9A56F903EF66F6AF
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Local\Temp\tmpA46F.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1597
Entropy (8bit):	5.100903750522086
Encrypted:	false
SSDEEP:	24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL8Gxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTYKv
MD5:	21C5DEA2FB4CD6A119DC1DA0435ACC08
SHA1:	AEA5CDB31EC21B0C6A77A94B438ACAAE5B617C38
SHA-256:	1CE30FEB191262A687C3134EEDFB5354A56CF3108090DEBE6555C1A435A2F27A
SHA-512:	5E8E48847D37965FD6B70E6DCEC10CE9A98F21EEEEE120F4AA40004CF736566BC7B1EE1C007F388D95B4CD192BE70D06955C39144296FE5E9A56F903EF66F6AF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe

Download File

Process:	C:\Users\user\Desktop\New purchase order.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	665600
Entropy (8bit):	7.697006384978434
Encrypted:	false
SSDEEP:	12288:kYRxA4Y5lyA/BxSPC3NMl2v/wXb5DDH6dcW6f8HtdJqT6B2zJxWVqHU:bRB2XM5UN60STUAJE
MD5:	1B507DF9A13477B647DA450A1B79B2E7
SHA1:	B0DE85855B3462FE0B37C79831B391EEB044E437
SHA-256:	A3AF3DCFD89B655982B6E044B681B140DCEFBE0606D69B0B7839B8CDA28CCC91
SHA-512:	37DCC8DD92A84009F81EBF394001DE49BCF75818227BDBE135578F8F1DC57F4119C4CB6EFD91EC70FE12202854CA472EC7435D3C0F713BF770F09967D61FE6A7
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c................0..............=... ...@....@.. ....................................@.................................4=..O....@.......................`......d%..p............................................ ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B................h=......H.......hK..\=......9...................................................0..L.........}.....(.......(......(............s......(.....o......( ....o!.....(".....0..K.........}........(#........($.....,5...(............s......(.....o......(.....o!....8.....r...p.J...(%...o&...tJ.......('..........9.....s.........s(...s)...o.......o+...(,.......o-...(........o/...(0.......o1...(2.......o3...(4.......o5...(6.........(7.....(......+....s(...s)...(*........(8...........s......(..

C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\New purchase order.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.697006384978434
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	New purchase order.exe
File size:	665'600 bytes
MD5:	1b507df9a13477b647da450a1b79b2e7
SHA1:	b0de85855b3462fe0b37c79831b391eeb044e437
SHA256:	a3af3dcfd89b655982b6e044b681b140dcefbe0606d69b0b7839b8cda28ccc91
SHA512:	37dcc8dd92a84009f81ebf394001de49bcf75818227bdbe135578f8f1dc57f4119c4cb6efd91ec70fe12202854ca472ec7435d3c0f713bf770f09967d61fe6a7
SSDEEP:	12288:kYRxA4Y5lyA/BxSPC3NMl2v/wXb5DDH6dcW6f8HtdJqT6B2zJxWVqHU:bRB2XM5UN60STUAJE
TLSH:	F5E40255261AD803C4921B700872D3F946799D99AA12C317CFEE3FFFBD367562A403A2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c................0..............=... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a3d86
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xED1B63D8 [Sat Jan 21 14:40:24 2096 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa3d34	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa2564	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa1d9c	0xa1e00	5484a60a53c776b7d4076ac395786451	False	0.9101064792471042	data	7.70487272734604	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x5e0	0x600	295d103648ee9093fb72ebaf35e5cf96	False	0.4309895833333333	data	4.157689678764174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	39190973817c2af081a26ee474bdc851	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa4090	0x350	data			0.4257075471698113
RT_MANIFEST	0xa43f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:42:48.686280012 CET	49673	443	192.168.2.6	173.222.162.64
Jan 14, 2025 11:42:48.686408043 CET	49674	443	192.168.2.6	173.222.162.64
Jan 14, 2025 11:42:49.014467001 CET	49672	443	192.168.2.6	173.222.162.64
Jan 14, 2025 11:42:58.295586109 CET	49674	443	192.168.2.6	173.222.162.64
Jan 14, 2025 11:42:58.295587063 CET	49673	443	192.168.2.6	173.222.162.64
Jan 14, 2025 11:42:58.679641962 CET	49672	443	192.168.2.6	173.222.162.64
Jan 14, 2025 11:43:00.252603054 CET	443	49698	173.222.162.64	192.168.2.6
Jan 14, 2025 11:43:00.252738953 CET	49698	443	192.168.2.6	173.222.162.64

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 11:43:30.687491894 CET	57989	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:43:30.702136993 CET	53	57989	1.1.1.1	192.168.2.6
Jan 14, 2025 11:43:52.468172073 CET	55187	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:43:52.479485035 CET	53	55187	1.1.1.1	192.168.2.6
Jan 14, 2025 11:44:11.686760902 CET	56111	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:44:11.702593088 CET	53	56111	1.1.1.1	192.168.2.6
Jan 14, 2025 11:44:31.733732939 CET	62040	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:44:31.742515087 CET	53	62040	1.1.1.1	192.168.2.6
Jan 14, 2025 11:44:52.124460936 CET	54802	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:44:52.133249998 CET	53	54802	1.1.1.1	192.168.2.6
Jan 14, 2025 11:45:12.537143946 CET	50539	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:45:12.550299883 CET	53	50539	1.1.1.1	192.168.2.6
Jan 14, 2025 11:45:32.976911068 CET	58919	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:45:32.986035109 CET	53	58919	1.1.1.1	192.168.2.6
Jan 14, 2025 11:45:53.577265024 CET	53961	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:45:53.586429119 CET	53	53961	1.1.1.1	192.168.2.6
Jan 14, 2025 11:46:13.921433926 CET	63141	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:46:14.072789907 CET	53	63141	1.1.1.1	192.168.2.6
Jan 14, 2025 11:46:34.296287060 CET	52924	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:46:34.305629969 CET	53	52924	1.1.1.1	192.168.2.6
Jan 14, 2025 11:46:54.656585932 CET	64409	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:46:54.666099072 CET	53	64409	1.1.1.1	192.168.2.6
Jan 14, 2025 11:47:15.499228954 CET	57941	53	192.168.2.6	1.1.1.1
Jan 14, 2025 11:47:15.514313936 CET	53	57941	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 11:43:30.687491894 CET	192.168.2.6	1.1.1.1	0x6c0d	Standard query (0)	www.ommbank.video	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:43:52.468172073 CET	192.168.2.6	1.1.1.1	0x7b68	Standard query (0)	www.ruaim.online	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:44:11.686760902 CET	192.168.2.6	1.1.1.1	0x45a3	Standard query (0)	www.onitoring-devices-34077.bond	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:44:31.733732939 CET	192.168.2.6	1.1.1.1	0x105d	Standard query (0)	www.irlypods.shop	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:44:52.124460936 CET	192.168.2.6	1.1.1.1	0x781b	Standard query (0)	www.chtm.info	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:45:12.537143946 CET	192.168.2.6	1.1.1.1	0xcc0c	Standard query (0)	www.hesweettray.store	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:45:32.976911068 CET	192.168.2.6	1.1.1.1	0xb8d0	Standard query (0)	www.228080a0.buzz	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:45:53.577265024 CET	192.168.2.6	1.1.1.1	0x22a	Standard query (0)	www.uxemasculine.store	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:46:13.921433926 CET	192.168.2.6	1.1.1.1	0xb9de	Standard query (0)	www.nlinecraps.xyz	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:46:34.296287060 CET	192.168.2.6	1.1.1.1	0xe0e1	Standard query (0)	www.ustonehuman.info	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:46:54.656585932 CET	192.168.2.6	1.1.1.1	0xc1cf	Standard query (0)	www.limbtrip.net	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:47:15.499228954 CET	192.168.2.6	1.1.1.1	0x65a8	Standard query (0)	www.ejigghq.company	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 11:43:02.025127888 CET	1.1.1.1	192.168.2.6	0xed1	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 11:43:02.025127888 CET	1.1.1.1	192.168.2.6	0xed1	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:43:11.985702991 CET	1.1.1.1	192.168.2.6	0x595e	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:43:11.985702991 CET	1.1.1.1	192.168.2.6	0x595e	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:43:30.702136993 CET	1.1.1.1	192.168.2.6	0x6c0d	Name error (3)	www.ommbank.video	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:43:52.479485035 CET	1.1.1.1	192.168.2.6	0x7b68	Name error (3)	www.ruaim.online	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:44:11.702593088 CET	1.1.1.1	192.168.2.6	0x45a3	Name error (3)	www.onitoring-devices-34077.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:44:31.742515087 CET	1.1.1.1	192.168.2.6	0x105d	Name error (3)	www.irlypods.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:44:52.133249998 CET	1.1.1.1	192.168.2.6	0x781b	Name error (3)	www.chtm.info	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:45:12.550299883 CET	1.1.1.1	192.168.2.6	0xcc0c	Name error (3)	www.hesweettray.store	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:45:32.986035109 CET	1.1.1.1	192.168.2.6	0xb8d0	Name error (3)	www.228080a0.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:45:53.586429119 CET	1.1.1.1	192.168.2.6	0x22a	Name error (3)	www.uxemasculine.store	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:46:14.072789907 CET	1.1.1.1	192.168.2.6	0xb9de	Name error (3)	www.nlinecraps.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:46:34.305629969 CET	1.1.1.1	192.168.2.6	0xe0e1	Name error (3)	www.ustonehuman.info	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:46:54.666099072 CET	1.1.1.1	192.168.2.6	0xc1cf	Name error (3)	www.limbtrip.net	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 11:47:15.514313936 CET	1.1.1.1	192.168.2.6	0x65a8	Name error (3)	www.ejigghq.company	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:42:51
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\New purchase order.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New purchase order.exe"
Imagebase:	0xda0000
File size:	665'600 bytes
MD5 hash:	1B507DF9A13477B647DA450A1B79B2E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2134617071.0000000004179000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2136893760.0000000005C10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2133550897.0000000003284000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2134617071.00000000043B3000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2134617071.0000000004197000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:42:52
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\New purchase order.exe"
Imagebase:	0x790000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:42:52
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:42:52
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe"
Imagebase:	0x790000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:42:52
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	05:42:53
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmp96C3.tmp"
Imagebase:	0xa10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:42:53
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	05:42:53
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xb80000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	05:42:53
Start date:	14/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000A.00000002.4569837606.0000000010DCB000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	05:42:54
Start date:	14/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff717f30000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	05:42:54
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\DjsaCPLWOz.exe
Imagebase:	0x3c0000
File size:	665'600 bytes
MD5 hash:	1B507DF9A13477B647DA450A1B79B2E7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2206993982.0000000003B14000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	05:42:56
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DjsaCPLWOz" /XML "C:\Users\user\AppData\Local\Temp\tmpA46F.tmp"
Imagebase:	0xa10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	05:42:56
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	05:42:57
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xc90000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	05:42:57
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\cscript.exe"
Imagebase:	0x490000
File size:	144'896 bytes
MD5 hash:	CB601B41D4C8074BE8A84AED564A94DC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4559329863.0000000003150000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4559442787.0000000003180000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	05:42:58
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\chkdsk.exe"
Imagebase:	0xc50000
File size:	23'040 bytes
MD5 hash:	B4016BEE9D8F3AD3D02DD21C3CAFB922
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.2189898844.0000000000140000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	05:43:01
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	05:43:01
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	99.1%
Signature Coverage:	2.2%
Total number of Nodes:	318
Total number of Limit Nodes:	19

Executed Functions

Function 07CF4668 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138018942.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a343743799d4f50a5d5b532059c1d88e67ad516ec2283a12b2897afb233a5b
Instruction ID: f38bb63c62bb245dee26174030fae919e16c29a84101941c22e2930e85297260
Opcode Fuzzy Hash: e7a343743799d4f50a5d5b532059c1d88e67ad516ec2283a12b2897afb233a5b
Instruction Fuzzy Hash: 8A71F8F19016958FDB18DF69D880AAEBBF6EF86300F558069D104E72A1DB70AF45CB50

Function 01704204 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133042656.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a304b439a6c7f042ce872027102535f0a00d132db6045e99aaf59a23b28d5a
Instruction ID: f7029669205564d218eef3238ee9417efc73a66e887d052c27ef022a4282fffe
Opcode Fuzzy Hash: 19a304b439a6c7f042ce872027102535f0a00d132db6045e99aaf59a23b28d5a
Instruction Fuzzy Hash: E7818074E00209DFDB55DFAAD984A9DBBF2FF88300F20912AE519A7365DB346945CF40

Function 01707018 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133042656.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a773d539bc31cc939efdbd3719c0928e2d8542d67bbf079a1df9482bffaa2951
Instruction ID: fa0b51e55c0ad87b37456a940cbd1be3c01135551a2a89cabbc7019c85602494
Opcode Fuzzy Hash: a773d539bc31cc939efdbd3719c0928e2d8542d67bbf079a1df9482bffaa2951
Instruction Fuzzy Hash: B4819E74E00209DFDB15DFA9D980A9DBBF2FF88300F20912AE819A7365DB346945CF40

Function 07CF1070 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138018942.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb85ee341c23fd38c7f6550235bfde826014e6ec6b7c0ec5b69dab4813dbe159
Instruction ID: e3352125cbe61100547127151e8064727ee3e12738419c3dcee396e68826902b
Opcode Fuzzy Hash: bb85ee341c23fd38c7f6550235bfde826014e6ec6b7c0ec5b69dab4813dbe159
Instruction Fuzzy Hash: 244127B4D2924CCBDB44CFAAD5847EDBBFABB4A300F18E026D10AA7255DB345946CF10

Function 07CF3D44 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138018942.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed25285801e73a5aba118c7f3acf6dae65ad18a5792d59bf4432efdafd37349
Instruction ID: cda0fa3bd453ceef0a184a61b91d42d81d175c7d18d48b69b02438b56047a2b9
Opcode Fuzzy Hash: 3ed25285801e73a5aba118c7f3acf6dae65ad18a5792d59bf4432efdafd37349
Instruction Fuzzy Hash: 23C092A6EEE088D28AC82C8674401FAE33D928B4A2F453062C71EA31025110C7AE9149

Function 07CF04F4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CF0736

Memory Dump Source

Source File: 00000000.00000002.2138018942.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_New purchase order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 24e8828035e89e00b0643ef2c5d94cf4f63f3a9c40a073e18935a2cdb784711c
Instruction ID: e04002e880c2aeb6accacb6ed17cf3c62f99a6f89b2c467042d13e9fc98a3809
Opcode Fuzzy Hash: 24e8828035e89e00b0643ef2c5d94cf4f63f3a9c40a073e18935a2cdb784711c
Instruction Fuzzy Hash: EAA14EB1D0061ADFDF54CF68C8817EDBBB2BF48710F1485AAE908A7241DB749A85CF91

Function 07CF0500 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07CF0736

Memory Dump Source

Source File: 00000000.00000002.2138018942.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_New purchase order.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6cdb2ca3c06c589937cc8f05e88f71c93ca295b9fc0a15ed3f5917790dd22b14
Instruction ID: 11838969a5bd9446691ca95fca4a5e28a7bac09ba07913c05c7e0372cf08c68a
Opcode Fuzzy Hash: 6cdb2ca3c06c589937cc8f05e88f71c93ca295b9fc0a15ed3f5917790dd22b14
Instruction Fuzzy Hash: 2E914DB1D0061ADFDF54CF68C8817EDBBB2BF48710F1485AAE908A7241DB749A85CF91

Function 0170B3C1 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0170B626

Memory Dump Source

Source File: 00000000.00000002.2133042656.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_New purchase order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cf14aac849b4886a9df3c794cc58d4a9dfec4965e294068a099533403db85738
Instruction ID: 6ef30fc37b2f50c526c46c5584e2921f2e07b2f2d6c194ebf2011d15973394a1
Opcode Fuzzy Hash: cf14aac849b4886a9df3c794cc58d4a9dfec4965e294068a099533403db85738
Instruction Fuzzy Hash: 83814474A00B05CFE725DF29D54479ABBF1FF88204F00892EE58AD7A91DB74EA05CB91

Function 0170590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017059C9

Memory Dump Source

Source File: 00000000.00000002.2133042656.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_New purchase order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d7f7c41eda50fa40f8baa1ee7d4b96b3aa2d0e465608bbdb43409deac4998747
Instruction ID: 6a60dee2eb7d7d518d5eb11c098bc30a5df8f960a892a40bf5abdc19d487c234
Opcode Fuzzy Hash: d7f7c41eda50fa40f8baa1ee7d4b96b3aa2d0e465608bbdb43409deac4998747
Instruction Fuzzy Hash: 0C41EFB0C00719CBDB25CFA9C985B9DFBF5BF49704F20806AD408AB251DB756945CF50

Function 017044F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 017059C9

Memory Dump Source

Source File: 00000000.00000002.2133042656.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_New purchase order.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: eff646def067a7d00f48f24d7eeb28ed50efe4999a089b1e5316695508ee0335
Instruction ID: 78086e3e3182d760e2e7494e76205e9b2b84490e444f3296b11960c68889e7c8
Opcode Fuzzy Hash: eff646def067a7d00f48f24d7eeb28ed50efe4999a089b1e5316695508ee0335
Instruction Fuzzy Hash: 2241CDB0C00719CBDB25CFA9C985B9EBBF5BF89704F20816AD408AB251DBB56945CF90

Function 057BD410 Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,057BD3FD,?,?), ref: 057BD4AF

Memory Dump Source

Source File: 00000000.00000002.2136358504.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_New purchase order.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: bc24affdbe70d080ca9e256c84aa837c36c51b966dac95c2d27f4d4a59e82142
Instruction ID: 334e496208075a533e1ef6e14a328e8d95997243cf542f40c4eeecbcc3ebc7dd
Opcode Fuzzy Hash: bc24affdbe70d080ca9e256c84aa837c36c51b966dac95c2d27f4d4a59e82142
Instruction Fuzzy Hash: B331E0B59002099FDB10CF99D884BEEBBF5BF58320F14842AE919A7210D3B5A544CFA1

Function 057BC04C Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,057BD3FD,?,?), ref: 057BD4AF

Memory Dump Source

Source File: 00000000.00000002.2136358504.00000000057B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_57b0000_New purchase order.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: b44d45efb24ba83a25173bf7e4b186f37ca99c60f1dbbcfecfb41e0b54297123
Instruction ID: dd90ec822485795f1d87ae2e85ee5dcdcdc9206f46b490179d234992ae2674c4
Opcode Fuzzy Hash: b44d45efb24ba83a25173bf7e4b186f37ca99c60f1dbbcfecfb41e0b54297123
Instruction Fuzzy Hash: 3F31E4B59002099FDB10CF9AD8847DEBBF5FB48310F14842AE919A7310D7B4A944CFA1

Function 05D7FAA2 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05D7FB38

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8fcd7c84e8a086ed673b3a78f276367c73cd33807e6d7e2df04d7eac2dee4a5a
Instruction ID: 0b2d5a6d99a4a94c20a957265afffcd59aa567ae98cf2ac9d27e524e3e5c20fa
Opcode Fuzzy Hash: 8fcd7c84e8a086ed673b3a78f276367c73cd33807e6d7e2df04d7eac2dee4a5a
Instruction Fuzzy Hash: F621267590034ADFDB10CFA9C981BEEBBF5FF48310F10842AE919A7240D7789955CBA5

Function 05D7FAA8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05D7FB38

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 54d6679cc5fd282ef5f3a1896f606d370485a99934c6a9db510cea59c5b581df
Instruction ID: 38b607e58bad6797b75b9e1241207962691db2ea7dccf3d32994d87998c08bf2
Opcode Fuzzy Hash: 54d6679cc5fd282ef5f3a1896f606d370485a99934c6a9db510cea59c5b581df
Instruction Fuzzy Hash: D621F47590034ADFDB10CFAAC985BEEBBF5FF48310F10842AE919A7240D7789954CBA5

Function 05D7F4D1 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05D7F556

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 52375905ae14b4f16c8d6c170891bc37dcd85d8ffc990dc30e857527990b4444
Instruction ID: fec271af10e7641cbf48bf05d361c9fca524c253be2c9a351306b5aa10b39c54
Opcode Fuzzy Hash: 52375905ae14b4f16c8d6c170891bc37dcd85d8ffc990dc30e857527990b4444
Instruction Fuzzy Hash: E1213A7190030A9FDB10DFAAC8857EEBBF4FF48324F54842AD519A7240DB78A945CFA5

Function 0170B3B0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0170D586,?,?,?,?,?), ref: 0170DA4F

Memory Dump Source

Source File: 00000000.00000002.2133042656.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_New purchase order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2565d561ed618feda4ae51781edd210d5a353443fe53c758eefd519e0062cee4
Instruction ID: fc6ee29ec15770bc2f277a322bd9c074ef280bc3ddbe3fd6db7e600d6baf1b33
Opcode Fuzzy Hash: 2565d561ed618feda4ae51781edd210d5a353443fe53c758eefd519e0062cee4
Instruction Fuzzy Hash: CA21D4B5904309EFDB10CF9AD984AEEFBF5EB48310F14841AE918A3350D374A950CFA0

Function 05D7FB92 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D7FC18

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 2f06725fbe62adc4ec8e548bb87e39d7defd4720f0c3e870cd70c94ff8b1e90d
Instruction ID: 83ff5c400e64ced4108354fccc2b093aaeca6f6f53a77aaa204eb040224c8a17
Opcode Fuzzy Hash: 2f06725fbe62adc4ec8e548bb87e39d7defd4720f0c3e870cd70c94ff8b1e90d
Instruction Fuzzy Hash: 42212AB190035A9FDB10CFAAC881BDEFBF5FF48310F14842AE919A7240D7789554CBA5

Function 05D7F4D8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05D7F556

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9210c58c88bbec78e3d0620c9b8c6544d5d56ae9b386a6a2a1895d9521076951
Instruction ID: 1cb05c096f2b23318df10102de148810489666851482d3ff4f2c0fa2ec8173fb
Opcode Fuzzy Hash: 9210c58c88bbec78e3d0620c9b8c6544d5d56ae9b386a6a2a1895d9521076951
Instruction Fuzzy Hash: 7221387190030A8FDB10DFAAC4857AEBBF4FF88324F14842AD519A7240DB789944CFA5

Function 05D7FB98 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05D7FC18

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: b7d0e1db482491db65f79136fef711d482d9b94f9215790ce46eee01650f7536
Instruction ID: ad51dcfd8c57f3a222735a44d7c8d06edfe90af8a7d65139b62097c134eb326e
Opcode Fuzzy Hash: b7d0e1db482491db65f79136fef711d482d9b94f9215790ce46eee01650f7536
Instruction Fuzzy Hash: E92128B190034A9FDB10CFAAC881BEEFBF5FF48310F14842AE919A7240D7789550CBA5

Function 0170D9C1 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0170D586,?,?,?,?,?), ref: 0170DA4F

Memory Dump Source

Source File: 00000000.00000002.2133042656.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_New purchase order.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 918e88c65595da15d13c4dc58a8049f681c005fa023a89c823baa63ac506db63
Instruction ID: 313ec62d99375a3120a8f519ecaca963c10048286686b659a88dab552c120a88
Opcode Fuzzy Hash: 918e88c65595da15d13c4dc58a8049f681c005fa023a89c823baa63ac506db63
Instruction Fuzzy Hash: DD21B0B5D00309DFDB11CFA9D985AEEBBF5EB48320F14841AE918A3350D378AA54CF61

Function 05D7F9E0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D7FA56

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4387424343a56c00c45e072839f9f139b998904a81973b39af851686c8e38d40
Instruction ID: 3860cefa1be604bcee11b08e9c3d8669e064405708871cdc66e13e5e55a611d9
Opcode Fuzzy Hash: 4387424343a56c00c45e072839f9f139b998904a81973b39af851686c8e38d40
Instruction Fuzzy Hash: 9B11447690024ADFDF20DFA9C845BDEBBF1AF88320F20881AE519A7250C7759550CF90

Function 05D7F9E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05D7FA56

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a9f554bbfd14edef85a1fc509740b6dffe67e5a6c0277ea70a636eebd289947b
Instruction ID: 37e9ab1fd35826f49ee8ccf548bdf8f8c3d4e2f7b9273539529bb5683aa8268a
Opcode Fuzzy Hash: a9f554bbfd14edef85a1fc509740b6dffe67e5a6c0277ea70a636eebd289947b
Instruction Fuzzy Hash: 8E11267290024ADFDB20DFAAC845BDEBBF5EF88320F14841AE519A7250C775A550CBA1

Function 05D7F420 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05D7F48A

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d1c98a8c4e8bc1c44612fed1b7c685ee23da791fef8d63e07e54f450386ceea2
Instruction ID: f6dc88b4367cea690610197e30813971f39a775c3e9c608e855e7e40ebc2fb6d
Opcode Fuzzy Hash: d1c98a8c4e8bc1c44612fed1b7c685ee23da791fef8d63e07e54f450386ceea2
Instruction Fuzzy Hash: 7A115B719003498FDB20DFAAC8457DEFBF4EF88324F148419D519A7240C779A544CB94

Function 05D7F428 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 05D7F48A

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0fbf536d7fa2db850ed6fd239010659ff1c60d32041fb448d979909db3706d2f
Instruction ID: 461d41ec77d70d024aa5b249e1a5b4073df45ddeec2b8cdf0bcf761d829736f2
Opcode Fuzzy Hash: 0fbf536d7fa2db850ed6fd239010659ff1c60d32041fb448d979909db3706d2f
Instruction Fuzzy Hash: 44113A719003498FDB20DFAAC44579EFBF5EF88724F24841AD519A7240DB75A540CB95

Function 07CF0154 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07CF49B5

Memory Dump Source

Source File: 00000000.00000002.2138018942.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_New purchase order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: cdfc3f8d3be65520dbb8cbd2f7401660bc5e2a6657e748e00e1b7bcce70f69d6
Instruction ID: 0db27b28c11bc6ea3845aec362eba675d45df9c25de5b04aa6cbb4b225073150
Opcode Fuzzy Hash: cdfc3f8d3be65520dbb8cbd2f7401660bc5e2a6657e748e00e1b7bcce70f69d6
Instruction Fuzzy Hash: 751106B5900349DFDB50CF9AC585BDFBBF8EB48324F108459E618A7210D3B5AA54CFA1

Function 07CF4950 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 07CF49B5

Memory Dump Source

Source File: 00000000.00000002.2138018942.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_New purchase order.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: af341e2af44877ae47066acfe87d715476436e0b60dd1b0acf57a677adc11436
Instruction ID: d8d51c4dc0479ef85363b275a13e1dd7c2cc8a0e8a1d35cb6ecb7df906a91a12
Opcode Fuzzy Hash: af341e2af44877ae47066acfe87d715476436e0b60dd1b0acf57a677adc11436
Instruction Fuzzy Hash: 981103B5900349DFDB10CF99D985BDEBBF8EB48320F10881AD558A7610D375A654CFA1

Function 0170B5C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0170B626

Memory Dump Source

Source File: 00000000.00000002.2133042656.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_New purchase order.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: d87f4ba7b287a5b282dd5a09080be62113cfef7e7f846e6bdf39c434b0dbaac0
Instruction ID: 73735977c2312ed99371512f2877a89fbd7ecb9eb18bf3bab019490e928cde72
Opcode Fuzzy Hash: d87f4ba7b287a5b282dd5a09080be62113cfef7e7f846e6bdf39c434b0dbaac0
Instruction Fuzzy Hash: 5811C0B5C00749CFDB10CF9AD844A9EFBF4AF88724F10841AD519A7250D375A545CFA5

Function 0141D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131199265.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e06ecada3bf8c4b5f13dabec2ae5917df6d98acde6910cfd7bfdb5da1404a8a
Instruction ID: ea0bc079dc912464b823ed568d52aaee4e943eea3a5a7c35cd33fa654986a6c4
Opcode Fuzzy Hash: 9e06ecada3bf8c4b5f13dabec2ae5917df6d98acde6910cfd7bfdb5da1404a8a
Instruction Fuzzy Hash: 5C2125B2904240EFDB15DF58D9C4B27BF65FB88318F20C56EE9090B26AC336D456CAA1

Function 0141D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131199265.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f09ec5ce6e707b03f08c9392008b1d03d7ceaef9a7ebe139777edd5cd1cb9f7
Instruction ID: a7417734384a3ec1aa4f8e8f9b1e549c7053430a0bca5a3825c69521b36f7d6a
Opcode Fuzzy Hash: 5f09ec5ce6e707b03f08c9392008b1d03d7ceaef9a7ebe139777edd5cd1cb9f7
Instruction Fuzzy Hash: D62136B2940204DFDB05DF44D9C4B67BF65FB88324F20C17EE90A0B26AC336E456CAA1

Function 0162D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132410908.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86b3823a04f0d4c4d9de517bc3c6d9e9ebcdcd7013fdb6753843172af3c72ad
Instruction ID: 2795e2fee754478f520726cf58ef295f3432c76b8fd727eb31394dab8251f5b3
Opcode Fuzzy Hash: d86b3823a04f0d4c4d9de517bc3c6d9e9ebcdcd7013fdb6753843172af3c72ad
Instruction Fuzzy Hash: 61213471504600EFDB05DF94D9C0B26BBA5FB85324F20C56DEA0A4B352C776D406CE61

Function 0162D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132410908.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1242d22caaa67994403e2adbf2f0f3cd567b415c320f8191c2747b017f3fbb
Instruction ID: 3b40e0f2f59ca19b5da8532de036871f8ea11933c3ad48f0381f04785b022533
Opcode Fuzzy Hash: ee1242d22caaa67994403e2adbf2f0f3cd567b415c320f8191c2747b017f3fbb
Instruction Fuzzy Hash: BA212275604640EFDB15DF54D9C0B26BB61FB84314F20C56DD90A0B3A2C77AD447CE61

Function 0162D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132410908.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febb27e000bf5d9e94dee07e6b4ffd37fd8657e1843936f961e01ba7a31c139d
Instruction ID: 5bd2ca6f56363c3f8e9b9aabc59f9f26a9aa7295df30a44bab75a25f07b54b31
Opcode Fuzzy Hash: febb27e000bf5d9e94dee07e6b4ffd37fd8657e1843936f961e01ba7a31c139d
Instruction Fuzzy Hash: 822180755087809FCB02CF64D994B15BF71EB46314F28C5DAD8498F2A7C33AD816CB62

Function 0141D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131199265.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 818dfd632f233fad9344a301b7dd0f58dd8eced2990188baeeb1847e41622307
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 1511D2B6844240CFCB16CF44D5C4B56BF71FB84314F24C6AAD8090B26BC33AD456CB91

Function 0141D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2131199265.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_141d000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 62babc0454a8edae168882f0920daea0202ccc035885ab345f3092313440cf8b
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: FC11B1B6904280CFCB16CF54D9C4B16BF71FB84318F24C6AAD8490B66BC33AD456CBA1

Function 0162D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2132410908.000000000162D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0162D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_162d000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: 87001a9ecaacf8c8d08e75a7adc3f3ae26c81133536f106e9863ff9e046e6c3c
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: 3D11BB75504680DFDB02CF54C9C0B15BBA1FB85224F24C6A9D9494B3A6C33AD40ACF62

Non-executed Functions

Function 05D7CF88 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

pv, xrefs: 05D7CFE3

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID: pv
API String ID: 0-2349736466
Opcode ID: 6e2340e5c97e0a8d9d205a86daef0fd6b7641129a49472dc6d7e2c826fa82f7a
Instruction ID: b0f1b7ac5be3d4d6c624306844b941e723380ded5aee529fded410ab1fb4175e
Opcode Fuzzy Hash: 6e2340e5c97e0a8d9d205a86daef0fd6b7641129a49472dc6d7e2c826fa82f7a
Instruction Fuzzy Hash: 99E1E874E042598FDB14DFA9C580AAEBBB2FF89304F24816AD415AB355D731A942CF60

Function 07CF69E8 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2138018942.0000000007CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7cf0000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5404d622de4d3d5403f461e11c6025f2196006c2d9452636e5d3e065996adce3
Instruction ID: c3f117c67ef2520ec82780087ca6521965e20188dbf28012b11711ef4dd67fbf
Opcode Fuzzy Hash: 5404d622de4d3d5403f461e11c6025f2196006c2d9452636e5d3e065996adce3
Instruction Fuzzy Hash: A0D1ADB07017058FDB69DF75C8947AEB7F6AF89300F1484AAD246AB394CB35EA01CB51

Function 05D7F5B0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32610f7666df52c67adf63fc76a00f919019de48e1f7ca7f2220588455926c2
Instruction ID: d1f997009d1f6066ff7c226c14afcc364864bf9bbe68d84c6f90ddf08b8c3ec6
Opcode Fuzzy Hash: e32610f7666df52c67adf63fc76a00f919019de48e1f7ca7f2220588455926c2
Instruction Fuzzy Hash: DFE1F874E0425ADFDB14DFA9C580AAEBBF2FF49304F24826AD415A7355D730A982CF60

Function 05D7E7C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79fef3d13056eb3c64bd9d933d56a54ed456e96bfb74fb7ddd1d964ce81989ca
Instruction ID: 9391a3d8c5ca7c2670c82f94d54972a228969cb75f4d57caa02702acc6080ce2
Opcode Fuzzy Hash: 79fef3d13056eb3c64bd9d933d56a54ed456e96bfb74fb7ddd1d964ce81989ca
Instruction Fuzzy Hash: 66E10974E04259CFDB14DFA9C580AAEBBB6FF88304F24826AD415A7355D730A942CF61

Function 05D7E390 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87318cca6c169e5a6ad8473e1a88d522c37a5de6862a11f4879fe66f6b5c41e7
Instruction ID: 587d1ffd2a5012a86fc22560eaa2583fd9716e58de6e4a44eeb53393e393e8a5
Opcode Fuzzy Hash: 87318cca6c169e5a6ad8473e1a88d522c37a5de6862a11f4879fe66f6b5c41e7
Instruction Fuzzy Hash: A1E1E874E00259CFDB14DFA9C580AAEBBB6FF89304F2482AAD455A7355D730AD42CF60

Function 05D7EC00 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44268d9746eacb9ed16ddce56b7e933ff8f99dfd832f4c05c380424010cce307
Instruction ID: fbe41bc4ea1936f594722e5684d6cfa9108947bb7fe356fc8903e31051c89212
Opcode Fuzzy Hash: 44268d9746eacb9ed16ddce56b7e933ff8f99dfd832f4c05c380424010cce307
Instruction Fuzzy Hash: 59E1E874E002598FDB14DFA9C580AAEFBF6FF89304F24826AD415A7355D730A982CF61

Function 0170D8EC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2133042656.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1700000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89601bcb12db582d1d0bad9ba1880381be1e15cd5569b2cd0b3385e060145129
Instruction ID: 0a397bfe10f537ae81cd2542ee88ecc3a524584a02802e53220378bc89265baf
Opcode Fuzzy Hash: 89601bcb12db582d1d0bad9ba1880381be1e15cd5569b2cd0b3385e060145129
Instruction Fuzzy Hash: 27A14B32A1030ACFCF16DFB4C84459EBBF2FF85300B15856AE905AB2A5DB75E956CB40

Function 05D75180 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29010a12dcd884844c130151469ccadabee006a895128ee727a43ac879ec757c
Instruction ID: 2c4641301bab0c9be62d0ba8855407c0be7ad9f671a3af0a6f4050e6efee0b93
Opcode Fuzzy Hash: 29010a12dcd884844c130151469ccadabee006a895128ee727a43ac879ec757c
Instruction Fuzzy Hash: AD91E274D0621CCFDB14CFA9E884BEDBBB6FB49305F10806AD819A7291EB704985CF51

Function 05D73F48 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388061469d1cb012099ff984b22881990c35beff6158d1f45983342d13809a2
Instruction ID: 65556683dd70334d717d3f4d9e61fd6d0378093a3bc4f780bdc67a88cce04516
Opcode Fuzzy Hash: 8388061469d1cb012099ff984b22881990c35beff6158d1f45983342d13809a2
Instruction Fuzzy Hash: 83714770A1120ACFD749DF6AE84569ABFF6FBC8300F04C56AD014AB2A8EF745946CB51

Function 05D73F70 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec62b4c6524666a1967b01ed4d1e8e2efea7898ed605d4f708976697813295a5
Instruction ID: 2682f40270d170d30f58397754f6a90aad93dca7411625198db33f6fc13f878a
Opcode Fuzzy Hash: ec62b4c6524666a1967b01ed4d1e8e2efea7898ed605d4f708976697813295a5
Instruction Fuzzy Hash: B5613870A1120ACFD748DF6BE84569ABFF6FBC8300F04C56AD014AB268EF7419469B51

Function 05D7C008 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1abee447f890f57533a125e4459b55d2e1171483d2af62daf2748e8fa46a3a1
Instruction ID: 0ff3326fbb4fa23cad1361ec695b8ead51aef950a4ec08d2b55907b536723fc0
Opcode Fuzzy Hash: a1abee447f890f57533a125e4459b55d2e1171483d2af62daf2748e8fa46a3a1
Instruction Fuzzy Hash: E551B374E2921DCFCB04CFAAD8449EDBBF6BB89300F149026D459A7221E7749D81CF90

Function 05D7EBF0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f024da284f93f67544eba0f6eaaff46f1009613d8143019c46e12ca5528ec5e
Instruction ID: d60118978be3ce4daf14f373deb6aa23868a74e243679dd886283f08dee44091
Opcode Fuzzy Hash: 7f024da284f93f67544eba0f6eaaff46f1009613d8143019c46e12ca5528ec5e
Instruction Fuzzy Hash: D6510C74E002198BDB14CFAAC9806AEFBF6FF89304F24816AD418A7355D7359E42CF61

Function 05D7BFC8 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ad1e156c19df8feba15112363fe82d8a0dcbce88b79fd549991091edd655cc
Instruction ID: dfa35527937f0101393da4903e59834894d105944142b76112bfc33d47f9c7a6
Opcode Fuzzy Hash: 21ad1e156c19df8feba15112363fe82d8a0dcbce88b79fd549991091edd655cc
Instruction Fuzzy Hash: A2411675D2921DCFCF04CFAAD9456EDBBB6BB89300F04906BD859A2221E7748981CF90

Function 05D7BFF8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2137696981.0000000005D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d70000_New purchase order.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6196592d051244972ef5971c6ce79e447dd7273eef48292666635728b8c4fc45
Instruction ID: 894cfaeb876d8f0d5598b79409c2f86bd16b0a449909c543a3bc3676003a17c1
Opcode Fuzzy Hash: 6196592d051244972ef5971c6ce79e447dd7273eef48292666635728b8c4fc45
Instruction Fuzzy Hash: E641E574D2921DCFDB04CFAAC8446EEBBB6BB89300F04D12AD459B3221E7749981CF94

Analysis Process: MSBuild.exePID: 7152, Parent PID: 3064COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	54.1%
Total number of Nodes:	37
Total number of Limit Nodes:	3

Executed Functions

Function 016F2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01720DBD,?,?,?,?,01714302), ref: 016F2B6A

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f203dfac195c99f07c12ee5ffa6ef632538847f4f83a02e0f51aeabde100d4a3
Instruction ID: e8dca5e6fab4b8ab50af48ac0dd59699911768a58bf1836421786e4fedc6e60e
Opcode Fuzzy Hash: f203dfac195c99f07c12ee5ffa6ef632538847f4f83a02e0f51aeabde100d4a3
Instruction Fuzzy Hash: 6E9002A160690083420671584414616804A97E0201B55C031E10145E4DC5258AD16226

Function 016F2C1D Relevance: 1.5, APIs: 1, Instructions: 11
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0170FD4F,000000FF,00000024,017A6634,00000004,00000000,?,-00000018,7D810F61,?,?,016C8B12,?,?,?,?), ref: 016F2C24

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce3321e5bad54b70ca8e3e706bb28d51d5e9d9b7798c9065a57f5ea519cde920
Instruction ID: da0e1b0dee31d3088e79f7c9b20c804db924790feab6062f79cb0ba9bef62cd8
Opcode Fuzzy Hash: ce3321e5bad54b70ca8e3e706bb28d51d5e9d9b7798c9065a57f5ea519cde920
Instruction Fuzzy Hash: 17C08C3185098482C219E56408807CF1249A7C8380F10C418E70293219CB328269A572

Function 016F2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0170FD4F,000000FF,00000024,017A6634,00000004,00000000,?,-00000018,7D810F61,?,?,016C8B12,?,?,?,?), ref: 016F2C24

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a7584d6defc969be29050ce8a3b62e9b1c47c718f31a1d5deaa9d897f9b7c574
Instruction ID: aa38b05a7782c29f7607efbf86d3d6f1b75b431111ed83386d45e11f0c2234ef
Opcode Fuzzy Hash: a7584d6defc969be29050ce8a3b62e9b1c47c718f31a1d5deaa9d897f9b7c574
Instruction Fuzzy Hash: 13B09B71D059C5C5DB52E7644A087177940B7D0701F15C075D3030695F8738C1D1E676

Function 016F2BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01707BA5,000000FF,?,00000000,?,00001000,00000000,?,-00000018,7D810F61,?,?,?,?), ref: 016F2BFA

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efc1fdb7164d8dd1cc6bc9d7b71a8bbb116b944f8b130ee8d1163192aafcc62f
Instruction ID: 1ab52deab2beecaf87029faa6d603028a77101b576e477620b03d6c40b87cb69
Opcode Fuzzy Hash: efc1fdb7164d8dd1cc6bc9d7b71a8bbb116b944f8b130ee8d1163192aafcc62f
Instruction Fuzzy Hash: 3190027160590882D2817158440464A404597D1301F95C025A00256A8DCA158B9977A2

Function 016F2AD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01729864,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,016F034A,?,?,?,00000003), ref: 016F2ADA

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d33d38951b98a0dc93cb7ee7af104c655c24328f21fd4185940d321f81c8229
Instruction ID: c2f9209bc12d980ee07a57542a193140a26222c6c83ff420e2ae59e0c1b4c57b
Opcode Fuzzy Hash: 4d33d38951b98a0dc93cb7ee7af104c655c24328f21fd4185940d321f81c8229
Instruction Fuzzy Hash: 86900265615900830206B5580704507408697D5351355C031F10155A4CD6218AA15222

Function 016F2D30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(016DA52A,000000FF,?,017A67F8,0178C9A0,00000020,016DA460,017A689C,00000000,0000001D,?,01222D38), ref: 016F2D3A

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 370dcc4ab8681aa871c7aa80168c6a771332558598e8097c505a64ebf627873e
Instruction ID: 96a842e8a4b845c12bc488e073cf4cb98f83ef9456c66e50b18fa2af4697724c
Opcode Fuzzy Hash: 370dcc4ab8681aa871c7aa80168c6a771332558598e8097c505a64ebf627873e
Instruction Fuzzy Hash: F690026170590083D241715854186068045E7E1301F55D021E04145A8CD9158A965323

Function 016F2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0173B508,00000004,000000FF,0000001E,00000000,00000000,00000000,C0000409,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 016F2D1A

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 17bfe9ec43dbd19c2c591d53445cbe745d39b159d4b5ffd8df9e9342989ff5aa
Instruction ID: ec3b88e60026a0ee89e37b7efda33f9fad7692c578fd6549bac6111c73c37fe4
Opcode Fuzzy Hash: 17bfe9ec43dbd19c2c591d53445cbe745d39b159d4b5ffd8df9e9342989ff5aa
Instruction Fuzzy Hash: 0290026961790082D2817158540860A404597D1202F95D425A00155ACCC9158AA95322

Function 016F2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0172E73E,0000005A,0178D040,00000020,00000000,0178D040,00000080,01714A81,00000000,?,?,00000002,00000000,?,?,016FAE00), ref: 016F2DFA

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3d5460362d7a89b4d7fc2c6ab63bee15c119e670aa951fe22f235ff395d8703
Instruction ID: 531615a4ab58a55fdb606e5f41427efcf994ec39f82a25a4c571eda4161b3cab
Opcode Fuzzy Hash: e3d5460362d7a89b4d7fc2c6ab63bee15c119e670aa951fe22f235ff395d8703
Instruction Fuzzy Hash: 3090027160590493D21271584504707404997D0241F95C422A04245ACDD6568B92A222

Function 016F2DD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(017091A3,00000000,00000000,?,?,?,016B8A1A,0178C2B0,00000018,016A8873), ref: 016F2DDA

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 07a08c25a8c8814080c8cd08dc0073c37a196c37b9c63bdebc8609d2abdd3ccd
Instruction ID: 50085cc9d3bf30bf361638b683272a878c5a5979fd5cfbb549ac5498ca07fa17
Opcode Fuzzy Hash: 07a08c25a8c8814080c8cd08dc0073c37a196c37b9c63bdebc8609d2abdd3ccd
Instruction Fuzzy Hash: 73900261646941D25646B15844045078046A7E0241795C022A14149A4CC5269A96D722

Function 016F2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(016AFB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,01707BE5,00001000,00004000,000000FF,?,00000000), ref: 016F2C7A

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed350a60fe868cdc9cfcb9f4cc66f7fe78d09855a76007f3494e4c06e1d7143a
Instruction ID: 1ed1285e819e9cf34cc02a8c74e7440d302d3df904a94a453ac2a0bd3b0b3884
Opcode Fuzzy Hash: ed350a60fe868cdc9cfcb9f4cc66f7fe78d09855a76007f3494e4c06e1d7143a
Instruction Fuzzy Hash: 7790027160598882D2117158840474A404597D0301F59C421A44246ACDC6958AD17222

Function 016F2CA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(016D3999,000000FA,00000001,?,00000050,?,?), ref: 016F2CAA

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c2c0a2002cfba2f5f691b5a6fd7ec3658ebbbfdbd7a4120f844b01434b3ffa1
Instruction ID: 67f31bd6951a539418d7a030af51d121f91ff2f828327df84d4f69ca4cf0aabd
Opcode Fuzzy Hash: 1c2c0a2002cfba2f5f691b5a6fd7ec3658ebbbfdbd7a4120f844b01434b3ffa1
Instruction Fuzzy Hash: 7B90027160590482D20175985408646404597E0301F55D021A50245A9EC6658AD16232

Function 016F2F30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0173B4E6,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000000,00000000,00000000,00000058), ref: 016F2F3A

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69c6ab61b401eff7525adbc9460e9116594b991a5a925e4b1304c4694ad9e57a
Instruction ID: 82279ec4145fa7e43d72dca620af9445d0439af735af77b4a7f9a94d3d327b14
Opcode Fuzzy Hash: 69c6ab61b401eff7525adbc9460e9116594b991a5a925e4b1304c4694ad9e57a
Instruction Fuzzy Hash: B29002A1745904C2D20171584414B064045D7E1301F55C025E10645A8DC619CE926227

Function 016F2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(016F17E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 016F2FEA

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac38c27a85515f21edd33839486a88e1c0363666e746dffa5e9872c961409dee
Instruction ID: 7e7ecef83b65812855ee01ff89e6e7bbaa8a02b1e667a0bfc52d34eac94ef606
Opcode Fuzzy Hash: ac38c27a85515f21edd33839486a88e1c0363666e746dffa5e9872c961409dee
Instruction Fuzzy Hash: 54900261615D00C2D30175684C14B07404597D0303F55C125A01545A8CC9158AA15622

Function 016F2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(016F05E3,00000000,00000000,00000001,00000000,00000000,00000000,?,016F2380,016F03B6,00000000,00000000,?,00000000,?), ref: 016F2FBA

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ee23fc68916e4635958e57d0dc4f8c6b24196e5f2aed283b3618719d886ec02
Instruction ID: fed207c869ca3838545dd06613b6e846ad3e793452c31a5bfd6c0a2fe30fb2cf
Opcode Fuzzy Hash: 3ee23fc68916e4635958e57d0dc4f8c6b24196e5f2aed283b3618719d886ec02
Instruction Fuzzy Hash: 80900261A05900C24241716888449068045BBE1211755C131A09985A4DC5598AA55766

Function 016F2F90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0172CF47,000000FF,?,?,00000000,?,00000000,?,?), ref: 016F2F9A

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 915baea17b64359a1911a2f3ea63ee645d6b7baf5daeddd905d49ab5fde6de0a
Instruction ID: c4ea6913189d35e75657156598d583949916064ae197a4d8ba9a97e059d6916a
Opcode Fuzzy Hash: 915baea17b64359a1911a2f3ea63ee645d6b7baf5daeddd905d49ab5fde6de0a
Instruction Fuzzy Hash: 35900271605D0482D2017158481470B404597D0302F55C021A11645A9DC6258A916672

Function 016F2EA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01711B8A,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 016F2EAA

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 147d69b3cd9de16168547194ac8c3664b746cc8199d9a4118958a795361f2ecb
Instruction ID: dbf0ecec2b5c2371fd992b721415faeabb7e384876bca36b73782f5a358d8564
Opcode Fuzzy Hash: 147d69b3cd9de16168547194ac8c3664b746cc8199d9a4118958a795361f2ecb
Instruction Fuzzy Hash: BD9002B160590482D24171584404746404597D0301F55C021A50645A8EC6598FD56766

Function 016F2E80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0173809B,?,?,?,?,?), ref: 016F2E8A

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49cfe5974ab38c4fc2838453afdd2f5f24011305575a26a3d6349019eca114c2
Instruction ID: 71908aca904e7f22f6e5d567c107199485844b128b0c02f77b9b434b053cb5eb
Opcode Fuzzy Hash: 49cfe5974ab38c4fc2838453afdd2f5f24011305575a26a3d6349019eca114c2
Instruction Fuzzy Hash: 50900261A0590582D20271584404616404A97D0241F95C032A10245A9ECA258BD2A232

Function 0041F0C9 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183404585.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860c6c292330ed9701495fd1c740c0e76179173b83d900957f45c574397d5bf4
Instruction ID: 1ab65c22e78c82588381bfe4b6ce12795e7c96d766b948bdcd15bf1f27b74f1c
Opcode Fuzzy Hash: 860c6c292330ed9701495fd1c740c0e76179173b83d900957f45c574397d5bf4
Instruction Fuzzy Hash: FBB0927190520C2B842035BE9A0E4A6771CD69565CB400699ED89069027E43746301E6

Function 0041F0D0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2183404585.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2407458f35ca21ca506e0c24118f177990cacd1bea0c120035e7637a72cd4c26
Instruction ID: 71cd0b4ea5b82251a8dfacf4b4f4a81eb47669f17a6830740459b1cdfa128c40
Opcode Fuzzy Hash: 2407458f35ca21ca506e0c24118f177990cacd1bea0c120035e7637a72cd4c26
Instruction Fuzzy Hash: C7A022A0C0830C03002030FA2B03023B30CC000028F0003EAAE8C022023C02A83200EB

Non-executed Functions

Function 01734755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01734809

Strings

LdrpCheckRedirection, xrefs: 0173488F
minkernel\ntdll\ldrredirect.c, xrefs: 01734899
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01734888

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 10081ebfc816d779745c65bd8e56cfd45fe9d916f6e9811433d32e72dd45b265
Instruction ID: 72d6991f9b74d4f998a062f5cdea0a6f3278a2b9a88515384d17ac2d675297e9
Opcode Fuzzy Hash: 10081ebfc816d779745c65bd8e56cfd45fe9d916f6e9811433d32e72dd45b265
Instruction Fuzzy Hash: EB41D132A542619FCB2ACF28D840A66FBE5EFC9750F0506A9ED4A97313D730D800CB91

Function 016F096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 016F2DF0: LdrInitializeThunk.NTDLL(0172E73E,0000005A,0178D040,00000020,00000000,0178D040,00000080,01714A81,00000000,?,?,00000002,00000000,?,?,016FAE00), ref: 016F2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016F0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016F0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016F0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 016F0D74

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: e8f5fe306a51438cef1de379fcd7b4c581649a62d135f26cc29a3869ffc276ba
Instruction ID: d6c12b0fd712b6b4a7bb2838e3aa4a1631047470c4832059b6568d23c5e7b013
Opcode Fuzzy Hash: e8f5fe306a51438cef1de379fcd7b4c581649a62d135f26cc29a3869ffc276ba
Instruction Fuzzy Hash: 44423A71900715DFDB21CF68C880BAAB7F5FF44314F1445ADEA89AB242E770AA85CF60

Function 016BEA80 Relevance: 6.1, Strings: 4, Instructions: 1073COMMON

Download Yara Rule

Strings

{, xrefs: 01714643
T, xrefs: 016BEB4E
R, xrefs: 016BEB62
, xrefs: 016BF299

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: $R$T${
API String ID: 0-4276472446
Opcode ID: c7350ab773b3e05fead83eb0b8445580ee3c5597df80f27343d94976a4f42513
Instruction ID: 1832f3da20beb91132160ff57333f8cc02def8bb6532217b2dfbbc1aba60648b
Opcode Fuzzy Hash: c7350ab773b3e05fead83eb0b8445580ee3c5597df80f27343d94976a4f42513
Instruction Fuzzy Hash: 2EA23674A0562A8FDB64CF29CC887E9BBB5AF45304F1442E9D90AA7365DB319EC1CF40

Function 016E4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 016E4C96
0, xrefs: 016E4CC3

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 158a9c674a0a5e5d110e20bc2f92cbba658f4eed4388ad897dabd7a3b65c701f
Instruction ID: f08a29ac195c727b5bf8c6765b678f8f61bf21d27e680520d399b3fafe784876
Opcode Fuzzy Hash: 158a9c674a0a5e5d110e20bc2f92cbba658f4eed4388ad897dabd7a3b65c701f
Instruction Fuzzy Hash: 28518CB2E01214CBDF26CFA9C888669FBF5FF84714F14812ED149DB251EB759986CB80

Function 01734F40 Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

\, xrefs: 01734F66
/, xrefs: 01734F6D
.DLL, xrefs: 017350C7, 0173519C
.Local, xrefs: 01735170

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\
API String ID: 0-80926707
Opcode ID: 270cbb45609dc402c573fe467f0e46cde9a616bef18c24ebe637e354ca75ddac
Instruction ID: 3bd45c813f6b5a080f9b32816435b10b24aadcb9f8f2acf33b87b3fdf8240084
Opcode Fuzzy Hash: 270cbb45609dc402c573fe467f0e46cde9a616bef18c24ebe637e354ca75ddac
Instruction Fuzzy Hash: 0E91B172D0061A8BCB25CFACC880AAEF7B5FF88310F5941A9E911E7351D735D901CB91

Function 016CAD00 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 017180B7
LdrpInitializeDllPath, xrefs: 017180AD
DLL search path passed in externally: %ws, xrefs: 017180A6

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: DLL search path passed in externally: %ws$LdrpInitializeDllPath$minkernel\ntdll\ldrutil.c
API String ID: 0-109579469
Opcode ID: 6c3537694a19b0c140f393734e2d443c4e9f129d15a77fb12def323fd1a7238f
Instruction ID: af575d7cd33bb50f46ed16bed7d1855b2984f862a5f681985a54cd94eeeb3eac
Opcode Fuzzy Hash: 6c3537694a19b0c140f393734e2d443c4e9f129d15a77fb12def323fd1a7238f
Instruction Fuzzy Hash: 2212EE71A093468BD321DF68CC81BBAB7E5FF84B14F084A1DF9858B291E730D945CB92

Function 016D6962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

, xrefs: 0171CA51
@, xrefs: 016D6C24

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 079c1de373d3435dab6d45fb258b1840381deb96083832fdfe99d55c13aa5fd4
Instruction ID: bcb4e456941b9ff4d117f6a0da1ba461817242cc42f977c481447dc101f573cf
Opcode Fuzzy Hash: 079c1de373d3435dab6d45fb258b1840381deb96083832fdfe99d55c13aa5fd4
Instruction Fuzzy Hash: 3AC28F71A083419FD726CF69C881BABBBE5AF88718F04892DF989C7341D774D845CB92

Function 016B04E5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016B055E

Strings

kLsE, xrefs: 016B0540

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: ac226920c1f774c23da80b1c8802c82c123966d4783e242b4d3296f3c12e6de0
Instruction ID: 22da41da0b8912bc80ef51ce427f37b1cfd4c0bba76a27beb98a068b6aa164ae
Opcode Fuzzy Hash: ac226920c1f774c23da80b1c8802c82c123966d4783e242b4d3296f3c12e6de0
Instruction Fuzzy Hash: DA51AE725047428BD724DF68C9806E7BBF8AF84304F10893EF69A87641E770E585CB91

Function 01732349 Relevance: 3.6, Strings: 2, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 01732B74
@, xrefs: 01732942

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 659159885575e7c8965b708de4c7b3ff58e761cb3ae79e694372e005220edcb9
Instruction ID: eb2a56bdb9e0ba094372d07ffeb0c477d6ae2757bef85862ddba78602c3654be
Opcode Fuzzy Hash: 659159885575e7c8965b708de4c7b3ff58e761cb3ae79e694372e005220edcb9
Instruction Fuzzy Hash: 08928A71608342ABE721CE28CC84B6BFBE9BBC4754F04492DFA95D7252D770E844CB96

Function 016E4D1D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016E4D64

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01723640, 0172366C

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3711822496
Opcode ID: 0042b7935ca577d42d0cd0fde00efacfacc411de1e8a1969f65757a2a37ff0a2
Instruction ID: 8fc42681705da6158e8efa1c109f3b5c926931f20ca4eca50535d078e0cff653
Opcode Fuzzy Hash: 0042b7935ca577d42d0cd0fde00efacfacc411de1e8a1969f65757a2a37ff0a2
Instruction Fuzzy Hash: 73310733902221DBDF329A2CCC4CA75B6E4BB41664F06422AE609D7351DFA69C808785

Function 016E2CF0 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

@, xrefs: 016E2E4D
.Local\, xrefs: 016E2D91

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 1162c1300686df3d944c9a477ddb5c29820bee41b21df2445a1765fea0f8bc05
Instruction ID: efae45166fe183d2788f461186e8933cbb2ce195266597564a92b2708991f7fd
Opcode Fuzzy Hash: 1162c1300686df3d944c9a477ddb5c29820bee41b21df2445a1765fea0f8bc05
Instruction Fuzzy Hash: AF81E1725093029FDB11CF18C8A4A6BBBE9EF95700F048A5DFA85CB346D771D904CBA2

Function 016B6A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0916d72978c147d1d037ef5a37212e10ce2202b939c9ed1f953f40792f6e8297
Instruction ID: bf7bbadb4457c8ecaa6aec3649fa8bc76dad28b41eb32e146e9b3708b748c968
Opcode Fuzzy Hash: 0916d72978c147d1d037ef5a37212e10ce2202b939c9ed1f953f40792f6e8297
Instruction Fuzzy Hash: F4327B71A05215CFDB25CF6CC880BAABBF1FF48310F548569EA56AB395D734E882CB50

Function 016C0770 Relevance: 1.9, APIs: 1, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5acb70d332f7ebf2807618205259670e749cc915a2e966a28eef0d914a29e25e
Instruction ID: 033e1bea7641a58d4fde18b5882311c12eb4f78a0ca69261baf44d72b3116387
Opcode Fuzzy Hash: 5acb70d332f7ebf2807618205259670e749cc915a2e966a28eef0d914a29e25e
Instruction Fuzzy Hash: DFF1AB75A00606DFEB29CF6CC894BBAB7B5FB85B04F14816CE5169B385D730E981CB90

Function 016BCC74 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

9, xrefs: 016BCBA1

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2473173378
Opcode ID: f65521398eb5b9c4dc25ab7c53261cb905daab21876b6a8f53da08530940f332
Instruction ID: f114697f41a9eb210c4f8b863f9be9c7e081c6cba21c73d163fce72e26d92305
Opcode Fuzzy Hash: f65521398eb5b9c4dc25ab7c53261cb905daab21876b6a8f53da08530940f332
Instruction Fuzzy Hash: 71424675E012588FEB25CFA8C8C0BEDBBB1BF48354F148169E919AB351D734AD82CB54

Function 016DE5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a7908f2262a720f641075b88dcc339e2dfbae985cf82a13b28296d399df2a4
Instruction ID: 45f083d2dd516e82304638b189c45aa1a13141af4ae27d7a986723355f816090
Opcode Fuzzy Hash: e0a7908f2262a720f641075b88dcc339e2dfbae985cf82a13b28296d399df2a4
Instruction Fuzzy Hash: 1EA13531E006699FEB22DFACCC48BAEBBB5BB01714F050159EA10AB2C5D774AD45CBD1

Function 016BAF42 Relevance: 1.7, Strings: 1, Instructions: 457COMMON

Download Yara Rule

Strings

#, xrefs: 0171363D

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 53139dadbe123e5d7a6a0c3865e6308a4e034fe7b0c68cf12bc90e21b01765a0
Instruction ID: f99253e4997754dc2fedcbb365d37aaf3cce6ed543b5529556f3863f27dc9422
Opcode Fuzzy Hash: 53139dadbe123e5d7a6a0c3865e6308a4e034fe7b0c68cf12bc90e21b01765a0
Instruction Fuzzy Hash: E9029D75A002698BEF328A18CCD4BFEB7B9BF44350F1441EAD949A7251DB719EC28F44

Function 016ECDB1 Relevance: 1.7, APIs: 1, Instructions: 197timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016ECE7D

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ba5b8791948144a480941f63d0f25e8533867635e2ddf104bdf183cefb716b32
Instruction ID: ff5cf636599555d6401907b7d8af4072fdfa6476afb0460f041bd23acde4b9bc
Opcode Fuzzy Hash: ba5b8791948144a480941f63d0f25e8533867635e2ddf104bdf183cefb716b32
Instruction Fuzzy Hash: DE61DD71A01216DFCB19DF68C894AAEB7F5FF48314F10826DE612EB291DB329902CB55

Function 016C03E9 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01714D8A

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 7d01af52474d547facabaf5951394d8b180d882bcda1f19c7e5210f7251f0292
Instruction ID: be26209dbee873d6587370949c56be14760426c96e0b039b39383244a3d3f7ac
Opcode Fuzzy Hash: 7d01af52474d547facabaf5951394d8b180d882bcda1f19c7e5210f7251f0292
Instruction Fuzzy Hash: 12712772A0014ADFDB05DFA8C994BAEBBF8FF48704F144069E905E7255EB34AD41CBA4

Function 016E29F9 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 0172259B

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 225cb95fb7a7a35b9235e46769957073d282bdd9d436988398b863e9db386743
Instruction ID: 4ecfcb9be4fd078a1cdd2488338dda62af11aa4f208d69bbdeb7e0d7dadf1699
Opcode Fuzzy Hash: 225cb95fb7a7a35b9235e46769957073d282bdd9d436988398b863e9db386743
Instruction Fuzzy Hash: 1D029FB1D012299BDB71DB54CC84BAAF7B9AF44704F0041DEE609A7242EB30AF95CF59

Function 016D0C44 Relevance: 1.7, APIs: 1, Instructions: 152timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016D0CDC

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 22380424803cd492c437cbd9f638e853d1f4796426d5196db0707006868affb7
Instruction ID: 53b0d95f77a2d82e5d7715eb36ad4bd549ca8485775a9c2d70259ce639a25816
Opcode Fuzzy Hash: 22380424803cd492c437cbd9f638e853d1f4796426d5196db0707006868affb7
Instruction Fuzzy Hash: A651BE74A00206DFDB24DF6CCD81ABEB7F5EF88614F54806DE90697255E631AA42CB50

Function 016EC720 Relevance: 1.6, APIs: 1, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016EC7BF

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e5947d11862079e262f5e90727ddb6d10893d6eb0c081dfe7b41e7c01d9b6cd3
Instruction ID: 0ffc5f8970d3ef4761b7157fd220cee3c019c7e289d713622ffe0b5c997d8b62
Opcode Fuzzy Hash: e5947d11862079e262f5e90727ddb6d10893d6eb0c081dfe7b41e7c01d9b6cd3
Instruction Fuzzy Hash: 2F412771545311ABCB20EF68DC44B6BBBE8EF95760F44862EF945D3290E770D800CB95

Function 016DEBFC Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a0393540d074a22b45805293aa3675bc95683385c65a882efea4fab8f909f0
Instruction ID: 25c5141179b786c581d8dec61a02d628c7cbd986f89584a2b70ea24d37558d08
Opcode Fuzzy Hash: 90a0393540d074a22b45805293aa3675bc95683385c65a882efea4fab8f909f0
Instruction Fuzzy Hash: 9E41D4726043019FD724DF28CC94A2BB7E6FF88224F44482DE9A7CB715DB32E8498B54

Function 016A64BA Relevance: 1.6, APIs: 1, Instructions: 123timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016A656C

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 312b28df9feaa4eca278b913a8f0b5cf569f940440473333483b7450114b63c1
Instruction ID: 178247c8e5c6c9d8dccd8ee69294c1f651fe5aa77a3133dcdae53d742db2e413
Opcode Fuzzy Hash: 312b28df9feaa4eca278b913a8f0b5cf569f940440473333483b7450114b63c1
Instruction Fuzzy Hash: 8341D5B1208301EFDB21DE24DC91BABB7E9FB84A58F84451DEA8A67195D630ED40CB52

Function 016B262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016B2710

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: eec286eb88d6e748f9c5ef320291de058e332b0df6bc0ad0ebfb769849859215
Instruction ID: 952846efa7dc5b27d0d58f46dece626b4095f57c3792cfa3a15f6093124c6128
Opcode Fuzzy Hash: eec286eb88d6e748f9c5ef320291de058e332b0df6bc0ad0ebfb769849859215
Instruction Fuzzy Hash: 914192B1501705CFCB22EF28CD907A9B7F6FF98710F1482ADD5169B2A1EB30A981CB55

Function 017307C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0173083C

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 631dea9a7c388bceabf7462c8658492eeb99c8faf9ad29fdc12c880dc57fef85
Instruction ID: 5ecf158d2b7f5fd0d877382eb93c6d7c71991de25c2c5e03919bc7928087d150
Opcode Fuzzy Hash: 631dea9a7c388bceabf7462c8658492eeb99c8faf9ad29fdc12c880dc57fef85
Instruction Fuzzy Hash: D7419CB25043059FD720DF28C844B9BFBE8FF88624F008A2EF998C7251D7309804CB92

Function 016D245A Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a041617e4caa74057aa23256386b460e21d33434451052f21e0f41c7ede66c8
Instruction ID: 564d5db3b6d0590504a640fed0fd963e68a12ae6a886b8ec9336304cbbf2164c
Opcode Fuzzy Hash: 9a041617e4caa74057aa23256386b460e21d33434451052f21e0f41c7ede66c8
Instruction Fuzzy Hash: 4C314872A41242EBDB319F5DCC85AAAFBB9FBC0B20F55805DF9016B249C7705981CB80

Function 016B4859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016B48F7

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: c92a4a1b30ae6fecedc3c67b3b1fa679dd4f693901454aec590dc089a636c568
Instruction ID: 755c4d86f14dd4638de5335fd2e7dcc27a54dd3294e48a5a0628f03c6ab919f6
Opcode Fuzzy Hash: c92a4a1b30ae6fecedc3c67b3b1fa679dd4f693901454aec590dc089a636c568
Instruction Fuzzy Hash: BA41A2302043019BD725EF18DCD4BAABBEAEF80764F14442DEA568B392DF30D991CB91

Function 016A8A00 Relevance: 1.6, APIs: 1, Instructions: 85timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016A8A8B

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 6052de595f80133ee7554efd8d0fd4959793d6305326f92259d7720bfcd4ee19
Instruction ID: d5ebece6dbd7277c169759e694b5a03e5759373511d7bb5a3fc13bd2809f5690
Opcode Fuzzy Hash: 6052de595f80133ee7554efd8d0fd4959793d6305326f92259d7720bfcd4ee19
Instruction Fuzzy Hash: 4F31EEB6600B06EFCB26DF64D950BADB7B1FF48310F044159EA0253691C735AD90CBA1

Function 0173892A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81f649ef79e44749200025a9ab307cca47eaf25864d28d37dbbdcc869392a63e
Instruction ID: 3b2be471ed6873d55ef973e26fdc849d903f05cab8a218a6f8f055d06c667991
Opcode Fuzzy Hash: 81f649ef79e44749200025a9ab307cca47eaf25864d28d37dbbdcc869392a63e
Instruction Fuzzy Hash: 0D0126722082019BE7246F59DCC4AAAFB79EFC1264B44022CF7821A193CB70AC81C797

Function 0173A4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0173A51A

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e0d6bf0029c226595e28cbe5008bb7ea2d6c121798a4e5d7882c47eedcf389a0
Instruction ID: a82136c0047ad1429ff51d950cc7146ed026d22b191dde918963b556c5a8a8a6
Opcode Fuzzy Hash: e0d6bf0029c226595e28cbe5008bb7ea2d6c121798a4e5d7882c47eedcf389a0
Instruction Fuzzy Hash: 3F01853610020DABCF129F84D841EDA7F66FB8C6A4F068101FE19A6261C332E970EB81

Function 01738D20 Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01738D6A

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0c17ee9e61413374799e2b0cc37e2da5efcc6b1e42e3eb2366554336136a2ccc
Instruction ID: 309642f080fb5fd279a075389b781d4042c60968319d264a66325dc429a74aa1
Opcode Fuzzy Hash: 0c17ee9e61413374799e2b0cc37e2da5efcc6b1e42e3eb2366554336136a2ccc
Instruction Fuzzy Hash: 23F0B4725182446BD7216A1CEC88BDAFB6DFBD8720F894629F949271A286306CC0C780

Function 01736420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 017365C1

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7e0c6b13b4397c65c441868c7ed629992df46d7566727ded3c484900db417e4d
Instruction ID: f366a52606609cda2cb1e327bad53efdbf76f481a999a779c30e79d4f0d7133d
Opcode Fuzzy Hash: 7e0c6b13b4397c65c441868c7ed629992df46d7566727ded3c484900db417e4d
Instruction Fuzzy Hash: AF9174B1900219BFEB21DF95CC85FAEBBB9EF58B50F154069F600AB191D774AD00CB64

Function 016E8402 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 016E8591

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 98684454559e146f71f55b4df8b5bb9b3211ffbc7fc8efa554d66add91859106
Instruction ID: 214b880b4cbaac5c4b46be2291b6279773d1bc683873127a957d9e57ae620e9f
Opcode Fuzzy Hash: 98684454559e146f71f55b4df8b5bb9b3211ffbc7fc8efa554d66add91859106
Instruction Fuzzy Hash: E9919871509345AFD722EF65CC84EABBAEDFF88644F400A2EFA8493151E730D9058B66

Function 016E273C Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 016E28D8

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local
API String ID: 0-5346580
Opcode ID: 3d9dbbd908ad535f881915302ef2559230e57a1041b0a73be5b94ca0fbb70cde
Instruction ID: 23bf8d4f8b8b38a29686d1848007d6ae6450baf4b29fd03471c5f2a8a740c596
Opcode Fuzzy Hash: 3d9dbbd908ad535f881915302ef2559230e57a1041b0a73be5b94ca0fbb70cde
Instruction Fuzzy Hash: 6BA1BF319012299BDB24CF59CC98BA9B3FABF59314F2542EDD908AB351D7309E81CF94

Function 016AA197 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0170C1E4

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: \??\
API String ID: 0-3047946824
Opcode ID: ed6e6b34368243f55a886ee1970de1cc9d3bf94a5b7514420432a3dcaee1b55b
Instruction ID: a0ec26698fdad7b8b80ed843e30e43ab958266f6e7e473b64d5808ccb0eaf408
Opcode Fuzzy Hash: ed6e6b34368243f55a886ee1970de1cc9d3bf94a5b7514420432a3dcaee1b55b
Instruction Fuzzy Hash: 03A17E719112299BDB32DF64CC88BAAF7B8FF44700F1141EAEA09A7250D7359E84CF54

Function 016E8620 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 017252E3

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 864b8a8c6012b534d38724164a8adadc72e9e4509340b22ab08652a3fe704b83
Instruction ID: 8e68d8ffa3f4f88ea9b12d5125dc7ab2bbb7c8c3e9c48a40f3e364c749523f1d
Opcode Fuzzy Hash: 864b8a8c6012b534d38724164a8adadc72e9e4509340b22ab08652a3fe704b83
Instruction Fuzzy Hash: B1818AB1A01368AFDF20CF9ACC45BAEBBB9EB49B14F204159F505B7241D375A941CBA0

Function 016E8BF0 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

(, xrefs: 016E8D3B

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: f44babff4afe37fb1ec43c6b335942e43ce3bb6fed486c6fd7b88854ebbca907
Instruction ID: 5a98f4b00a0fc1306150cad1a9c8cf8a8dbd693cdf850d91c951aeb085a0cbd1
Opcode Fuzzy Hash: f44babff4afe37fb1ec43c6b335942e43ce3bb6fed486c6fd7b88854ebbca907
Instruction Fuzzy Hash: DD916871D01649CFDB11CFA8C884ADEBBF6BF59310F20426AE816AB391D771A942CF54

Function 016C2F7B Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

, xrefs: 016C31A3

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5bfa7ea05fd26f989555a058eb3e63978f28bb62ef15378fc7e05bff7c46014e
Instruction ID: b44be3848afa179f39a77c01c103cd0101f100b8c7607096421e52b0f2d9373c
Opcode Fuzzy Hash: 5bfa7ea05fd26f989555a058eb3e63978f28bb62ef15378fc7e05bff7c46014e
Instruction Fuzzy Hash: 1C919931A002489FDB26CF68D884BBCBBB1FF45B10F18C06DE95AAB752D735A940CB50

Function 016C2F47 Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

, xrefs: 016C31A3

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5071983af1a9341326bf2895fee2c806ed7677bcaa648f88fb8516154092abc2
Instruction ID: 3af47c8a5efe1da0e9fbe55a288df8ec6116d55e516bcafb5b255ec456b61df1
Opcode Fuzzy Hash: 5071983af1a9341326bf2895fee2c806ed7677bcaa648f88fb8516154092abc2
Instruction Fuzzy Hash: F6817931A042889FDB26CF68D884BBCBBB1FF45B10F18C06DE956AB752D735A941CB50

Function 016C2F72 Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

, xrefs: 016C31A3

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2544c7929e984f2c01f8f60cfa2ec6f30b55b4fcf92246f55ff08ececd3a6de6
Instruction ID: 1662bb158f3db2b0477dbdbfa53c006d958e6269c7e70afad12b354de59408ea
Opcode Fuzzy Hash: 2544c7929e984f2c01f8f60cfa2ec6f30b55b4fcf92246f55ff08ececd3a6de6
Instruction Fuzzy Hash: 2A818B31A042889FDB26CF68D884BBCBBB1FF45B10F18C06DE956AB752D735A941CB50

Function 016C2A45 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

u)j, xrefs: 016C2C2D

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: u)j
API String ID: 0-1146774532
Opcode ID: 5e7a945185624cdc28d8a2ada0edb9702c4b2533a8b3ebb4cb467abac4946d0d
Instruction ID: 48bba18b159f6d76cfedb76ac1a53eb9db3d728ffc67ae43ec0c725aa35a2aa7
Opcode Fuzzy Hash: 5e7a945185624cdc28d8a2ada0edb9702c4b2533a8b3ebb4cb467abac4946d0d
Instruction Fuzzy Hash: 95510372A046158FEB25CF5DCCA47BABBB1FB44B14F14405EED059B391D336A842CBA0

Function 016ACCC8 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 016ACD63

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2d9c1900cafe748ce042677f68c995bbe9e9fb4f146742af40b983182b34e94a
Instruction ID: fe0f65e8267ce51e15670c123389b05b740d1061e06aaf6ad692178da31b6bc9
Opcode Fuzzy Hash: 2d9c1900cafe748ce042677f68c995bbe9e9fb4f146742af40b983182b34e94a
Instruction Fuzzy Hash: 9551D4BA504356DBC711EF68C844B6BB7E8AF88714F46092EFA85D7240E730DD04CBA6

Function 016AA580 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

(, xrefs: 016AA668

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 06160e97f67d8df696a131f0503f5f770f4e6a2e08fa7eb569bc39d9f0f4269a
Instruction ID: 30cf0c7f4458168bc23f01c61542fc2784474d3f8dc63ac7ba575467be2f4333
Opcode Fuzzy Hash: 06160e97f67d8df696a131f0503f5f770f4e6a2e08fa7eb569bc39d9f0f4269a
Instruction Fuzzy Hash: 855117B0A1135ADFCB11CF98C880A9EBFF5FF08714F10826AE505A7251D774A941CF94

Function 016B2140 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

(, xrefs: 016B2253

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 2ba471babd5815dfdbeaeacca77c982b0fbc42b97e90a173afe1981d6f35956f
Instruction ID: 7edef37c01962cd6a95942213ce6b42e41279d16faf786263a82b51f0cfaf789
Opcode Fuzzy Hash: 2ba471babd5815dfdbeaeacca77c982b0fbc42b97e90a173afe1981d6f35956f
Instruction Fuzzy Hash: C351FAB190161AEFCB11CF99C8906DDFBF1BF08710F50862EE918E7680D375A991CBA4

Function 016C28D0 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

twj, xrefs: 016C28FA

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: twj
API String ID: 0-1637908201
Opcode ID: f3625bf469942756152dcb2796e9513b87949f4b81ff56e4307d83fef2b4d836
Instruction ID: a4d340151efb2e2af9d587f84e5be3ce0501beabf1265aec6f8f0f0b9b2e63a5
Opcode Fuzzy Hash: f3625bf469942756152dcb2796e9513b87949f4b81ff56e4307d83fef2b4d836
Instruction Fuzzy Hash: 51518371A003459BEF25DB99CC54BBEFBB6EF80B54F24401DE9056B288DB759841CB50

Function 016EC6A6 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01728181, 017281F5

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrredirect.c
API String ID: 0-3694840737
Opcode ID: 6824f9562a3653f70d3da842d366dd18fc097fa082b3ab33e7de8659d679fe22
Instruction ID: 5fe22ce091e41ca08bbf4ca2f898aef24c16d6faf5ec574398d8ed4ac81fed7c
Opcode Fuzzy Hash: 6824f9562a3653f70d3da842d366dd18fc097fa082b3ab33e7de8659d679fe22
Instruction Fuzzy Hash: BF3104716443129BC320EF28DC4AE2BBBD5EF94B20F04065CF945AB291D620EC05CBA3

Function 01734DD7 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 01734E06

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrutil.c
API String ID: 0-4055692389
Opcode ID: d79a156417919afcb4ce056f028e1d4554ce5d73a585394543a8c7c0825bf9d8
Instruction ID: 5b19173d587623cad123d75d46f5636534695328b068775aad0339d24380fc9d
Opcode Fuzzy Hash: d79a156417919afcb4ce056f028e1d4554ce5d73a585394543a8c7c0825bf9d8
Instruction Fuzzy Hash: 42216B731C81067BE72C9A6C8C49D36FB6CFBC9A74F140108F61396656C950DE00C635

Function 016D8DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26a2a57fb56c43ca389adc484d5b39ac1ef2e4605fe693f46d991364f2373123
Instruction ID: f7fefc90fffae08720b8ed16acf8ddc96471e2c1a5bc9d7711a930416c01cb1c
Opcode Fuzzy Hash: 26a2a57fb56c43ca389adc484d5b39ac1ef2e4605fe693f46d991364f2373123
Instruction Fuzzy Hash: F5225E70E0021ADBCF25CF99C8849BEFBF6BF48714B54809AE945AB245E734ED41CB64

Function 016B28F0 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7578769247557b2f963bdd945ae9d9e48cae786aede34c6f50fa7aa73d7b5b8b
Instruction ID: 085f2d7db8b801b5afb4ef1d29329121b49ac8e542908e4469fd803274b405e9
Opcode Fuzzy Hash: 7578769247557b2f963bdd945ae9d9e48cae786aede34c6f50fa7aa73d7b5b8b
Instruction Fuzzy Hash: EDF1E3716083518BE725CF29CCA07ABBBE1BFC4750F08892DE98587391D775E885CB92

Function 016D4A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction ID: d831ad4cccbfedf75d44dd4cab305760f82006fcfd6ccff4dc1c7e6c81ab5f15
Opcode Fuzzy Hash: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction Fuzzy Hash: 7CF17171E0021A9BDB15CFA9C980BAEFBF6BF48710F048169E905AB754EB74DC42CB50

Function 016BA9D0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798c1d74f35f01d594969a9f4b6c9e2625f674f36f4dabe9a9b589dae673918d
Instruction ID: bb92661e5f6dfc42d8cac72a4344f6e437ccf7f4356c3047bce4d5c2798fc469
Opcode Fuzzy Hash: 798c1d74f35f01d594969a9f4b6c9e2625f674f36f4dabe9a9b589dae673918d
Instruction Fuzzy Hash: 68E16E71E00219ABEB22CEDDCD84BEEBBBAFF04310F14456AE911E7255E7749981CB50

Function 016A8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c38f2aef55ecef6e1b456d0727ef74aff4d22902b91d6a5fdfcf63e18f48fd
Instruction ID: 0df9d2025b90750afe724de0e37f083242e419c389d962b07b55d188461e1633
Opcode Fuzzy Hash: c5c38f2aef55ecef6e1b456d0727ef74aff4d22902b91d6a5fdfcf63e18f48fd
Instruction Fuzzy Hash: C9D1BC75A00606DBDB15DF68CC80ABEBBEAAF54305F45462DE9129B280EB30EE51CF50

Function 016B65D0 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc50ed78422dc85ce84f21371398149fa8d498d72f30c93ce895f420b68f425c
Instruction ID: af34570dd7b98c81d7c7cf122cbc94f2c147563523ee07615982de7b71e8718f
Opcode Fuzzy Hash: fc50ed78422dc85ce84f21371398149fa8d498d72f30c93ce895f420b68f425c
Instruction Fuzzy Hash: 04E19F71508342CFC715DF28C8D0AAABBE1FF89308F45896DE99587352EB31E945CB92

Function 01738243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction ID: 984d1404ec261e9095e3a751aa59f65013c1e1126e16a5fc227628ac9333e9a4
Opcode Fuzzy Hash: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction Fuzzy Hash: 76B1B076A00605AFDF24DF98C944AABFBB9EFC4304F10461DBA0297796DA30E905CB11

Function 016C0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction ID: 6d07969c888ad60c41f4c7ba7b4bfa0ea7bae67562dd902e4647ea7f59cd077b
Opcode Fuzzy Hash: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction Fuzzy Hash: 4AB1E135600646EFDB25DBA8C954BBEBBFAEF84700F18015CE6529B385D730E942CB90

Function 016D0DE1 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8affa789f5301fdf3f13db3c5f9bad9bb99f4c0f5d8c8bb60f58dd66830e5048
Instruction ID: 40cfae0ed376d1dd954ebd714b65067c1b623858822521a8922637b9780e8e55
Opcode Fuzzy Hash: 8affa789f5301fdf3f13db3c5f9bad9bb99f4c0f5d8c8bb60f58dd66830e5048
Instruction Fuzzy Hash: D8C14C70E0525ADFDB25DFA9CC84AAEBBB6FF88304F10412DE505AB345DB71A841CB90

Function 016B83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcf1104a5be9eb35c7679047bf1102ce37aa9741724dc09cd14fb147b108586
Instruction ID: 50aca704b6bb78d2c47859ec8f724af05f86b0c8b620f0cfc924b8d4d1f9ff4a
Opcode Fuzzy Hash: 1dcf1104a5be9eb35c7679047bf1102ce37aa9741724dc09cd14fb147b108586
Instruction Fuzzy Hash: A4C158711083418FD764DF28C894BABB7E9BF88304F44496DEA898B391D774E948CF92

Function 016AC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddfa22054daee89b501ece36079a230774076001f2373a765c1b9b092fbf4eb
Instruction ID: f51701175f2b8e13ffac2f29127dc4d894eedebd35e2e42bb55759f25f75fa36
Opcode Fuzzy Hash: 2ddfa22054daee89b501ece36079a230774076001f2373a765c1b9b092fbf4eb
Instruction Fuzzy Hash: CEB16170A002668BDB25DF58CC90BA9B7F6EF44700F4485E9E54AE7281EB749D86CF24

Function 016F0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63dc1f4ec8ba645fb2b68e6717b0eb625512ff5b1219fc3b430b1398f2c3e713
Instruction ID: b221d4358f36f09a20559c2c22f1d4895c32d952c5d4739b213f660e07ea4c65
Opcode Fuzzy Hash: 63dc1f4ec8ba645fb2b68e6717b0eb625512ff5b1219fc3b430b1398f2c3e713
Instruction Fuzzy Hash: C3A1AF71B01626DBDB25DF69CD90BAAB7A2FF54314F14412DEB0597382EB34E812CB90

Function 017360E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d03cab724cc3f4f0d7ba673030c7d936b3af3b328a6bcee1ddc04102217e21e4
Instruction ID: b6e45d40f7eba7ae255d8fd1a37c2c5658a13cbbe53b93432196b6993eae94f8
Opcode Fuzzy Hash: d03cab724cc3f4f0d7ba673030c7d936b3af3b328a6bcee1ddc04102217e21e4
Instruction Fuzzy Hash: AD916271D04216BFDB15CF68D884BBEFBB5AB88710F154169F610EB342D734EA009BA4

Function 016E63FF Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff9185fc85cb90b18bab7e9e56709d2c6f564c446de00ee8c64a94ac37affd2
Instruction ID: dde3b854c8c87802e6b080a4cf22c934fa9b574c658331a7e55af2bfb1bc6393
Opcode Fuzzy Hash: 2ff9185fc85cb90b18bab7e9e56709d2c6f564c446de00ee8c64a94ac37affd2
Instruction Fuzzy Hash: AC915B71B02325DBDB35DF18DC98BADBBE1BB91B24F54822CE5066B285D7709842C7D0

Function 016CE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdedeed13bfbdee1f112442ac0521162ef0fb9391bb4941bc1cfeb197b2c2786
Instruction ID: cd9005845ab3ffdf279d1e75d4de871e07185a9ee3b53a9eb8dd78617aa9840b
Opcode Fuzzy Hash: cdedeed13bfbdee1f112442ac0521162ef0fb9391bb4941bc1cfeb197b2c2786
Instruction Fuzzy Hash: E8911572A016168BEB249B5CCC54B7AFBB2EFA4B14F05806DEE059B384E736D902C751

Function 016C0C00 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a1baa40806ebefe0f44fb22c5e254fa5d04c6e6d86519b6bc1048c4b5819e06
Instruction ID: 572360532bfcfbc3210539e840160bd4ce1f4ad22641a1c20a24153084c4f993
Opcode Fuzzy Hash: 9a1baa40806ebefe0f44fb22c5e254fa5d04c6e6d86519b6bc1048c4b5819e06
Instruction Fuzzy Hash: CCA1DE79600206DBD729CF28C890BBAFBE2EF45B00F14856DE5968B786D734F845CB91

Function 017389B3 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f924cb65a90d908230d377e9928452708172306de6dfaacff65b7de2b9d9bc
Instruction ID: 2fda5e676a07621388dfaa23674921255288b68d57e4c7b35b65523b361cd81c
Opcode Fuzzy Hash: 71f924cb65a90d908230d377e9928452708172306de6dfaacff65b7de2b9d9bc
Instruction Fuzzy Hash: 3B9135B2645302AFD721EF688C90B5BFBA5ABD4724F44465CFA416B282C7709D01CB97

Function 016E4AD0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c55a8172bb31a4147372386f54f9f89c5470f663c533b48f1f20d440014545
Instruction ID: a6f0e7597e82315bbe4b555a31de0e4d255a64f773237c59fc4856d543f0fc73
Opcode Fuzzy Hash: 62c55a8172bb31a4147372386f54f9f89c5470f663c533b48f1f20d440014545
Instruction Fuzzy Hash: 5B6112326017129BDB228E2DCC45B3AF7E5AF84A50F14869DE955DB340CB34E802CB95

Function 01706ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978a1a688aa726a2fa7b9f6c7bd9434505075bb7566bf3bcb402308a4316a59f
Instruction ID: 55ea95998be58dd6f19877b916d8f82de81e7f7afa4843f52b2b6506d1b2c581
Opcode Fuzzy Hash: 978a1a688aa726a2fa7b9f6c7bd9434505075bb7566bf3bcb402308a4316a59f
Instruction Fuzzy Hash: 0A819EB1A007169BDB25CF69C850ABEFBF9FB48700F14852EE545D7680E734E950CBA4

Function 016A6D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e821fc342c56a34c1302151c4103258085479647a1624961981c02eda009243
Instruction ID: f492b89e5303df305244dc1c7b5d8e3b65210bf8006e9d576e3549280249deaa
Opcode Fuzzy Hash: 8e821fc342c56a34c1302151c4103258085479647a1624961981c02eda009243
Instruction Fuzzy Hash: B5717772A44702EBDB22CE29C940B6BF7D4BB44358F044929EB59D7282D730EC84CB92

Function 016EE284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87fd124c5b5ee4a3c336d1a3a7cab82118cebabde4930405222679af4dc35888
Instruction ID: 9ef8f9d4936bb86e3bbd0d417207723f678921055f0f6e073b2352700cc35c10
Opcode Fuzzy Hash: 87fd124c5b5ee4a3c336d1a3a7cab82118cebabde4930405222679af4dc35888
Instruction Fuzzy Hash: AC818D71A01609AFDB21CFA9C884BEEBBFAFF48314F14852DE655A7250D731AC05CB60

Function 016B64AB Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aae32320c27834b0424eb203e40db8103f7c9fe760a1a666c8fa4b6fc50f0fb7
Instruction ID: 1f80de914fc80f91f0328b4a5e8f0af9e73c753fc4e5e445ac14cc7f0594d71b
Opcode Fuzzy Hash: aae32320c27834b0424eb203e40db8103f7c9fe760a1a666c8fa4b6fc50f0fb7
Instruction Fuzzy Hash: 6C71BDB29043059FCB21DF18CCC5B9BBBA9AF94764F40046CF9498B28AD734D599CBD2

Function 016CC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1e813c4ef87ee45ba93b940b3e2be20bbab58e02b68f7fac511cf9e0c0eb586
Instruction ID: 970c433f923774114b30178c35e9cfb820bac6fbf83055916d730468ea680a8a
Opcode Fuzzy Hash: a1e813c4ef87ee45ba93b940b3e2be20bbab58e02b68f7fac511cf9e0c0eb586
Instruction Fuzzy Hash: E371DD75D00229DBCB258F59C990BBEFBB1FF88B10F54815EE986AB354D3309841CBA1

Function 016EA660 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 504caaabef2dcef5cfc3e321491274c7c793c636a7c2c868d09d307c4795c6a1
Instruction ID: 362f50929e603e7c2e1375ea1c9eae1765ddb49af0ffcfbaa5df1c95886ab703
Opcode Fuzzy Hash: 504caaabef2dcef5cfc3e321491274c7c793c636a7c2c868d09d307c4795c6a1
Instruction Fuzzy Hash: 99716DB5E0022A8FDF28CF98D9906ADFBB2BF48710F14816EE905A7345E7709942CB50

Function 0173035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction ID: 09e06c16cccd77a4c7dfff647468220c2941d5dbd4510c11274d66addfa761f5
Opcode Fuzzy Hash: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction Fuzzy Hash: 8B715E71A00619AFDB11DFA9C984EEEFBB9FF88700F104569E505E7291DB34EA01CB54

Function 016B8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6c0d05b27b5e00fd74a1478294203eba99f8d75a14d8131b78ab0f08f90fbd9
Instruction ID: f5c38ea599946257c932c2cdb3535294507de905e3ed764296c4288371bdee91
Opcode Fuzzy Hash: f6c0d05b27b5e00fd74a1478294203eba99f8d75a14d8131b78ab0f08f90fbd9
Instruction Fuzzy Hash: CD81B472A08305CFDB28CF5CD884BEDB7B9BB88320F6A412DD9016B286D7759D41CB94

Function 016BA471 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbaaccaa778a7143fd7195938a557d3b816165dccc343f69a42379f0dda0214e
Instruction ID: 44f17abb27de82d8453865ea5c36edb655eb975e857d0d8d36f97d52554dc956
Opcode Fuzzy Hash: bbaaccaa778a7143fd7195938a557d3b816165dccc343f69a42379f0dda0214e
Instruction Fuzzy Hash: 437180751083469FD711CF98C880BAAB7E5FF84704F00882EFA85D7254E738DA8ACB56

Function 016C0A5B Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e50342b93411f12e745b3c56a91278769b5f4be0ae8ff076044a10367e83c72
Instruction ID: bcdc87bffdbb24c9036475519642845da29eaf8f79d7486ec8ab917bde957e9c
Opcode Fuzzy Hash: 4e50342b93411f12e745b3c56a91278769b5f4be0ae8ff076044a10367e83c72
Instruction Fuzzy Hash: 30619D74600305EFDB29CF28C884B6ABBE1FF45B08F14855DE85A8B296D771E881CB91

Function 016C61D1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb639025cd0eb1bd9a62b9334040de8e034eb44ca5a9240e94a78040c57dd21a
Instruction ID: ecfa1ba3d94f09e63277f8f1fae01d546a5ba69e5d1f7b5271531030cb501540
Opcode Fuzzy Hash: fb639025cd0eb1bd9a62b9334040de8e034eb44ca5a9240e94a78040c57dd21a
Instruction Fuzzy Hash: 4B718C34A016268FDB26CF98C8507BDF7B2FF85B04F24855CD956AB341DB74A942CB84

Function 0172E6F2 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef0a7c141c3a5cce8b6942847947d8cc63a19e3317090fe97fff9fe87f3d7741
Instruction ID: ecc47a2f04e08d55b3bdd17f49f344b1407978366dfc086f9fea0d2ec0902681
Opcode Fuzzy Hash: ef0a7c141c3a5cce8b6942847947d8cc63a19e3317090fe97fff9fe87f3d7741
Instruction Fuzzy Hash: 1B616D71E403299FDB24DFA9C840BAEFBB9FB48700F14406DE649EB291DB71A941CB54

Function 016BAC50 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c95f4b938b66571551700b0f0410aae690e21bda642ecb522e6919c1bbc30b
Instruction ID: 95e6174ba5699fb21c7d7d6afb5d65afe22ecee1913cc3cdabd33137c6b2e14d
Opcode Fuzzy Hash: 32c95f4b938b66571551700b0f0410aae690e21bda642ecb522e6919c1bbc30b
Instruction Fuzzy Hash: 6C61CE72A046459FEB22DFACC880BEDBBB5FF54711F04456AE901AB391D774D980C760

Function 016F2160 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 644b335a334a56b57ae05515f8cea2679369ddf2a4c08bb21727ceb1c9a2e865
Instruction ID: 863bd9fb2286817338a7a18df1b69b99a09f045fdb7113656ad6478a417b6411
Opcode Fuzzy Hash: 644b335a334a56b57ae05515f8cea2679369ddf2a4c08bb21727ceb1c9a2e865
Instruction Fuzzy Hash: A2512B75A006199FDB10CFA8CC507EDBBF5AF48324F25822EEA25EB684D734E9418F54

Function 016DEDD3 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f360f01e573d5bf61b8daaae375b700c315a55e12fdd055472d09304bbec2b12
Instruction ID: 2f23b4bb2d0c6164a9a48d096d36a3c97c5bcbed15fcdf0e15dfd36ac1f1048a
Opcode Fuzzy Hash: f360f01e573d5bf61b8daaae375b700c315a55e12fdd055472d09304bbec2b12
Instruction Fuzzy Hash: BB51DB71A007419FDB31DF5DCC84B6BB7AAFB94719F50482EE1028BA51CB75E889CB80

Function 016DCDF0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction ID: 3ac04b27f22b29ba51de3cfe077dfb7c8e125b60e13bb3e6e3ca72e2bfa77ac6
Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction Fuzzy Hash: 80516E75E0060ADFCB15CF9CCD806EDFBB2FB88210F198169DD15B7249DA34AA41CB94

Function 016C2CDC Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948c4c58393c67a0bd3230382b8d2dea412a3fba20703058d630c0e76aa85500
Instruction ID: 9c9e974deab55c212bf382fedd59b38264f105834633e29801201eede6361e47
Opcode Fuzzy Hash: 948c4c58393c67a0bd3230382b8d2dea412a3fba20703058d630c0e76aa85500
Instruction Fuzzy Hash: 7271AD71A046599FEB25CF68C9547B9BBF0FB04B14F18809DD849AB392C379A886CF50

Function 016EE443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5193c9e506a15bd28df1b06075c9eb85aec31e6326390d5eafb571258a984ff
Instruction ID: 9f0290b612e69ced619c58eed5069e0febcfcd575ac78aecc61f21cf3c5f829d
Opcode Fuzzy Hash: e5193c9e506a15bd28df1b06075c9eb85aec31e6326390d5eafb571258a984ff
Instruction Fuzzy Hash: B1518A71201A15DFCB22EFA9CD84EAAB3FAFF14784F54056EE64287260E735E941CB50

Function 016D45B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction ID: 077cc773100d04a52176d77be3a05e3389597ed3b635fa56a78064016c469833
Opcode Fuzzy Hash: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction Fuzzy Hash: 7F519E71E0021AABDF15DF98C840BFEBBB5AF49750F058069EA05AB740DB34DD45CBA4

Function 0173E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction ID: 004323dbd4a3afd5b528d5b3fded5025f888ff6a2123ac73ce9778dc7643be9f
Opcode Fuzzy Hash: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction Fuzzy Hash: 4851A971D0021AEFEF169F94CC95FAEFB75AF80314F154669DA1267192DB309E408BA0

Function 016CE627 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47253e4a4a3348f28855c699cf24d69dbff6b4e5528fe707f88bde34c08a6b2
Instruction ID: d618b19e5c413f1e47c7e7f6f5abcde7b81990f53a06da0de6dc1455da32d957
Opcode Fuzzy Hash: d47253e4a4a3348f28855c699cf24d69dbff6b4e5528fe707f88bde34c08a6b2
Instruction Fuzzy Hash: A141B3725083129BD720DA75CC40B7BBBE9EF88B04F440A2EF685E7240EB75D905C7A6

Function 0173CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9202e5335404f092d15f1305cd33633317f983c823d67fa5bd3c0602980901
Instruction ID: e1845bd778534082dc94805439954a16108156f8786bb68b075738140138361f
Opcode Fuzzy Hash: 5f9202e5335404f092d15f1305cd33633317f983c823d67fa5bd3c0602980901
Instruction Fuzzy Hash: 9E51907190021ADFCB22DFA9C9849AEFBB9FF88314B55851AE506B7302D735AD41CF90

Function 016ECC00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2562343c42cedb98dfaedc3e763be09ecdbaa04771ff7f7597cdd05201f8bb
Instruction ID: 53f629ae28b02cf48de9011b024b5ec9cbb09435a766388282f836adc1b3f003
Opcode Fuzzy Hash: ae2562343c42cedb98dfaedc3e763be09ecdbaa04771ff7f7597cdd05201f8bb
Instruction Fuzzy Hash: 32512930202207CBDB298E2CDD5C736BBD1EB42A54F18976DF906CB251D772D4A2D752

Function 016EA430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c73fc039a05b7332a8d0f9693bd96c280634e8fd771de01e22672864f0ea8f0a
Instruction ID: 54da281c531d441dc65b45f03ff3473ad7f460dcad4918c35e0beac2c9060af2
Opcode Fuzzy Hash: c73fc039a05b7332a8d0f9693bd96c280634e8fd771de01e22672864f0ea8f0a
Instruction Fuzzy Hash: 1A4166716462129BCB39EFA89C84B7A77A6EBD4718F40412DFE029B281D7719811C794

Function 016E01F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921734b39f6173df2978f7f309c35e5882034d6e73a88b8756efa8336b1223be
Instruction ID: b67b5a4915200f18fb73f735d33b845650f242d6cbc0556f2cbea68f57a9905e
Opcode Fuzzy Hash: 921734b39f6173df2978f7f309c35e5882034d6e73a88b8756efa8336b1223be
Instruction Fuzzy Hash: 1441BC35A022169BDB11DFA8C844AEEB7F5AF48600F14825EF815A7340D7749C42CBA8

Function 016ACDEA Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507e2c8e0956ccb7f31e30cfc58e9b82afa8bd19cd7e3e97a1839e73772a016d
Instruction ID: dadeabdc8fbcb5f3ff1258bd546146e9dd7125a21d5909f07cdde2b8f2ad1ba6
Opcode Fuzzy Hash: 507e2c8e0956ccb7f31e30cfc58e9b82afa8bd19cd7e3e97a1839e73772a016d
Instruction Fuzzy Hash: 02418076900319EADF26DB98CC80AEEFBF9FF44610F65415EE612A7290D7709E41CB50

Function 016F2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction ID: 85e24b8e4b6d66c19111ce24f53784a3d031986160e7f0cb9591453a1cc3060d
Opcode Fuzzy Hash: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction Fuzzy Hash: F5513675A006258FCB15CF9CC580AAEF7B2FF84710F2881A9D915A7752D770EE82CB90

Function 016B6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36fe06ab3a2bbf8362883890f829d0203774144e45bb44723ae36e179a322663
Instruction ID: d16a6ff1c37189197b5e9f53b5e3474c78ad0226b707a5a2c598b03bc7dc7da6
Opcode Fuzzy Hash: 36fe06ab3a2bbf8362883890f829d0203774144e45bb44723ae36e179a322663
Instruction Fuzzy Hash: 6551E2709402069BEB258B2CCC50BE8BBB6FF15314F14C2ADE529A72C1DB3499C1CF84

Function 016B0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe244aeddab3d989ae05b5fcac9be84da486b11f2ca1fad53dcf362b8f2effb
Instruction ID: 57595eb1d9d625af687c428eb67c81ad66f62417aa566639549a17aceca2eeb4
Opcode Fuzzy Hash: 9fe244aeddab3d989ae05b5fcac9be84da486b11f2ca1fad53dcf362b8f2effb
Instruction Fuzzy Hash: 58418331A40328DBDB21DF68CD80BEABBB5EF45750F0504A9E908AB241DB749E81CF95

Function 016B0D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d43fc632cc137842f95cb99f1d2a0c8c84a1b847cef5ad47280106a6906778
Instruction ID: 8f2efeda97853b729d2de14ae77081cced5a947c8cc3b7e6201ea8b6dc78161f
Opcode Fuzzy Hash: 82d43fc632cc137842f95cb99f1d2a0c8c84a1b847cef5ad47280106a6906778
Instruction Fuzzy Hash: 7241B4756003149FEB32DF28CC80BABBBBAAB55710F04449DF9459B281D770ED81CB55

Function 016E6F60 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcd53a2afbecdb508ac32a3fd90bd5f1436c8da61d1b1beb5c0955da83f5c9d
Instruction ID: 7c9634c045905e989dedd6058bd652f6872c3947d75b7ba203fa824f689800e2
Opcode Fuzzy Hash: 6dcd53a2afbecdb508ac32a3fd90bd5f1436c8da61d1b1beb5c0955da83f5c9d
Instruction Fuzzy Hash: D95155B5A01709CFDB11CF69C884B9ABBF2BF48310F14862ED96A9B350D731A901CF90

Function 0172C730 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2767b5476bdc46e489d6c6e5e21f29793f1e766f26a80fed1626e236a1d992
Instruction ID: 97d84af80379fba892f7276265e7c7dd7a6997a7a1bd3b2f8786c90e9c2537c6
Opcode Fuzzy Hash: 6e2767b5476bdc46e489d6c6e5e21f29793f1e766f26a80fed1626e236a1d992
Instruction Fuzzy Hash: 7E4166B1D0052DABDB21DA50CC85FDEB77DAB55714F0085E9EB08AB140DB709E89CFA8

Function 016B0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be317a2441e60aadb028b15fd6f0ebb45ad04c412ba06e583cdf518797b844e
Instruction ID: b134e2f5c88d74988a0251907b19fa6ad44c08219981c8d7adbc97a30a342b86
Opcode Fuzzy Hash: 7be317a2441e60aadb028b15fd6f0ebb45ad04c412ba06e583cdf518797b844e
Instruction Fuzzy Hash: E741E2706007019FE725DF28CC80A63BBF9FF48314B149A6EE54787A51EB30E886CB94

Function 016DA470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38818d0d82fbc9a8486bbfe1426ca1e5bc7a8dce3ed6a7fe2c0bd686b41a99c1
Instruction ID: c8ba316cf95f4963d7cc2f87984e176a0c1df98be8bbabfce1f1b7759e91215b
Opcode Fuzzy Hash: 38818d0d82fbc9a8486bbfe1426ca1e5bc7a8dce3ed6a7fe2c0bd686b41a99c1
Instruction Fuzzy Hash: CE41F032D05204CFDB21CFACC894BEDBBB5FB88720F984199D412AB385DB759901CBA4

Function 016B8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bc5dafa8de43d95b5d66022399e8bf9454e75d2737b7bc9baf00aa40d36935b
Instruction ID: 58b7446163cf485b573d759e829603d56c4a7a1ce2ed35457d931a8207f09859
Opcode Fuzzy Hash: 2bc5dafa8de43d95b5d66022399e8bf9454e75d2737b7bc9baf00aa40d36935b
Instruction Fuzzy Hash: 0F410772900202CBD724DF4CCC80A9ABBBEFBD4714F68812ED9125B255D775D982CF90

Function 016A8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a266a34dc86aa70eb6c16680103f34a85d1b73018c38119cc6b51e7a35956c21
Instruction ID: 7928c18f7e89fcb8995be7c757086b58429fd7e576d03c5b96e57be12445660c
Opcode Fuzzy Hash: a266a34dc86aa70eb6c16680103f34a85d1b73018c38119cc6b51e7a35956c21
Instruction Fuzzy Hash: C2413A759083069ED312DF69CC40A6BF6E9EF88B54F40092EF984D7250E730DE458B97

Function 016AA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 5148fefe7e89be3fa9c7440db421741577d263e6ba572c5db8969ef0625b83ca
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 32412E35A00311DBDB12DEA98840BB9FBA2EB50759F95806FE9459B280D732AE41CF90

Function 016B09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66bd530eb08152ec5996faf10b3d8c2f368e8f456fb0e0f85396ea2c82cd87e
Instruction ID: e826cbfaf118636d44b1dd2402b6449fc302f8378f8793ca8de53d6f532bf222
Opcode Fuzzy Hash: c66bd530eb08152ec5996faf10b3d8c2f368e8f456fb0e0f85396ea2c82cd87e
Instruction Fuzzy Hash: EA416B71640601DFD321DF18C880BA6BBF5EF54714F248A6EE8498B352E771E9828B94

Function 016E0710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction ID: 1beedfcd287e0e1483cd82145bca176547a3043050b0159e4eb91717bbbfd763
Opcode Fuzzy Hash: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction Fuzzy Hash: D3415971A01705EFDB24CF98C994AAABBF9FF18700B104A6DE556D7290D370EA45CF90

Function 016AC156 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fe977dd45fcdf98b8240c00ce4ea31696b5c551622c56443df0109bd0851a9
Instruction ID: 419ccf43fd43b149a864ca413c5d3f148b0e0410703fa8c47f12d03cacf83230
Opcode Fuzzy Hash: 00fe977dd45fcdf98b8240c00ce4ea31696b5c551622c56443df0109bd0851a9
Instruction Fuzzy Hash: B441E771900301CBCB21EF98CC80BE9B7B5FF55304F94816DE9469F382EA759986CB94

Function 016BA2C3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14531a462e9a3b25fa3ec525060c1de325aca7f60bcd5d6ce4bec8715e706197
Instruction ID: 59bd3eedb15079c861f9106aefca61fe065bd4478c1838508c84f35fb88c615b
Opcode Fuzzy Hash: 14531a462e9a3b25fa3ec525060c1de325aca7f60bcd5d6ce4bec8715e706197
Instruction Fuzzy Hash: 0141E231A05659DBDB21DF9DC880BAEBBB5FF84700F2440A9E901DB396E375D981CB40

Function 016EC8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eace6f118aed6fab3851c76bf9d26b8b56f47b44d870110632474bfa5e03454a
Instruction ID: ebb1d7ce28d64c2909e2a2ae6e42e0a2917ec25900605628cde752099a9cc6f9
Opcode Fuzzy Hash: eace6f118aed6fab3851c76bf9d26b8b56f47b44d870110632474bfa5e03454a
Instruction Fuzzy Hash: 2231A9B2A01345DFDB12CFA8D840799BBF0FB08724F2081AED519EB291D3369902CF94

Function 016A80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bad1a613b281e996d896f4f16c1d526e0621ef089b5eaff44c4a79ca066bdf
Instruction ID: 8c455853da926bcd00ba428221944bb82c3a1dcfbea0d6a69823bbd478d07447
Opcode Fuzzy Hash: d5bad1a613b281e996d896f4f16c1d526e0621ef089b5eaff44c4a79ca066bdf
Instruction Fuzzy Hash: BB41C071A05617EFDB01DF18CC80AA9B7B9FB54762FA48229D815A7280DB34FD428FD0

Function 016A8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a75caaf7e9e5146fdc4cb6a3a9a0dfef386a14e557e32e2a50c568e0d63c8ac3
Instruction ID: b276c3d624435b790b5bc40fca082a2bb01f9eab34f9473e7a28df67469d0b82
Opcode Fuzzy Hash: a75caaf7e9e5146fdc4cb6a3a9a0dfef386a14e557e32e2a50c568e0d63c8ac3
Instruction Fuzzy Hash: A0419CB1A01205CFCB15CF69CD809ADBBF6BF98321B50862ED466A73A0DB30AD41CF50

Function 016E2674 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b44a849ea7847aa25eeb6b9eee1f0df9fedd61021992b03a8719eabe8e3dd18
Instruction ID: 9b03b5d749482c6d5abd1010f828b79abfaed3d16092fd8aa92ee021ac73fb56
Opcode Fuzzy Hash: 5b44a849ea7847aa25eeb6b9eee1f0df9fedd61021992b03a8719eabe8e3dd18
Instruction Fuzzy Hash: 0E315B76F4122177FB119A958C49F6BBBADDB60A50F15015CFA01AB201D370DE02C6A1

Function 0172CCA0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96021d3fff5424e085168e09b26ebc3bc7e93b107a5a82a80522457accb14a0
Instruction ID: 459d08cbc68033816105db1d779b5ddb72c19ea4d3b2cc9a6fa04cff8aff5d07
Opcode Fuzzy Hash: d96021d3fff5424e085168e09b26ebc3bc7e93b107a5a82a80522457accb14a0
Instruction Fuzzy Hash: FA31A632940129BFDB229B94CC50FEFBB7DEF64750F054069FA00AB250D6309D42CB94

Function 016A8CD0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91b475293a607d483a9e513eee8b7713d21fc860792c8ecc19a96bf394a0d745
Instruction ID: 7cb2d463b18ffc2ed4b58eab48e83909b2d3f617897f5ace327bbba0d91ad78f
Opcode Fuzzy Hash: 91b475293a607d483a9e513eee8b7713d21fc860792c8ecc19a96bf394a0d745
Instruction Fuzzy Hash: 5131D572901205DFDB21EF18CC405AAF7F6FF64321B54856ED555A7390CB30AD418F94

Function 016C02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction ID: 2509828407f3a15ac5c27bbbbd0423cc7aefafba27b2970e55d3d78a00840127
Opcode Fuzzy Hash: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction Fuzzy Hash: C3310431A04245EBDB118F6CCC84BEABBE9EF14750F0441A9F81AD7352C7749884CBA4

Function 016C26EB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction ID: d20dbe95dc68d6230fdc7b2d58a5670e8ab93a8bddf916bbb6ebd4f4a1b33d75
Opcode Fuzzy Hash: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction Fuzzy Hash: 2641BF357042428BD716DF1CC8A4B7AB7E6EF84A10F0484ADEC548B355DB34DC46CBA5

Function 016B4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39398f7f211d376e8285132e24ef21b92846dc5634b7638a752a266fe7b7023e
Instruction ID: 027386588ef3d61ab3309eab46d327a61d6dd8cd934b935e5a043b3c10bf9ed6
Opcode Fuzzy Hash: 39398f7f211d376e8285132e24ef21b92846dc5634b7638a752a266fe7b7023e
Instruction Fuzzy Hash: F741BF31204B45DFD722DF28C885FD6BBE5AF59714F14842DF69A8B251CB74E881CB50

Function 0172EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272d887484087b8de6bdc473d051766159e296a02d20d404ac773515b3846943
Instruction ID: af9de8d1689f90f29f7af79b4e7bc4a9a56cb64b348422279aa8daf7fdf88f06
Opcode Fuzzy Hash: 272d887484087b8de6bdc473d051766159e296a02d20d404ac773515b3846943
Instruction Fuzzy Hash: 4D31D2326016A29BF322579CCD48F65FBD9FB44B40F1D00A8EA459B6D2DF28D882C224

Function 016B6484 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 445e980da78f85b86320b2ed0b8a7513974de732acb3001815b3b4d379162450
Instruction ID: febc6cece45b1a15979d780f702d304cf0f3b0249626d3fb11c58adaa4390516
Opcode Fuzzy Hash: 445e980da78f85b86320b2ed0b8a7513974de732acb3001815b3b4d379162450
Instruction Fuzzy Hash: 5D31F4726007458FDB32CF1CC9C1BE6B7A9EB04B60F448479E9488B68BC725E585CB90

Function 016DEB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162b200508f7bd1d982cad8a14e6e652db39629f0c9ff7115467a3ddcae8e5d7
Instruction ID: 1bad8ccc200495dddeb2e9d4768c28e0cbce53f10ea9b04cf601f71e3732951b
Opcode Fuzzy Hash: 162b200508f7bd1d982cad8a14e6e652db39629f0c9ff7115467a3ddcae8e5d7
Instruction Fuzzy Hash: 3931C972E00215AFDB21DFADCD40AAEBBF9EF44750F014469E555DB250D771AE408BA0

Function 016B07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 904084026ffc12b3d2aa3c1fb9190aa055e2436f37a5ebd9dec4d4fa56a26fa0
Instruction ID: e5e1bcc1a8da6d22469d88fad31077b02c57aa1281cd59740b899b59ff13fd9d
Opcode Fuzzy Hash: 904084026ffc12b3d2aa3c1fb9190aa055e2436f37a5ebd9dec4d4fa56a26fa0
Instruction Fuzzy Hash: 0F31D476A04712EBCB12DE288CD0AABBFB6AF94650F02452DFD56A7310DB30DD4187E5

Function 0172CA72 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf545468e3236c4abceec2b19038ece4652a9f1ece95ac853e9cff2e856374b1
Instruction ID: 5797d1bcfe563ecf9ba55adb3dc3f5e5e05da121159f7c62a71a5f032c9c8c1f
Opcode Fuzzy Hash: cf545468e3236c4abceec2b19038ece4652a9f1ece95ac853e9cff2e856374b1
Instruction Fuzzy Hash: 3631033690056AAFEB16DA58CC51E7FFB75EBA0760F01416DEA05A7250D7309E02EBE0

Function 016DAF69 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99268dc59ccd844fa0fc017be90bba83bd4893716af5344f1d1376c6a17c431a
Instruction ID: f4d4bd05cbb5b8a78eb251c19f8baa76306e2abcdc4a3ed2db6142c59a8b9aa9
Opcode Fuzzy Hash: 99268dc59ccd844fa0fc017be90bba83bd4893716af5344f1d1376c6a17c431a
Instruction Fuzzy Hash: F6318F31E011299BDB219F298C48FAFB7B9EF45640F0640EAE909E7254DA349E81CF91

Function 016EA6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction ID: 12a08c6592d3354cb3e36f3f617ca5d5230f1330235cd37da11ffc88e0c277ad
Opcode Fuzzy Hash: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction Fuzzy Hash: 97312CB6B41711AFDB61CFA9CD44B67BBF8BB08A50F04052DA59AC3751E730E9008B64

Function 016D438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e12789efa051e6a1a7a6026e59cddde8385fbb30261a69ae1832a5e1ae6a4943
Instruction ID: 4b84f64967a6e31de1e9c3e999e55b8358aebf3e796ec885a2305ddb5deae274
Opcode Fuzzy Hash: e12789efa051e6a1a7a6026e59cddde8385fbb30261a69ae1832a5e1ae6a4943
Instruction Fuzzy Hash: BA31D472F012059FDB20DFA8CD81A6EBBFAEB94704F008529D505D7A54DB30ED81CB90

Function 016ACB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction ID: 8fea4bad12d15441dd4dac4c3c55ca99a0ebf1ec61145a184c26fcf88e54d9bf
Opcode Fuzzy Hash: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction Fuzzy Hash: 0E210436E4035AAADB119BB98800BEFFBB6AF14740F0580759E15E7380E270CD008BA0

Function 016AE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85d50102e704597547cb9ecc056b9453f7f057681f3fe68c0abdf33104ca808
Instruction ID: d2e2cfd60a57bef2a44320627dc448085dc8fa587c084741ba40d0bdbc68bc89
Opcode Fuzzy Hash: c85d50102e704597547cb9ecc056b9453f7f057681f3fe68c0abdf33104ca808
Instruction Fuzzy Hash: 0731F532A0152C9BDB31DF18DC41FEEB7BEEB15740F4100A9E645A7290D775AE818FA0

Function 016E4588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction ID: 330da339369a0e4d8f97b414ae38bab8898a7958c7f825a9329f933824c60bee
Opcode Fuzzy Hash: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction Fuzzy Hash: 63219131A01619EBCB11CF68CD84A8EBBF6FF48714F108569EE15DB242DA74EA05CF90

Function 016E44B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae814c7407214844d89ad6ed95d1cc999d2a100dfff63ce6b597bfc832760b65
Instruction ID: afe3d361644f672a18d58d0e3e693d1f1a5560a4327f6fc579e05f4ddbc4fb50
Opcode Fuzzy Hash: ae814c7407214844d89ad6ed95d1cc999d2a100dfff63ce6b597bfc832760b65
Instruction Fuzzy Hash: 2D21A0726097459BC721CF68CC84B6BB7E5FB88760F01861DF9549B681DB34E901CBA2

Function 016AE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction ID: ec353d08943961fa2bdf1a850cd31df6ae6bf57e7461d45534f3aa4acf5ce43d
Opcode Fuzzy Hash: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction Fuzzy Hash: 16318931600605EFEB21CFA8C984F6AB7F9FF85354F1045A9E9528B291E771EE02CB50

Function 0172E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b147af1ee8e3fd12797eec996c8a00d2f7420e0b907fd2ce638704925298275e
Instruction ID: ce336413a8551f6af14e8da40d98effb68abb9aa293b859d886f2a9ed360d649
Opcode Fuzzy Hash: b147af1ee8e3fd12797eec996c8a00d2f7420e0b907fd2ce638704925298275e
Instruction Fuzzy Hash: 8831AE75A00256DFCB24CF1CC884DAEB7B6FF84304B198459F8099B391EB71EA52CB94

Function 016D8CB1 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction ID: 8d7098004fae4a36541e6fa9aecc4cb2b46a9acc8b8504d24d3c2f6267ca3edf
Opcode Fuzzy Hash: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction Fuzzy Hash: DA214F37901215ABDB329A8DCC48FAFBB7DEF95690F154065FA059B244C734DD01CB90

Function 016B8D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 4638eb0d473c7fd667e9815783e458993d6c01b3773669053bcee10fb72b51b2
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: BD2145327406819BE726972CDD58BB5BBBCEF40B50F2940A9DE42877D3E364DC41C260

Function 017306F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be19f804ebd41d66484c6f0c14fcc4e6f03f370cfccc85ad0d960d971a2dfdcd
Instruction ID: 6ba2bae935728fb9f0d659001c0ea86cceafd9db0fe35434ca75c33046192d89
Opcode Fuzzy Hash: be19f804ebd41d66484c6f0c14fcc4e6f03f370cfccc85ad0d960d971a2dfdcd
Instruction Fuzzy Hash: 932191719001299BCF11DF59CC81ABEB7F9FF48740B514069F941A7241D738AD42CFA4

Function 0173019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85d8a5259c25c90e264644cca44afe1da49fae74ed9b9508b90d1ab640c3458b
Instruction ID: 126c68d1cf9f7c5d772ff0a18094293e5722fc22399ef238c9a101cce6c176f1
Opcode Fuzzy Hash: 85d8a5259c25c90e264644cca44afe1da49fae74ed9b9508b90d1ab640c3458b
Instruction Fuzzy Hash: 25218972600645ABD715DB6CCD84A6AB7A8FF88B40F14406DF904DB7A2D634ED40CBA8

Function 01730283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e712abe0d90965fe03148294eac2c4840326eabae48df280f28a9b7142af5cc0
Instruction ID: 5dad5c48ae2916ac7cf3caf65ee84daaf28501a8a9249bcd130dad85612b8afe
Opcode Fuzzy Hash: e712abe0d90965fe03148294eac2c4840326eabae48df280f28a9b7142af5cc0
Instruction Fuzzy Hash: 7121AF729082469FD711EF69CD48BABFBDCEFD1640F08445EB98087252D734D904C7A6

Function 016D2835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64bd2d788f028294e4b4c6a3bcbecf18752c6c781c12e43fea1a3c70f58add07
Instruction ID: e0335410bc9c8f7d4dc9a1ef2691818e42344d1ae09c6cb74b579ab9a8ef49b6
Opcode Fuzzy Hash: 64bd2d788f028294e4b4c6a3bcbecf18752c6c781c12e43fea1a3c70f58add07
Instruction Fuzzy Hash: 77213E32B05AC19BE323572C8D19F247B95EF41B70F2903ACF9709B7D6DB68D8428254

Function 016B6C50 Relevance: .1, Instructions: 73timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016B6D8C

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction ID: f3d96470a2c70ec155412cf33efb45ddb5820ca6a8176bcc6181f0d9f31cf51b
Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction Fuzzy Hash: CA318875601600CFC721CF6CC480B66BBE9FB88714F2484ADEA498B756DB31ED82CB90

Function 016EA30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4ae299fc123972116c588dfc07c15c2a520cadab53db190fc57dfd47a58e8e
Instruction ID: 6d9e938641e2e8a53b647e9a233403af2532c9ce8954b79366caf06d66972ca6
Opcode Fuzzy Hash: af4ae299fc123972116c588dfc07c15c2a520cadab53db190fc57dfd47a58e8e
Instruction Fuzzy Hash: 70219875241A119BC725DF69CC00B56B7E6EF48B04F24856CE509CBB62E371E842CB98

Function 01730946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af591cfb2e6d5b9d8f0c006822662ec8e25e7d05d9d54ef910123be701e2fd5
Instruction ID: e93e1e9d18966d5a6a067d9f38e6ffc4bb57fe17a5114c18d9509bd230f8e993
Opcode Fuzzy Hash: 5af591cfb2e6d5b9d8f0c006822662ec8e25e7d05d9d54ef910123be701e2fd5
Instruction Fuzzy Hash: 6021E5B1E01249AFCB24DFAAD891AAEFBF9FF98610F10012FE505A7241DA709941CF54

Function 016C0BBE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69f4241e00a3ad9eb09b93fc90bf6c9fa7e6f95e9c03497c24141396e2d63e
Instruction ID: f392f4826811b8618ffc47bad20b28f88a91d0dc544f90735468e2769974b5f7
Opcode Fuzzy Hash: 0c69f4241e00a3ad9eb09b93fc90bf6c9fa7e6f95e9c03497c24141396e2d63e
Instruction Fuzzy Hash: DE11CD39394142DFDB29DA18C855B7AF3A5EF82A15F18815DF8068B259DB30D881CB54

Function 016E0124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction ID: 30560f4e1bfc5785ac8982b511cbb1de0907efd96c76f928c022f23366bb5f48
Opcode Fuzzy Hash: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction Fuzzy Hash: E711E273602605BFD7269F94CC84F9ABBB9EB80755F10012DF6008F280D6B1ED44CB54

Function 016B8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14fd61afd372dd27cec6cff7b5d20bba2dac0671b10ec2035849835ef3ae5e3
Instruction ID: 8e2f037538c22324bd404d10b4e187c819e9888b85654db9e2342ec57b6d07b1
Opcode Fuzzy Hash: b14fd61afd372dd27cec6cff7b5d20bba2dac0671b10ec2035849835ef3ae5e3
Instruction Fuzzy Hash: D611B2717116119BDB11CF4DC8C0AEABBEDAF8A715B1940BDEE089F304D7B2D9428790

Function 016EAAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction ID: 61d842b767e2ededb9da01dcfdf970f12c4e6f314c5e79b3f13e09006ac63bf4
Opcode Fuzzy Hash: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction Fuzzy Hash: AF218E71601641DFDB318F89C948A66FBE7EB94B50F148A3DE94687710C730EC02CB40

Function 016B80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88bb7655c411362eef079986abbbfe7444fa9efe135857a3159ae8b40e56765a
Instruction ID: a0e6470552ead2b9c0d3e9c12f9dcaeb59c54def34553683aa2d49988b62de83
Opcode Fuzzy Hash: 88bb7655c411362eef079986abbbfe7444fa9efe135857a3159ae8b40e56765a
Instruction Fuzzy Hash: 7E216D75A01206DFCB14CF98C981AAEBBB9FB88719F24416DD105AB351CB71AD46CBD0

Function 016E674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d90dc6762a523a227d848bc95e1998bfe9c2c6893954a63df03b1374cb7ec7
Instruction ID: 8531d45c3161b236ea4698026082b9e4b1fb00bad48d61cfa2a08476a0dd5f4c
Opcode Fuzzy Hash: 23d90dc6762a523a227d848bc95e1998bfe9c2c6893954a63df03b1374cb7ec7
Instruction Fuzzy Hash: BD218C71641A01EFDB208F68CC80B76B7E9FF94650F44892DE5AAC7251EB70E841CB64

Function 016AEA80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30d54c5fc2799f518ac342c0b5fe61ca8f60b70b38c163c7bb3cfb4be493ff34
Instruction ID: e26bca8eafbd44b7885e04bfbca2b78a396b5a9f64e7b79c1baf5a28098630af
Opcode Fuzzy Hash: 30d54c5fc2799f518ac342c0b5fe61ca8f60b70b38c163c7bb3cfb4be493ff34
Instruction Fuzzy Hash: B3117CB1501741AFE3319F66CD84A57BBF8FF58784B40892DE54A87621E771E804CFA4

Function 016DE8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 635177b941854d6df9dd7d564d63827bf73bcdf52d208460b621a8408439aeac
Instruction ID: 22fa074927b1b604dc74c7fe9bbdfa26d3df37580c411cf6c651f9d9228ae87f
Opcode Fuzzy Hash: 635177b941854d6df9dd7d564d63827bf73bcdf52d208460b621a8408439aeac
Instruction Fuzzy Hash: 771148327051109BCB19CB29CC80A7BB757EFD1270B28853CE922CF380E931C802C690

Function 016C2B79 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction ID: 6a21f14ee13ee2c45b166b1523d74c2bf55c38f1beb281d5375495e3a4ca81b3
Opcode Fuzzy Hash: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction Fuzzy Hash: FD116D72A056589BDB22CF99DC94BBEBBB8FB04B54F09409EED04A7341C374AC41CB90

Function 016E66B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9c24f6d64ce25a8c224571dff82ff0e07c23e45a8464ef18faf4dd51eb4475
Instruction ID: 5c00f7b5346fd9096843597eb5af2615f097b977a2b6b653365a3711e80f5b88
Opcode Fuzzy Hash: 1a9c24f6d64ce25a8c224571dff82ff0e07c23e45a8464ef18faf4dd51eb4475
Instruction Fuzzy Hash: 5C11BC76A42205DBCB29CF59C988A6ABBE9EBA4610F05817DE9059B310EB30DD00CB94

Function 016B0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction ID: 6958a4ae0fb1c8d45b32f0479d16152669e4249375b907960589847763759307
Opcode Fuzzy Hash: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction Fuzzy Hash: 7A21E3B5A00B059FD3A0CF29C880B52BBF4FB48B10F10492EE98AC7B40E371E854CB94

Function 0173E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 974ae55d81a0a5094b80b71119c969365b937abbc4f004badbf74c46f26e29df
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: A611A072A40605EFE7219F48CC44B9AFBE6EF85754F05942CEA099B1A2DF31EC40DB90

Function 016D27ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59de7919d2142b9dcdef64c6ac87f689a956e2e7c9529beb08c98e3e94f986b0
Instruction ID: e0882029ce1019c91238224fe4e27f2d434572e5da508c3a4dca3f177509b8ce
Opcode Fuzzy Hash: 59de7919d2142b9dcdef64c6ac87f689a956e2e7c9529beb08c98e3e94f986b0
Instruction Fuzzy Hash: 20014972B06A85AFE326A66DDC98F77BB9DEF80750F06007DF9008B241DA14DC00C2B1

Function 016B4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53dcee232b463db8b7910bbce02ad26279233721ba9b713f85f67eeca3b8c7b5
Instruction ID: d319093e7bba9c36b2d9d850902b43173069bf01cc48af82161952a8ce03d45e
Opcode Fuzzy Hash: 53dcee232b463db8b7910bbce02ad26279233721ba9b713f85f67eeca3b8c7b5
Instruction Fuzzy Hash: 1B110236240655AFDB21CF59CC84FA67BA4EB86B64F00412AF9068B342CB71E881CF60

Function 016E6620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc78c6e0e3a2bfc446240ca2fc80994e7ab7b0c1f8c1ab7fc674ca404084a1a
Instruction ID: cc0d4a3c5c8c7dae64432cd8d5ab8a77dff92dcc9b2795f76b79d281ae0dcb25
Opcode Fuzzy Hash: 0fc78c6e0e3a2bfc446240ca2fc80994e7ab7b0c1f8c1ab7fc674ca404084a1a
Instruction Fuzzy Hash: 7C110232A02225ABDB22DF59CCC0B9EFBF9EF94740F500118EA01A7300D730AD008F55

Function 016DE53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 32f4b82d250dafa4607c1a1bc8d35df94090ec055d93978d0717422d330c4f1a
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 2C11E5726016C29BE723A72CCD48B65BB95EF01B84F1900A4DE41CB742F72AD846C250

Function 0173E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 266514135afb0a36744bab99a98d7163546c006b1cbf4ed2725b539ccbc44518
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: D701B932600115AFE7225F58CC44F67FBA9EFC5B60F058478EA459B162DB71DD80C790

Function 016AC301 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction ID: b711915da18539f6019a8488cd0b675cec3cb30d87e5da863dc49a588bd73d20
Opcode Fuzzy Hash: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction Fuzzy Hash: 05F0B4332416379FD7325A5D8C40B6BAA9A9FD4BA0B554039F3059B744CAA08D02ABD4

Function 016AA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: e36c75b8a7ef6750ce787601baabe814b7dde1ee8be51ce8f0a62b498e2330e5
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: 430126315047229BCB318F59DC40A327BA5EF55B60744C62EFD958B281C331E821CF60

Function 0172E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ee08929a6889f45198cf87983c139e8b595414782871d9c0f84eb1facf727f
Instruction ID: 4a24c7cbedee534321e3c72848400d73450bc044557078bc171472dc5b7eaf1a
Opcode Fuzzy Hash: a5ee08929a6889f45198cf87983c139e8b595414782871d9c0f84eb1facf727f
Instruction Fuzzy Hash: 3411ED32241640EFCB15EF09CC80F56BBB9FF54B44F2000A8FA068B261C631ED01CB94

Function 016B6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee6bfb66c79b0102cacfd0df8b86fe4dd7cbdf41d81da1c41ad7d61a11e4623d
Instruction ID: 98d8ff8fb77efd81f5d04d05e790b5f1e79550bf5862a6ba7a3e667f1d428fb9
Opcode Fuzzy Hash: ee6bfb66c79b0102cacfd0df8b86fe4dd7cbdf41d81da1c41ad7d61a11e4623d
Instruction Fuzzy Hash: 3F115E7054121DABEB25AF68CD51FE9B275BF04714F5081DCA714A61E0D7709E81CF88

Function 016E6DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction ID: 75d4a62e0c3b7d66c50d7b22ee9101c61c46b53a27480cc86d52a0f63bb47686
Opcode Fuzzy Hash: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction Fuzzy Hash: EC014C7260A11567EF259B55CC08BAF7FE5DB50B50F04425DEA065B3C0EB74D881C3E0

Function 01736050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edbbdbfff4bc864ec62c834b5cb1364860f620988109440b8cfdb9c964b36ca
Instruction ID: f7e569ed585b227d7cb53eb932ba11a7f90862154f49f7668f8800f635513f31
Opcode Fuzzy Hash: 0edbbdbfff4bc864ec62c834b5cb1364860f620988109440b8cfdb9c964b36ca
Instruction Fuzzy Hash: 35112973900019BBCB11DB94CC84EEFBBBDEF58254F044166E906E7211EA34EA55CBE0

Function 016B208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 70658ec632f9f70033396bab09972216510eb42bb481d9c28000188a421cd3eb
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 4401F5326002018BDF229A29DCD0B92B7A7BFC4600F1540ADED018F286DA71ACC1C790

Function 0173C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a22e102aefd2bcbe1a99ee1a23a3b806a6420dc65a77dca2d2b651deb481446
Instruction ID: 0dc3ef57042016efb6ad92af891b42bbe30c21e5bf2297c08e292b7802e8e656
Opcode Fuzzy Hash: 9a22e102aefd2bcbe1a99ee1a23a3b806a6420dc65a77dca2d2b651deb481446
Instruction Fuzzy Hash: 1911E8B1A002099BCB04DFA9D545AAEBBF9FF58250F10806AA905E7351D674EE41CBA4

Function 016AC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 7cf37735854ddfd67a02371c006d455f705518318b74c61567ca09693212bfbe
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 0B01DD32140705DFDB3396A9CD04FA7B7E9FFD5614F54841DA95687540DA71E802CB50

Function 016F20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75a513dfaa4df359bc728837a5d8cbbb256c3d610761d86df1514b220d32a29
Instruction ID: e6a1b7addec0584ef45e5ce1fe72fabcaf50e4445c54364b6f6575c685fde2ab
Opcode Fuzzy Hash: e75a513dfaa4df359bc728837a5d8cbbb256c3d610761d86df1514b220d32a29
Instruction Fuzzy Hash: E3116D35A0020DAFCB05DF64CC51FAEBBB6FB45654F10405DEA019B290DA35EE12CB94

Function 016EE5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41f1bb019fe921198e3159c9b104362888558204eb5bf81bc31434cbcaf2532
Instruction ID: 687b1d128e87d8250d14933a7c658820b778327bc3cb13125d4a765d2dc91f2f
Opcode Fuzzy Hash: a41f1bb019fe921198e3159c9b104362888558204eb5bf81bc31434cbcaf2532
Instruction Fuzzy Hash: E201A771241A11BFD311AB79CD40E67F7EDFF95A54B04062DB60583651DB24EC11C6E8

Function 0173C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78399f9cc9d2dda8b95151c76525e7960003bef5d53b1805840c6d1b6626266e
Instruction ID: a94de7247811fa8b632c8458ed38fdff8fa1d31281df8e3942580cdae60e4e50
Opcode Fuzzy Hash: 78399f9cc9d2dda8b95151c76525e7960003bef5d53b1805840c6d1b6626266e
Instruction Fuzzy Hash: EA115B71A00209ABDB15EFA8C844EAEBBB6EB88350F00405AF901A7345DA35E911CB90

Function 0173C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ca8eabf642391e4adb1042b1d2d653537c6fd00a3ad88364a5b8786f14e181
Instruction ID: f1112ca7559300c4150f2b0d3f937f4ac632b715e3ca56ed81fd2d8f2e4185d5
Opcode Fuzzy Hash: 14ca8eabf642391e4adb1042b1d2d653537c6fd00a3ad88364a5b8786f14e181
Instruction Fuzzy Hash: B4113C716183059FC700DF69D841A5BBBE4EF99710F00855FBA98D7351D630E900CB96

Function 0173CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60504a8b5322011576900e440c1c5f577d0860d7da39a6f7e5e6a40b10d60bec
Instruction ID: ec4a6ec7cc6fd9a23c8780db53322d7c4883e30096411dd43a98c83597949737
Opcode Fuzzy Hash: 60504a8b5322011576900e440c1c5f577d0860d7da39a6f7e5e6a40b10d60bec
Instruction Fuzzy Hash: 9D1179B16083089FC300DF69C841A5BBBE4FF99750F00851FBA58D73A1E630E901CB96

Function 01712045 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction ID: cab4de9054d6336408677c732a13c808399a8c15bfd60572836180d8654d9e74
Opcode Fuzzy Hash: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction Fuzzy Hash: 73015A36A083118BE751CF19C840A6AF7E6EB98710F144A6AFA85A7365D731EC44C792

Function 016CE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 7768cfc10826b348c96625c15c13b0a8641b37098003eeaaf2faa140217eb292
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 95017C32300680DFE323861DC948F36BBE8EB55B54F0904AAFA09CB6E2D769DC51C661

Function 016A826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed09c6a2d71e6aa7dbb0185e9ea0117b9f2675f58e4756db669a4dec9be6691f
Instruction ID: a133327bc7e8c9153ee4f4f567c09e39c967bcf4106eb19e35602a36fd13f7e9
Opcode Fuzzy Hash: ed09c6a2d71e6aa7dbb0185e9ea0117b9f2675f58e4756db669a4dec9be6691f
Instruction Fuzzy Hash: C401A731B00505DBD714EF69DC04ABFB7ADFF80620B9580699901A7785DE60DD01CAD0

Function 01734C0F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3be3984540e4e2f443c66e54f6ebaa07f91019dbdb3e562b9108183fc108a71
Instruction ID: 28906e7bff62fa4b4daee32df3462e679eaf8dcdd36d93c74da1504769eb627c
Opcode Fuzzy Hash: d3be3984540e4e2f443c66e54f6ebaa07f91019dbdb3e562b9108183fc108a71
Instruction Fuzzy Hash: C001F2B2B10306ABDB259F9DC9C0BADFBEDEBD4B50F440128EA0597202E7B4DC048754

Function 016B2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd90691d9d8dcec606c52f8f4aa6d2d15b052f4191f0c76aca3fa9c0d910a27
Instruction ID: d4eb4ef78fae83b0073bda72b66e4b301a460007e426b7558f3452b69b2e7add
Opcode Fuzzy Hash: fdd90691d9d8dcec606c52f8f4aa6d2d15b052f4191f0c76aca3fa9c0d910a27
Instruction Fuzzy Hash: C8F0A433741B11BBC7329B5A8D90F97BAEEEB84E90F15446DE60697640DA30ED41CBA0

Function 016DC073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction ID: 84aa0190b76ca2dd4fe8928dada1b2cd477f228b069803512820cce8cfd9ee7c
Opcode Fuzzy Hash: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction Fuzzy Hash: 0DF0AFB2A00615ABD324CF4D9D40E67FBEADBD5A80F04812CA605C7320EA31ED04CB90

Function 016ECA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 7306d421e07b0f0ffabb2c667470022f86de8d2435ba5b4cad92e8c1fe8b20b8
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 010144322016859BD3229B1CCC0CF99FBD8EF41710F0881A9FE048B7A2D77AC802C211

Function 017320DE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ea9f1ddad9bfb5b4ed44cbe36d528a65cb52b07c504df335728bdaec5edf3ac
Instruction ID: 32936b10a3a6239097f0eda9d041387e05b2e07d7739b8a4e7aacc7d798ca9f2
Opcode Fuzzy Hash: 3ea9f1ddad9bfb5b4ed44cbe36d528a65cb52b07c504df335728bdaec5edf3ac
Instruction Fuzzy Hash: 2EF0C875740309BBEB24EA4CCD56FAABB6CEB80B64F50005DF6056B686D5B0A504C691

Function 017363C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction ID: 6f7f8b9b59836c99dd551e5ad99d5dff33cabb9201e2fd9be49ccf2a7347e193
Opcode Fuzzy Hash: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction Fuzzy Hash: 13F0127210001DBFEF019F94DD80DEFBB7EEB55698B104129FA1196160D631DE21A7A0

Function 016AC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac7f2dd838b006d3ba0a7711f763a0429e7de452b4ad1e1c3238f7a6b97afd3
Instruction ID: f7d6dd5680fab4fd0a5b27fb76a1402767ad09320dbff7cf6f3a6c1331949ccd
Opcode Fuzzy Hash: 2ac7f2dd838b006d3ba0a7711f763a0429e7de452b4ad1e1c3238f7a6b97afd3
Instruction Fuzzy Hash: AAF024713043415BF750AA1D9C11B23729AE7D0652FA5806AEB058F7C1EE70EC028BB5

Function 016E656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c62e5f56168340588e2491fc6c55b34d05b3c954d787370079c07a53c9391ad
Instruction ID: 833b1a2b0bcc0af56443e5a1db749307c678b4200eca5a90a28bf19fabfe3382
Opcode Fuzzy Hash: 6c62e5f56168340588e2491fc6c55b34d05b3c954d787370079c07a53c9391ad
Instruction Fuzzy Hash: D201A4703016819BE322972CCD4CF657BE4FB50B04F4842A8FA019B6E7D728D8428614

Function 016EA5D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0f6c4338ec00d002c86ff99042277f9e3779f7d76078e733f5ff53a4180604cc
Instruction ID: 365a9a029a36d12c9a4aa73969b6cdeb51ca10b0fa7f5e536f37d97b1cb6e12a
Opcode Fuzzy Hash: 0f6c4338ec00d002c86ff99042277f9e3779f7d76078e733f5ff53a4180604cc
Instruction Fuzzy Hash: FD012CB2201740AFD321DF64CE09B2277E8F785B25F058A7DB219C7180E330E801CB4A

Function 016C0218 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd544a27501035724fff92d651e066b698364279b8dc1ca24c2a9cf9974d7fa
Instruction ID: 78ff30548ea1840ce882fd453dedec870e23661df9f9b6763a6a4d9fb230d14b
Opcode Fuzzy Hash: 2dd544a27501035724fff92d651e066b698364279b8dc1ca24c2a9cf9974d7fa
Instruction Fuzzy Hash: 8CF09479915601CFE32A9F18CC20730BBA2FB81F20FA1822EE5018B392D73CC845CB51

Function 0173E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction ID: 560edb845f61e9df3888acdcf2cd33a45b5b8272ad02801203bf0c5c61bab640
Opcode Fuzzy Hash: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction Fuzzy Hash: A9F08233F916129BE3319A4ECC80F96F7A9EFD5A60F191079AA049B261CB60EC41C7D0

Function 0173C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8c67742cd94a2274246658a6d095d17231590d32cf5f446d50982764761473
Instruction ID: 791b9fc4ca9e496fc025f6d5cf47f6e2461de7f5991b8cee1e52f31f447d1128
Opcode Fuzzy Hash: 5e8c67742cd94a2274246658a6d095d17231590d32cf5f446d50982764761473
Instruction Fuzzy Hash: 6AF0C8716053049FC310EF38C945A1BB7E4FF98710F40465EB994DB391E634EA00C796

Function 016C266C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a8f62dd483dc2126bb4ef90645147c577306089457323c6210648aa526dea22
Instruction ID: 558a048c297543c6e58f856f3baa093887e2b0bbadb5c9dd546cfece72ab2ad8
Opcode Fuzzy Hash: 1a8f62dd483dc2126bb4ef90645147c577306089457323c6210648aa526dea22
Instruction Fuzzy Hash: AEF090327156418FC312DF6DD840766F3E9FF55211B04417AE945C7205EB78D952CB94

Function 016E0854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: df9faf87b07c053c5964ef0e4f6e294cf784bb0feb2d062668eb21cc786c9f38
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: ABF02472700201AFE714DB21CC04F57B6FAEF98340F258078A545C72A0FAB0ED01C654

Function 0173C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f0c530f3c1c8df6bcd59bb98013594cee980098d7ef07c2816204181ef166b
Instruction ID: 6617b2bcee05cce0a7546b6edaf21bdb3417381fe495da39b7b0941fcf511e7f
Opcode Fuzzy Hash: 33f0c530f3c1c8df6bcd59bb98013594cee980098d7ef07c2816204181ef166b
Instruction Fuzzy Hash: 63F06270A01249DFCB04EF69C515BAEB7B5FF58300F00805AB955EB385DA34EA01CB54

Function 016B47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d54ec047516dc784400605b7153a834d826a88a3cfff227c47f2af286d628b6
Instruction ID: cb9d1443bb366ed218a58c1885c61f659be45bef1a3ba2bc6da2d8ab316df1f0
Opcode Fuzzy Hash: 2d54ec047516dc784400605b7153a834d826a88a3cfff227c47f2af286d628b6
Instruction Fuzzy Hash: 97F0B4319166E19FE732DB5CCCC4BA1BBE4DB01660F0A496AE58B87643CF64D8C0C791

Function 016EC5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55d2fbd540321e24fc6ae4bdf7617f7801c164a7ef681b3377362c6a41ede44f
Instruction ID: 6bbd48167efe7ec40cbebb92280fec2f30d837f4bc06b178cfb9c260114a39e7
Opcode Fuzzy Hash: 55d2fbd540321e24fc6ae4bdf7617f7801c164a7ef681b3377362c6a41ede44f
Instruction Fuzzy Hash: FFF0E2715136719FE3229B1CC94CB23BBE49B857A1F089725D44A87652C364E881CE50

Function 016F2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction ID: 43d47a8f7fda50586a3e89d7eee14acbb919d7220a6ac0ffbc835e1b8974dc58
Opcode Fuzzy Hash: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction Fuzzy Hash: 0DE0D8323006012BE7119E598CD0F577B6FDFD6B10F04007DB6045F252CAE2DC098AA8

Function 0172035C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction ID: 7b840357b168373df11fd16e9897f2e04a463cdeab9be70e94b83f94e42026ab
Opcode Fuzzy Hash: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction Fuzzy Hash: 42F01D31A55AC1DFE3278B1CCC48F657BA4EB01B60F1902D4F522CB6F2D7689842C615

Function 017201DA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction ID: ce3bd9ffb05cba84eb10471a112f1aa362b7333121c83f8aa60c14f5ecc2bde6
Opcode Fuzzy Hash: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction Fuzzy Hash: 4AF01F70608B81DFE321CFA8D440B26B7E4FB09300F0086AAF294CB6A1D374E841CB12

Function 016B0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 9aa83a09331188d2edb44a93d6284d58af99676290d531bd2d9819833d1634c7
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 43F0A03A204741DBDB26CF19C490AE6BBE8EB55350B0004A8F8468B341DB31E982CB54

Function 016E49D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: d1eb67d7c0217158937b425b972a653fea1083cf302fa24f613943a20f78c7a7
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 60E09232245145ABD3211A6D8C08B6676E6DBD47B0F150529EA01CB258EF70DC41C79C

Function 016AEC20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction ID: a37d9e0208206c2f0d16d93bd4fbac278e8dadb7bd90c4cfc1357ec78fb9a550
Opcode Fuzzy Hash: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction Fuzzy Hash: 4EF0E531184289AFEF18DB04CC04F157799EB04724F84841DF52A8B192CB76DC84CF68

Function 01734CA8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction ID: 7b1f3fff0cb5bad40734537a360b77ad53908e28dee944a38cf928d9c3bcecc1
Opcode Fuzzy Hash: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction Fuzzy Hash: A2E026332001012AEE3563699D08FD3BF96DFC17B0F050029B60A874A1CF21C431C240

Function 016B25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8588fdf70e6a11b697cf3251b9186f5ae95654d19cffd0ec6182796228b142d
Instruction ID: 2dbddf02a0eaece8e7cc7badb2501981d2054d1a550138f4e7c5af7b7f562652
Opcode Fuzzy Hash: a8588fdf70e6a11b697cf3251b9186f5ae95654d19cffd0ec6182796228b142d
Instruction Fuzzy Hash: BAE092721005549BC321BB29DD51FDA7B9BEBA0764F01451DB11657190CB30B850C788

Function 01734000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 279616f50348b54e873b8af36f017f576ecaa1141ba5bba870c29589382a34a0
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: F4E0C2383003058FE719CF19C040B62BBB6FFD5A10F28C0A8A9498F206EB33E842CB40

Function 016ECA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2b55090170c27f44c24eb9eed15c5cb093a92c8fca4f822841cbac43c92af12
Instruction ID: 22f4ca41343392e67c454923a88844c4f0a84728e89fc5f70aa0975036aa615a
Opcode Fuzzy Hash: a2b55090170c27f44c24eb9eed15c5cb093a92c8fca4f822841cbac43c92af12
Instruction Fuzzy Hash: 5CD02B325870206ACB35E11C7C08FA33ADADB84760F018864F90892011D514CC8187C8

Function 0170E1D8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction ID: c12110b7e96155a1ba7cbbd495b2d91129080f317e0d761fb12a6f704a83e718
Opcode Fuzzy Hash: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction Fuzzy Hash: 89E0C2723145509FD201D64CE890C3BFBEDFBC8200F500297F884D3610C229DE11CBA1

Function 016A823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction ID: aee8b6367db64d2a1da252a52bee6e3990546b292a0bc597b5a8c4250ea0ac60
Opcode Fuzzy Hash: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction Fuzzy Hash: 19E0C231040A14EFDB322F19DC10F61BAAAFF94B11F20886DE181170A48771AC82CF88

Function 016A8C8D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction ID: 92b202d0b419df985639c021dfc294567acd48fe7831bb387f8402d4c2d08272
Opcode Fuzzy Hash: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction Fuzzy Hash: E5E08631042621DED7326F16DD04F52B6A6BB50B12F40442DA103075F0C770DC85CE89

Function 016B2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d6421fcf51fc0f2ce81205cad45689cf79449cff53899da0d2709727df72f5
Instruction ID: cf8bf67d0b7791a078dff092abb6d8364e51b5b8c7bf6e1e27801616a6550a0e
Opcode Fuzzy Hash: e2d6421fcf51fc0f2ce81205cad45689cf79449cff53899da0d2709727df72f5
Instruction Fuzzy Hash: 7EE0C2321004606BC311FB5DDD50F9A739FEFA4770F044229F151872D0CA20BC40C798

Function 016E8A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 1d097c3e99036ade0c3005c860e611e76d217701d4cc3d7d5ed0f1c366c80346
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: D1E08633111A1887C728DE1CD915B7277E8EF45720F09473EAA1347791C634E544C794

Function 016B2324 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction ID: de1e031cef5a5963822f3265da410d79611907cd6693bd061cd2422b5f12316c
Opcode Fuzzy Hash: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction Fuzzy Hash: EAE04631800186DFDB27AB59C9A4BEEFBB2FB88304F98005CD800321A0CB346890CB58

Function 016AA740 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction ID: 655250f5ca61615808be86546d75d955ad288f867488ee552de74443372db81c
Opcode Fuzzy Hash: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction Fuzzy Hash: 9FE08C30500545EBDB27AB9ACC94FEAFBB2BB88704F44059DD100265A0C728A8D0CF98

Function 01706AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction ID: 6e82aa29634112922658baaf4b6e07d7cdfccd0034dc5d52c0479bb11caea467
Opcode Fuzzy Hash: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction Fuzzy Hash: 9ED05E36511A50EFC3329F1BEE00C53FBF9FBC4F20705062EA54583A20C670A846CBA0

Function 016EE59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction ID: 9a9263f3b28e74c046fc33a1c48775eaa527be58dcbdfb6197b11608f3186380
Opcode Fuzzy Hash: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction Fuzzy Hash: 98D0A932208620ABD732AA1CFC00FD373E9BB88B20F0A045DF008C7150C360AC82CA88

Function 0172E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction ID: ed1419424b9703532c18cf429dc182b4b4c58e95955d7bd44ab55cee8a9a1db0
Opcode Fuzzy Hash: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction Fuzzy Hash: EEE0EC35A506849FDF12DF59CA40F9EBBB5FB94B40F150058E5485B660C635A901CB40

Function 016AA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction ID: 62591badb98d755b3ff06b62da33e0ee330653ba2ad7c9f826852ec4dc49841a
Opcode Fuzzy Hash: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction Fuzzy Hash: 5CD02232212030A3CB2856956C00FAB6906EF80A94F0A002E340A93A00C1048C43CAE0

Function 016EA830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction ID: 30f4838e3642892b06b76e0483030c64cc7fb32b6570f400db0ee0ce29f84b9a
Opcode Fuzzy Hash: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction Fuzzy Hash: 29D012371D054DBBCB119F66DC01FA57BA9E764BA0F448024B504875A0C63AE950D584

Function 016ECA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 350cac99465ff177df9e19d42dd434c9c867c91baf4da62ed88d98313d714c36
Instruction ID: b8f9af6761c3aabf11a338fd175f41c3d069a4dd96da77a7bbf0a9ea12bd668f
Opcode Fuzzy Hash: 350cac99465ff177df9e19d42dd434c9c867c91baf4da62ed88d98313d714c36
Instruction Fuzzy Hash: 55D0A730502011CBDF16DF0CCE18D7E76F0FB10740B40016CEB0151520D325DC02C600

Function 016C02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: eb00322307471ef32b43e3856a9017608f11166bdc406a45b4581491cc295407
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: FBD09239216A80CFD61A8B0CC9A4B2573A4FB44F44F814494E402CBB22E72CD940CA00

Function 016EC700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction ID: 1a9a4cd45239b05e9e1f122571abaedf26ffac2fb41553e0cc582ec88d6464fe
Opcode Fuzzy Hash: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction Fuzzy Hash: B2C01232290648AFC712AA99CD01F567BAAEBA8B40F004025F2048B670C631E820EA88

Function 016AE0D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df9e894434fcc8d2dd4b6c1bf807ebecda3d68aef3b3137c3c184770ea1aff41
Instruction ID: 26460b640d5b99528ffae38165594e6c41478c9894fbd0ac5ddff6981d00767b
Opcode Fuzzy Hash: df9e894434fcc8d2dd4b6c1bf807ebecda3d68aef3b3137c3c184770ea1aff41
Instruction Fuzzy Hash: C4C04CF7B140A0AA8714DF615804B76A58B93E5212B99C17DB195C2148D93AC8019A64

Function 016D0310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 8c16171356bd3db684a2e340a2ba455b885cb3a5180710aeea3f49d8bd9850bc
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 0BD01236100249EFCB01DF41C890D9A772BFBD8710F108019FD19076108A31ED62DA50

Function 016EC7F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction ID: c2622d9c59b4f498559475e83739eb386b4228c7b45984b5ef66968e5051cae8
Opcode Fuzzy Hash: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction Fuzzy Hash: 23C002353016458FCF12CB29C688A9DB7E4BB45640B4944D4E804DB722D665EC018B00

Function 016B0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 0cf4c8904fa09592c1ca401a9e81b06bf22b33e93162f1094f773881b40529df
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: F7C04C75701641CFCF16DB19D794F5577E4F744740F154894E805CB721E625FC01CA10

Function 016EC68B Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4104ecdd11a365f69b8417b2a1404e322110ede242665c0514157017a146bc99
Instruction ID: 3a471c2c205b50084cfee024330d48f76e7b7539ba7cd9e94566c0fa1d6c5b64
Opcode Fuzzy Hash: 4104ecdd11a365f69b8417b2a1404e322110ede242665c0514157017a146bc99
Instruction Fuzzy Hash: 98C09232151450AFC722EB09CE85F563BAAFB64BA4FC84068B105C26A2C228E820CB58

Function 016EA060 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction ID: 357b9ae71a6f29d1a6ee542246c318cd7c2078d37198924617b0c0855cbe9468
Opcode Fuzzy Hash: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction Fuzzy Hash: C7B012730218809BC71A6F04ED40E413766E7D4730F36046CB007478608A25DC51D608

Function 0171634C Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction ID: 743c54f749fe6e3a6f39fca419838d5e249dfa5446e5d37bd539dcce4efcd3ae
Opcode Fuzzy Hash: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction Fuzzy Hash: D5B011B2202880CBC202CB88E8A8B20B3A0FB00A00F0000A8A80283A02C228E8208800

Function 016EA950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction ID: ae9d4c3138aa6fa964cb9698e2db7142be720813fb0b60309e6eb27356cda8a6
Opcode Fuzzy Hash: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction Fuzzy Hash: 2EA011320208808BCB02AB08CE80A00B22ABB00A00F8008A8A00002832822888008A00

Function 01712BF6 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction ID: 79b56af39344125651d59b800b50392623c5eb2293423a4aeabda25fb6e1ef3c
Opcode Fuzzy Hash: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction Fuzzy Hash: DAB011B2202C80CBC202CB88C888B2033A0FB00B00F0008A0A80283A02C22CEAA0CA00

Function 016E0A50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction ID: 9d66f165d8133dd221c86d749209b95cc1f739683ea712ff2c3b23dcf8710710
Opcode Fuzzy Hash: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction Fuzzy Hash: 04A02232222880CFCB03BF88CE00F0033B2FB00A00FC882A8B002838B2822CCC00CA00

Function 016F4A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016F4A8F

Strings

0I8w, xrefs: 016F4AD0, 016F4AD5
0I8w, xrefs: 016F4AFA
0I8w, xrefs: 016F4B14
0I8w, xrefs: 016F4B04, 016F4B09
0I8w, xrefs: 016F4ADA
0I8w, xrefs: 016F4AEA, 016F4AEF

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0I8w$0I8w$0I8w$0I8w$0I8w$0I8w
API String ID: 3446177414-2549722193
Opcode ID: e8013205a08d2a146238cf656fab8deea651012a3230cf8695514e123370899f
Instruction ID: 168348995f0916504f147618ce9b2593668b22c9061cdf707e80d149726473df
Opcode Fuzzy Hash: e8013205a08d2a146238cf656fab8deea651012a3230cf8695514e123370899f
Instruction Fuzzy Hash: 7301B532E892115AD7609E2CBC087877BD1B7C5778FC5816DEB088F289DB705C61D394

Function 016F2890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 016F293C
___swprintf_l.LIBCMT ref: 016F295E
___swprintf_l.LIBCMT ref: 016F29A3
___swprintf_l.LIBCMT ref: 0172A52E

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: ff75d7c849805be9e858107ebaadff3f8b6313d71b32b5ef2b5e3512b1cd39f6
Instruction ID: 22dd7e3688224ae4a30785550cbc9ec3523567b46570e8a25017821193a72dbd
Opcode Fuzzy Hash: ff75d7c849805be9e858107ebaadff3f8b6313d71b32b5ef2b5e3512b1cd39f6
Instruction Fuzzy Hash: 2C51D6B5A00256AFCB11DB9D8C9097FFBB8BB08240B54826DF565D7641D334DE458BA0

Function 016CA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 017179FA
SsHd, xrefs: 016CA3E4
RtlpFindActivationContextSection_CheckParameters, xrefs: 017179D0, 017179F5
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 017179D5

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: 061bbe1a373cfe35810069fac16f549dc3c2637e66c9360b0fe0627bfe41bae0
Instruction ID: b66aac4733b5cc96afcd24f824c86825f421271e56a593b916bb08cbed33ecb1
Opcode Fuzzy Hash: 061bbe1a373cfe35810069fac16f549dc3c2637e66c9360b0fe0627bfe41bae0
Instruction Fuzzy Hash: FAE1B1716043068FD725CEACCC94B3ABBE1EB84B14F148A2DE956CB395E731D985CB81

Function 016CD770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0171948C

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0171936B
RtlpFindActivationContextSection_CheckParameters, xrefs: 01719341, 01719366
GsHd, xrefs: 016CD874
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01719346

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: f0908942ed59c6ce4040a053b197258752e9a9b762a99fcc96cb01ecc966a4a0
Instruction ID: dcf2bfee9d92321bda2ff985d92cded254b7c6bad732648c648e65865d805ef0
Opcode Fuzzy Hash: f0908942ed59c6ce4040a053b197258752e9a9b762a99fcc96cb01ecc966a4a0
Instruction Fuzzy Hash: 92E1C1746043429FDB20CF5CC890B6BBBE5FB88718F144A3DEA958B285D770E845CB92

Function 016FB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 016FB6BF

Strings

0, xrefs: 016FB66F
0, xrefs: 016FB695
-, xrefs: 016FB650
+, xrefs: 016FB65A

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: faadc6f7a6e447a6bd3e962208ff1e5096a7cba03e3d72da589e135dde6ec7c3
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: 7C81CE70E052599EEF298E6CCC917FEBBB2AF85320F1C421EDA61A7391C7349841CB55

Function 016B9126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01712559

Strings

@, xrefs: 016B9175
$, xrefs: 016B9191

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 62e7aa8cf2220ac4365e15ec8e7a8fb425c5fcb1edf52ac7482a11a9272a2906
Instruction ID: 19570fba6693a8cb16151a890a77b978aefa9711920b12cdc1fda8034f62aaa6
Opcode Fuzzy Hash: 62e7aa8cf2220ac4365e15ec8e7a8fb425c5fcb1edf52ac7482a11a9272a2906
Instruction Fuzzy Hash: 30812BB1D002699BDB31CB58CC44BEEB7B4AF48714F1441EAEA19B7680D7305E84CFA4

Function 016F4960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016F49A4

Strings

0I8w, xrefs: 016F4A23
0I8w, xrefs: 016F4A13
X, xrefs: 016F49F0
0I8w, xrefs: 016F4A03

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0I8w$0I8w$0I8w$X
API String ID: 3446177414-113150377
Opcode ID: 71aeb3776d1e5a46663cd3856c07bfd7e6e279b6a40d337abdac552e6836307c
Instruction ID: c45beb0e7642b9bc95f5f4951a428eb4f763b7405c914a93559694235c959ba4
Opcode Fuzzy Hash: 71aeb3776d1e5a46663cd3856c07bfd7e6e279b6a40d337abdac552e6836307c
Instruction Fuzzy Hash: 6731AE3190120AEBCF22CF5CDC44B8E7BB1AB89768F40806DFF1496249D7709A65DF85

Function 016DDB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0171F611

Strings

RtlUnlockHeap, xrefs: 0171F65D
Invalid heap signature for heap at %p, xrefs: 0171F653
, passed to %s, xrefs: 0171F662

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: 5621ce0c7280ea9c4cb2eda4e96d5ca84bc5cd81f0ea2f84997d0189f1b04bbb
Instruction ID: 01ecd47a78398a63ef4c0012cf4d82f4bbe0c00436e589a0c1a0b0e06e709787
Opcode Fuzzy Hash: 5621ce0c7280ea9c4cb2eda4e96d5ca84bc5cd81f0ea2f84997d0189f1b04bbb
Instruction Fuzzy Hash: 53413371A00741EFD722EF6CC885B6ABBA4EF45728F148569E54287395CB74A884CB90

Function 016DDBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0171F757

Strings

Invalid heap signature for heap at %p, xrefs: 0171F799
, passed to %s, xrefs: 0171F7A8
RtlLockHeap, xrefs: 0171F7A3

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: 599c5c1ca0ad624b1eb6dd8f3ef4c3de55f50c940c26373d637f5f871ec0b075
Instruction ID: d5220a3dd67178931b62a095ad9d56458f4297be7c0b36b695a0dfe9f43b1492
Opcode Fuzzy Hash: 599c5c1ca0ad624b1eb6dd8f3ef4c3de55f50c940c26373d637f5f871ec0b075
Instruction Fuzzy Hash: 40313631504784DFE722FB6CCC19BA6BBE8EF01B60F448199E44387696C7F8A884CB51

Function 016AC070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016AC0B4
RtlDebugPrintTimes.NTDLL ref: 0170D623
RtlDebugPrintTimes.NTDLL ref: 0170D651

Strings

$, xrefs: 016AC07C

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: ebc2af14998b6c106812545bfe9c788e250bdb10e05f3ef05e98a3c399f2041f
Instruction ID: 41f5b427b72f177ae5fa3b03d8ac8edbf2d0b2ce905abcbca70d6bd243342c0e
Opcode Fuzzy Hash: ebc2af14998b6c106812545bfe9c788e250bdb10e05f3ef05e98a3c399f2041f
Instruction Fuzzy Hash: A4115E32904318EBCF26AF94EC486ACBB72FF84774F108119F926672D0CB716A50CB80

Function 016DEF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f780c76bf352ee39d134c3bcce3765609e8b9c21059702dfc66c12429045ba9
Instruction ID: 822d749b1460a8477d33bcf7cd46b54a5bd4fb1a31beecf16f6e5393672fc33d
Opcode Fuzzy Hash: 0f780c76bf352ee39d134c3bcce3765609e8b9c21059702dfc66c12429045ba9
Instruction Fuzzy Hash: DAE10071D00608DFCB25CFA9C980AADFBF1BF48314F2485AAE946A7361D770A942CF50

Function 0172EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0172EFE1
RtlDebugPrintTimes.NTDLL ref: 0172F009
RtlDebugPrintTimes.NTDLL ref: 0172F0AC
RtlDebugPrintTimes.NTDLL ref: 0172F160

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a50b8aa3eb4d399175e0ee73131ec21662ac80efe4a8616c241a257b8687e5dc
Instruction ID: 5764a22a1022c0209fb472e9172af6d4202d57cd71664c094fb481d9563a75b4
Opcode Fuzzy Hash: a50b8aa3eb4d399175e0ee73131ec21662ac80efe4a8616c241a257b8687e5dc
Instruction Fuzzy Hash: 27711571E002299FDF05CFA8C984AEDFBB5BF49714F15402AEA05FB254D734A906CBA4

Function 0172F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0172F26D
RtlDebugPrintTimes.NTDLL ref: 0172F292
RtlDebugPrintTimes.NTDLL ref: 0172F324
RtlDebugPrintTimes.NTDLL ref: 0172F378

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 9f161ab3eb423f2c5d78efcffddac8130b62c432fd30704051f076c65d8fe6b9
Instruction ID: baa67f0b3cf7b52cd8af4a6ac077c66a496cb6f2df8a635fcfaa9a0940432019
Opcode Fuzzy Hash: 9f161ab3eb423f2c5d78efcffddac8130b62c432fd30704051f076c65d8fe6b9
Instruction Fuzzy Hash: C45101B6E002299FDF09CF98D845ADDFBF1BF49314F19812AE905AB291D734A902CF54

Function 016E7B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016E7B52
BaseThreadInitThunk.KERNEL32 ref: 016E7B5C
RtlDebugPrintTimes.NTDLL ref: 017249ED
RtlDebugPrintTimes.NTDLL ref: 01724A70

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: f7f9ed810f910f312331091073d67a04351c139badd79e0100f7b76cf470d843
Instruction ID: 0234d085e2b3c6f36174a3b9fa18315f20e1cc1c8b8b9f02b02ad16e209712b2
Opcode Fuzzy Hash: f7f9ed810f910f312331091073d67a04351c139badd79e0100f7b76cf470d843
Instruction Fuzzy Hash: BC310776E00229EFCF25DFA8D844AADBBF1BB48720F14812AE512B7294D7355D01CF54

Function 016B59C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 01710AA7

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 403899e9794ffeba0e2e74a24cf0a64aa52a74b60979d2ba916cfb603f4db113
Instruction ID: 9f162cdff854a496f7aa713a4fde9f149eaf8b04157515041f679cc3da5e0f87
Opcode Fuzzy Hash: 403899e9794ffeba0e2e74a24cf0a64aa52a74b60979d2ba916cfb603f4db113
Instruction Fuzzy Hash: 03323670D0426ADFDB22DF68CD84BE9BBB5BB18304F0081E9D54AA7241D7B49AC5CF91

Function 016F7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 016F7E8B

Strings

-, xrefs: 016F7DDD
+, xrefs: 016F7DE8

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 3575b52f1180bb44adf63a81df13f7069c007861f0d613f5de7338933573bedb
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: 42919071E0121A9AEB24DF6DCC81ABEBBA5BF44320F54461EEB65E73C0D7309941CB51

Function 016CD02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016CD3A4

Strings

l, xrefs: 016CD46B
Bl, xrefs: 016CD48C

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: 099ff8e36623607aa4492a2c461e0c050bbae0f3dd55831431a077600b47e617
Instruction ID: 3afb29116c3dc230e7b3b41cdcae32d3b99d1b7aaec290401e45c266d2d00fdf
Opcode Fuzzy Hash: 099ff8e36623607aa4492a2c461e0c050bbae0f3dd55831431a077600b47e617
Instruction Fuzzy Hash: 4AA1A431A013299BEB319B98CC94BB9B7B6EB85714F0480FDDA0967241CB74AD85CBD1

Function 016F5DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 016F5E34

Strings

pow, xrefs: 016F5E0C, 016F5E29

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 13267ecf5eeaff46b547e0516b20dac3a2e43a1fb495f94097c0d44a51c96dc0
Instruction ID: 25eea3cb46210a6b8904d95215a0c31618509d63dcda22c88c9aa8868f35f44b
Opcode Fuzzy Hash: 13267ecf5eeaff46b547e0516b20dac3a2e43a1fb495f94097c0d44a51c96dc0
Instruction Fuzzy Hash: 67514771A0920696DB22BB1CCD0136E2F94EB40711F24C95CE3D7863D9EB748CA6CB4A

Function 016DD7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016DD959

Part of subcall function 016B4859: RtlDebugPrintTimes.NTDLL ref: 016B48F7

Strings

$, xrefs: 016DD86D
$, xrefs: 016DD900

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 3244642a4ec1674d002a6bd3e885d1dbdcd30f8abf40cad208d50dce991a4531
Instruction ID: 8a113b96fc6eabb9767f3a45309045a31c55775dfaf7b9e51266fe9c0aec7fe8
Opcode Fuzzy Hash: 3244642a4ec1674d002a6bd3e885d1dbdcd30f8abf40cad208d50dce991a4531
Instruction Fuzzy Hash: A2511F71E003469FDB21EFA8C8857ADBBB2BF88314F25815DD5056B2C5C770A885CB80

Function 0173CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0173CFBD

Strings

@4Cw@4Cw, xrefs: 0173CFD5, 0173CFDA, 0173CFF1
@, xrefs: 0173CF0A

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 497ad50a5f3705fffcbe9b89d2ddff271adc4d67f616472d374c5e85a1d447e1
Instruction ID: 1e228192486b6304c1cfdf759a57f645245786bf9d272fed2d50abbe56964b13
Opcode Fuzzy Hash: 497ad50a5f3705fffcbe9b89d2ddff271adc4d67f616472d374c5e85a1d447e1
Instruction Fuzzy Hash: 3641C0B1900225DFDB219FA9CC40AAEFBB9FF94B50F40812EEA05DB255D734D801CB64

Function 0172FD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0172FE73
RtlDebugPrintTimes.NTDLL ref: 0172FE95

Strings

$, xrefs: 0172FE3D

Memory Dump Source

Source File: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: fe5426f8c40937f87b5aa107e6eec80881882e24975e6b0c6003bcdaa75f69d1
Instruction ID: 44c18f92134849e96b56f5967ed0e51ff70fa63cb84690f49662c194e7de1582
Opcode Fuzzy Hash: fe5426f8c40937f87b5aa107e6eec80881882e24975e6b0c6003bcdaa75f69d1
Instruction Fuzzy Hash: 79419E75E00219ABDF12DF99C880AEEFBB5FF48B14F144159E905A7341C7719D52CBA0

Function 016ADF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 016AE040

Strings

0, xrefs: 016AE00B
0, xrefs: 016AE020

Memory Dump Source

Source File: 00000009.00000002.2185169509.00000000016A6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01680000, based on PE: true

Associated: 00000009.00000002.2185169509.0000000001680000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001687000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001700000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001706000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.0000000001742000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2185169509.00000000017A9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1680000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: c816e2c38407b38de824ead4eb22e9406c40009a0ce871e3410274295ddb11d9
Instruction ID: 34d5ee22a3cdd33f7ec591056262701318665d38f00008291d2e9fd0cf30bc8f
Opcode Fuzzy Hash: c816e2c38407b38de824ead4eb22e9406c40009a0ce871e3410274295ddb11d9
Instruction Fuzzy Hash: 984147B16087069FC311CF68C884A1BBBE5BB89318F44492EF988DB341D771EA15CF96

Analysis Process: explorer.exePID: 4004, Parent PID: 7152COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.1%
Total number of Nodes:	69
Total number of Limit Nodes:	7

Executed Functions

Function 10DB3232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 10DB3449

Strings

`, xrefs: 10DB341D

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: a825fd6b9579a2e8892d1a8440246ea529b27ebc62087355b399d6b481b846bf
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 8F225B70A18A499FCB99DF28C4956AEF7E1FB99300F41422EE85ED7250DF30E851DB81

Function 10DB4E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10DB4E67

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 54cfffe6d9d626c21384a64b81b489635f0fbc2e5d07f80b256e75f939096650
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: F801B134628B884F8B88EF6CD48112AB7E4FBCE314F000B3EE99AC3250EB70C5414B42

Function 10DB4E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10DB4E67

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: f0b33b85fef60c7e869b90efea5a5a9dedd99feaee1a900689bd94a8040bb3a9
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 3B01A234628B884B8B48EB2C94412A6B3E5FBCE314F004B3EE9DAC3240DB61D5024B82

Function 10DB3F82 Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 815
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 10DB412E

Strings

: cl, xrefs: 10DB4338
nnec, xrefs: 10DB432A
GET , xrefs: 10DB4318
dat=, xrefs: 10DB4290
&un=, xrefs: 10DB44F1
&sql, xrefs: 10DB4471
Co, xrefs: 10DB4323
&br=, xrefs: 10DB4509
tion, xrefs: 10DB4331
ose, xrefs: 10DB433F

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: getaddrinfo
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 300660673-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 465cd75c139d13884ab9088171ed4b5826b1cb9a0f9adf9253f524fc4c80083f
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: A652BE34618B488BCB59EF68C4847EAB7E1FB56300F54462ED49FC7186DE30B94ACB91

Function 10DAE8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10DAE9A0

Strings

on.d, xrefs: 10DAE902
nt: , xrefs: 10DAE91E
User-Agent: , xrefs: 10DAE935, 10DAE948
urlmon.dll, xrefs: 10DAE959

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 198331e30d149e7ffa96fa09f846d71f42f8afc33cd88fdab64d2b72c6c844b6
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 1131E131614A0D8FCB45EFA8C8857EEB7E0FF58214F44422AE44ED7280EF789645CB99

Function 10DAE8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10DAE9A0

Strings

on.d, xrefs: 10DAE902
nt: , xrefs: 10DAE91E
User-Agent: , xrefs: 10DAE935, 10DAE948
urlmon.dll, xrefs: 10DAE959

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: dff44426946198d792c9d257445341fb4c95196321d42ddbf6d0ceafb2496b50
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: A5210630610A0D8BCB45EFA8C8457EE7BE0FF59304F44421EE45AD7280DF749604CB95

Function 10DAAB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 10DAACCA

Strings

.dll, xrefs: 10DAABCD
el32, xrefs: 10DAABA0
kern, xrefs: 10DAAB99

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: d0c50f899260546665539eb6b5759f11b5fff5b001c5760d6beebc206b2aa62a
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 98416B74918A08CFDB84EFA8C8D97AD77E0FB58300F44427AD84ADB259DF309945CB95

Function 10DAAB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 10DAACCA

Strings

.dll, xrefs: 10DAABCD
el32, xrefs: 10DAABA0
kern, xrefs: 10DAAB99

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: ab7bb1fd6eea7eb55ad23434e3e88a3793d0d820c8904ef6f860555253d50497
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: B2412974918A088FDB84EFA8C499BAD77F0FB68300F44417AD84EDB255DE309945CB95

Function 10DB05B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 10DB0611

Strings

sock, xrefs: 10DB05D9

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 1001521f85259efb7cf95a423fb7902406ff4c8a7f12117673f8b527c1347ae4
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 0901447061861C8FCB84DF1CD048B54BBE0FB59354F1545ADE85ECB266D7B0C981CB86

Function 10DA82DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 10DA832D

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: fb765b7df95bad45c58645982a1fd654f4bdd8653f3d4533069621d3cbf3552a
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: B9316B74A04B49DFDB94DF29808A2A5F7A0FB54300F48467ECD1DCB106CB74A860CFA1

Function 10DA8412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 10DA8461

Memory Dump Source

Source File: 0000000A.00000002.4569837606.0000000010CD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10CD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10cd0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: ebb0dfc94fdc45f8d1d65a25ebc1b72ec24cf98cf8ffb5a81b6ddd97947bf13a
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 1DF02230228A084FDB88EB2CD44262AB3D0EBAD200F40063EA98EC3264CA68C5818716

Non-executed Functions

Function 0E213D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

wini, xrefs: 0E213F72
32.d, xrefs: 0E213F0B
ll, xrefs: 0E213F13
dll, xrefs: 0E213F4C
kern, xrefs: 0E213F5A
.dll, xrefs: 0E213F2F
net., xrefs: 0E213F44
M, xrefs: 0E214082
S, xrefs: 0E214073
el32, xrefs: 0E213F27
user, xrefs: 0E213F03

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: f21c8b831cc179e97331274a5ff2833738217c571d66b19b852bf04cb984b771
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: B1E16CB4528F488FC764EF68C4947AAB7E0FB68301F504A6E959FC7241DF30AA41CB85

Function 0E352D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

user, xrefs: 0E352F03
el32, xrefs: 0E352F27
wini, xrefs: 0E352F72
dll, xrefs: 0E352F4C
32.d, xrefs: 0E352F0B
kern, xrefs: 0E352F5A
S, xrefs: 0E353073
ll, xrefs: 0E352F13
.dll, xrefs: 0E352F2F
M, xrefs: 0E353082
net., xrefs: 0E352F44

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: a9231d345ff04e7a55ff388ca8cf7f5815165e52b81dc80be8747baa6d8f3d88
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 1AE14A75618B488FC764EF78C494BAABBE0FB58300F504A2E999BC7355DF30A941CB85

Function 0E216792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

dPas, xrefs: 0E2168E2
d, xrefs: 0E2168F2
itUR, xrefs: 0E21685D
ypte, xrefs: 0E2168A5
rnam, xrefs: 0E2168B5
guid, xrefs: 0E2167CE
user, xrefs: 0E216876
swor, xrefs: 0E2168EA
e, xrefs: 0E2168BD
Fiel, xrefs: 0E216884
encr, xrefs: 0E2168D2
encr, xrefs: 0E21689D
ypte, xrefs: 0E2168DA
dUse, xrefs: 0E2168AD
Subm, xrefs: 0E216855
form, xrefs: 0E21684D
name, xrefs: 0E21687D

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 5283abe2d2d07094f0a7b9c42f990d8bcddebe337f963dfc1c1fdbda6853b074
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 6EB18C34528B488FDB54EF68C485AEEB7F1FFA8300F50496ED49AC7251EF7099058B86

Function 0E355792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

name, xrefs: 0E35587D
encr, xrefs: 0E35589D
ypte, xrefs: 0E3558A5
dUse, xrefs: 0E3558AD
d, xrefs: 0E3558F2
Fiel, xrefs: 0E355884
guid, xrefs: 0E3557CE
e, xrefs: 0E3558BD
user, xrefs: 0E355876
encr, xrefs: 0E3558D2
dPas, xrefs: 0E3558E2
itUR, xrefs: 0E35585D
Subm, xrefs: 0E355855
form, xrefs: 0E35584D
swor, xrefs: 0E3558EA
ypte, xrefs: 0E3558DA
rnam, xrefs: 0E3558B5

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 0685d757e8571b331a8bd1515befd0640bfd56a56dbf1ebe19b4ea4ba14bcc80
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 02B15B31518B488ADB55EF68C485AEEBBF1FF58300F90491ED89AC7351EF70A9058B86

Function 0E214622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

s, xrefs: 0E214689
2, xrefs: 0E214674
i, xrefs: 0E21469E
t, xrefs: 0E2146C8
w, xrefs: 0E2146B3
u, xrefs: 0E214661
d, xrefs: 0E2146A5
l, xrefs: 0E214682
l, xrefs: 0E2146AC
n, xrefs: 0E2146BA
n, xrefs: 0E2146C1
p, xrefs: 0E214690
d, xrefs: 0E21467B
c, xrefs: 0E214697
l, xrefs: 0E2146D6
d, xrefs: 0E2146CF
e, xrefs: 0E21466D

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 1fca11d774f5ac56af47d141c2e811d3c41bed173de7d26f8f1447d3421614f5
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 0241D370A28B088FDB14EF88A4497BD7BE2FB58700F40026ED409D7245DBB59D458BD6

Function 0E353622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

l, xrefs: 0E3536D6
2, xrefs: 0E353674
w, xrefs: 0E3536B3
c, xrefs: 0E353697
d, xrefs: 0E3536A5
s, xrefs: 0E353689
d, xrefs: 0E35367B
p, xrefs: 0E353690
n, xrefs: 0E3536C1
u, xrefs: 0E353661
i, xrefs: 0E35369E
e, xrefs: 0E35366D
n, xrefs: 0E3536BA
d, xrefs: 0E3536CF
l, xrefs: 0E3536AC
t, xrefs: 0E3536C8
l, xrefs: 0E353682

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 60c8e05ac71d0e79b86e916cf07e59c2906069227f825140367639657a983382
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: B341BF71A18B088FDF14DF88E445AAEBBE2FB88740F00025ED809D3345DBB59D458BD6

Function 0E21BAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 0E21BC2D
], xrefs: 0E21BC3D
n, xrefs: 0E21BC98
[, xrefs: 0E21BCCD
[, xrefs: 0E21BC66
c, xrefs: 0E21BC0B
], xrefs: 0E21BCA8
D, xrefs: 0E21BCDA
[, xrefs: 0E21BBF6
b, xrefs: 0E21BC73
e, xrefs: 0E21BCA0
l, xrefs: 0E21BCE2
l, xrefs: 0E21BC35
[, xrefs: 0E21BC90

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 17b75cb216c198aef53c70c726ec80c738a8217596994e449f019e2719e7453f
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 98C15E75228B098FC758EF28C8956AAF3E1FBA4304F404B5E955AC7250DF70EA15CB86

Function 0E35AAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

], xrefs: 0E35ACA8
l, xrefs: 0E35AC35
D, xrefs: 0E35ACDA
n, xrefs: 0E35AC98
e, xrefs: 0E35ACA0
[, xrefs: 0E35ABF6
[, xrefs: 0E35AC2D
[, xrefs: 0E35AC66
c, xrefs: 0E35AC0B
], xrefs: 0E35AC3D
[, xrefs: 0E35AC90
[, xrefs: 0E35ACCD
l, xrefs: 0E35ACE2
b, xrefs: 0E35AC73

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 502c170ca98978383495a4e9d37aad2c7c36ad5c1df29893fa359d13fc6ba84c
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 47C14B71218B099FC758EF24C495AAAF7E1FB94304F504B2ED89AC7310DF70A955CB86

Function 0E21BF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

n, xrefs: 0E21BF6B
r, xrefs: 0E21BFB8
r, xrefs: 0E21BFC0
., xrefs: 0E21BF63
r, xrefs: 0E21BF90
r, xrefs: 0E21BFB0
r, xrefs: 0E21BFA0
r, xrefs: 0E21BF98
0, xrefs: 0E21BF5B
r, xrefs: 0E21BFA8
c, xrefs: 0E21BFC8
r, xrefs: 0E21BF88

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 51f3648c83b58a3e5564c0ec5378e0ce13eb0a5d425006fd9834b4b7a8226e41
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: EE51C3355687488FD71DDF18C8812AAB7E5FBD5700F501A6EE8CBC7241DBB49A06CB82

Function 0E35AF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

., xrefs: 0E35AF63
c, xrefs: 0E35AFC8
r, xrefs: 0E35AF88
r, xrefs: 0E35AF98
n, xrefs: 0E35AF6B
r, xrefs: 0E35AF90
r, xrefs: 0E35AFA8
r, xrefs: 0E35AFB8
r, xrefs: 0E35AFC0
0, xrefs: 0E35AF5B
r, xrefs: 0E35AFA0
r, xrefs: 0E35AFB0

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 8770e50cf6afbf3331e14f4f48435202d28e007298669b64be5425a8f5a61b26
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 9951D3321187488FD719DF18C8816AAFBE5FB85704F501A2EE8DBC7341DBB49906CB82

Function 0E2152F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 0E2154DB
l, xrefs: 0E2154E2
dragon_s.dll, xrefs: 0E215614
dll, xrefs: 0E21532E
opera_browser.dll, xrefs: 0E215629
nspr, xrefs: 0E2154D4
sspi, xrefs: 0E215320
cli., xrefs: 0E215327

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: e4b1cf030eba516a63dc3efb48afdc59a66e54406e407b9096ed397aab69ef0a
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: D2C17074628A194FC758EF68D895AAAF3E1FFA8300F5547A9844EC7250DF30EE018B85

Function 0E2152F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 0E2154DB
l, xrefs: 0E2154E2
dragon_s.dll, xrefs: 0E215614
dll, xrefs: 0E21532E
opera_browser.dll, xrefs: 0E215629
nspr, xrefs: 0E2154D4
sspi, xrefs: 0E215320
cli., xrefs: 0E215327

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 43364a7201381d58698d452b6b02d981cb3cd1ee653426a02b69b3d1ceceee85
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: B3C17074628A194FC758EF68D895AAAF3E1FFA8300F5547A9844EC7254DF30EE018BC5

Function 0E3542F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0E35432E
dragon_s.dll, xrefs: 0E354614
4.dl, xrefs: 0E3544DB
l, xrefs: 0E3544E2
nspr, xrefs: 0E3544D4
opera_browser.dll, xrefs: 0E354629
sspi, xrefs: 0E354320
cli., xrefs: 0E354327

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: daa8b95738892c9a92f8fbd5be02e4489efd67c50f462b0905305349a35951d9
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: AEC19E72618A198FC758EB68D495EAAF7E1FB94300F814729885BC7350DF70AA41CB85

Function 0E3542F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dll, xrefs: 0E35432E
dragon_s.dll, xrefs: 0E354614
4.dl, xrefs: 0E3544DB
l, xrefs: 0E3544E2
nspr, xrefs: 0E3544D4
opera_browser.dll, xrefs: 0E354629
sspi, xrefs: 0E354320
cli., xrefs: 0E354327

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: ae56487730b7eb920b3190681cec67c433fcca8a35c980353558276e2d67a5be
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 2CC19E72618A198FC758EF68D495EAAFBE1FB98300F814729885BC7350DF709E41CB85

Function 0E216CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

L: , xrefs: 0E216D66
2, xrefs: 0E216DE1
name, xrefs: 0E216DB2
word, xrefs: 0E216D9E
Pass, xrefs: 0E216D97
UR, xrefs: 0E216D5F
User, xrefs: 0E216DAB

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: f8b4159e42848258777530a8d238c8c8a765d228f2f9d3d5e72dab9d6c14dd38
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: BCA191706287488FDB19EFA8D4447EEB7E1FF98300F40466EE48AD7251EF709A458789

Function 0E355CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

User, xrefs: 0E355DAB
UR, xrefs: 0E355D5F
2, xrefs: 0E355DE1
word, xrefs: 0E355D9E
L: , xrefs: 0E355D66
Pass, xrefs: 0E355D97
name, xrefs: 0E355DB2

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 470653fdef08580b5cfa8ca7f31c57fb8a3ebcbd4615090625e4c48bbee6bc8c
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 6AA190716187488BDB19EFA8D444BEEBBE1FF84300F404A2DD88AD7351EF7099458789

Function 0E216CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

L: , xrefs: 0E216D66
2, xrefs: 0E216DE1
name, xrefs: 0E216DB2
word, xrefs: 0E216D9E
Pass, xrefs: 0E216D97
UR, xrefs: 0E216D5F
User, xrefs: 0E216DAB

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 7dced495fa2be3fb53ad2a7b14c28cb7d6338650ffb292e6192fb1db0cd6f012
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 6391A0706287488FDB19EFA8D444BEEB7E1FF98300F40466EE48AD7251EF709A458785

Function 0E355CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

User, xrefs: 0E355DAB
UR, xrefs: 0E355D5F
2, xrefs: 0E355DE1
word, xrefs: 0E355D9E
L: , xrefs: 0E355D66
Pass, xrefs: 0E355D97
name, xrefs: 0E355DB2

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: e414240574c34d70802610dc14d49278e196f3c63d8d249cd19c9c004ff56587
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: BD917E716187488BDB29EFA8D444BEEBBE1FF98300F404A2DD88AD7351EB7099458785

Function 0E216352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 0E21647C
., xrefs: 0E2163B0
n, xrefs: 0E2163E7
v, xrefs: 0E2164A0
e, xrefs: 0E21648E

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 0d6d0caaeb8c7e9542c41f054f312d39d9150169e953b02511d26be53d110011
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 2B71A3356287498FD758EFA8C4847AEB7F1FF68304F00066ED44AC7261EB71E9458B81

Function 0E355352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

e, xrefs: 0E35548E
., xrefs: 0E3553B0
v, xrefs: 0E3554A0
, xrefs: 0E35547C
n, xrefs: 0E3553E7

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: b5fc63013b43d089476d03d2612cac0b5b300403e5e47383b2bbe65914977622
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 317174326187488FD758EF68C484BAABBF1FF54304F400A2ED84AD7361EB71E9458B85

Function 0E211C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

ole3, xrefs: 0E211C5D
l32., xrefs: 0E211C97
dll, xrefs: 0E211C9E
shel, xrefs: 0E211C90
2.dl, xrefs: 0E211C64

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 79f2433f08e256ae132362e946533d0973f25d8cbf0bbe25a8ed0f7434b7f66c
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 495150B4918B4C8FDB54EFA4C0456EEB7F1FF68301F404A6E959AD7214DF3096418B89

Function 0E350C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

2.dl, xrefs: 0E350C64
dll, xrefs: 0E350C9E
shel, xrefs: 0E350C90
ole3, xrefs: 0E350C5D
l32., xrefs: 0E350C97

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 9a74ea75fd7b41e9a4beb3b8b3f84a5c2918dba46528d5db8eb26161922d56bb
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: DF513DB1914B4C8BDB54EFA4C045AEEFBE1FF58300F404A2ED89AE7214EF7095458B89

Function 0E21286F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

\, xrefs: 0E2129E0
dll, xrefs: 0E2128F4
4, xrefs: 0E2129E9
ion., xrefs: 0E2128EC
vers, xrefs: 0E2128E4

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 18b60664b9ef6bba593c9e37bc5c0ea53023a8a28e2a0f1c212793a2511506e4
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: E5417335228B4D8FDB75EF2498557EA77E4FBA4301F40466E984EC7250DF30DA058782

Function 0E35186F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

4, xrefs: 0E3519E9
\, xrefs: 0E3519E0
vers, xrefs: 0E3518E4
dll, xrefs: 0E3518F4
ion., xrefs: 0E3518EC

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 49472c500fe1066248d9061f4ca47f9a9472330560c7c87c7e8e58de9873f4db
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 98416331659B888FCBB5EF249855BEAB7E4FB98301F50462E985EC7340EF30D9458782

Function 0E2144B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

user, xrefs: 0E2144D3
cli., xrefs: 0E214515
32.d, xrefs: 0E2144DA
dll, xrefs: 0E21451C
sspi, xrefs: 0E21450E

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: a0a9cd83d0233261cdf17269260ac32418752575e160a13e8e696aeffec1635e
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 48415E70A29E0D9FCB54FF6880947AD77E1FB78300F5046AAA80ED7210DA71DA418B86

Function 0E3534B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

dll, xrefs: 0E35351C
32.d, xrefs: 0E3534DA
cli., xrefs: 0E353515
sspi, xrefs: 0E35350E
user, xrefs: 0E3534D3

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 9c03649ac4da94b335a4a8a0425fcd634c6021730c07f7185a225eba2a441c57
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: D4415D72A18E0D8FCB54EF688095BAD7BF1FB58340F40596AAC0AD7314EA71D9408B86

Function 0E212432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 0E21252A
.dll, xrefs: 0E21253F
el32, xrefs: 0E212537
h, xrefs: 0E21251F

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 14008aedad4ed450213b6ee962c90104c5c14261434fa89c54be9834ee3a89f3
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 78419771618B4D8FD769DF2884943AABBE1FBA8300F104A6F949EC3265DF70C945CB41

Function 0E351432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 0E35152A
.dll, xrefs: 0E35153F
h, xrefs: 0E35151F
el32, xrefs: 0E351537

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 87966d4aae2291740aab912f0082c50145fd3ec715a36917e667302cae62cbd8
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 4F416E71609B498FD7A9DF2980847AABBE1FB98300F104B6E989FC3355DB70C945CB81

Function 0E2190B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

Snif, xrefs: 0E219154
f fr, xrefs: 0E21913D
, xrefs: 0E219184
om:, xrefs: 0E219146

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 41030c57d46885bcd7fc071fad2611e1c009d2300035c9b48583df3c55b55163
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 4C31E47552CB885FD71AEB28C4846DAB7D4FBA4300F504D5EE49BC7251EE30AA49CB83

Function 0E3580B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E35813D
Snif, xrefs: 0E358154
, xrefs: 0E358184
om:, xrefs: 0E358146

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 9b8a3d824d4561b7a532b9ee220623005a90ced91721a58e5e9e993d582cd250
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: F431A77151CB885FD719EB24D484ADABBD4FB94300F504D1ED89BD7351EE30A945CB42

Function 0E2190C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

Snif, xrefs: 0E219154
f fr, xrefs: 0E21913D
, xrefs: 0E219184
om:, xrefs: 0E219146

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 074a1fca4333034d01bafee20a85b507504648ff86c3c39143f92f40dcf5c7a1
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 0531F67552CB485FD719DB24C4946DAB7D4FBA4300F504D5EE49BC3251EE30EA49CA83

Function 0E3580C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E35813D
Snif, xrefs: 0E358154
, xrefs: 0E358184
om:, xrefs: 0E358146

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: b9461220ba6987b0291edc147fbc2f7177827ba960328c5145011d5705093a51
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 2931A572518B486FD719EB24C484ADABBD4FB94300F504D2EE89BD7351EE30E946CB42

Function 0E214FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

me_c, xrefs: 0E214FEE
chro, xrefs: 0E215023
hild, xrefs: 0E214FF6
.dll, xrefs: 0E214FFE

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 8ac045a77e7f13339c1f04bbf8c717422fbadc69223a3bf050671a17fe256f49
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 2D317074128B494FC784EF688494BAAB7E1FFE8200F954AAD984EC7214DF30DA45C792

Function 0E353FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 0E353FFE
chro, xrefs: 0E354023
me_c, xrefs: 0E353FEE
hild, xrefs: 0E353FF6

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 7185ce559c8face5cbedc0a5cee8adff4702e62220fc3d049a68dbb991536965
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: EB312F72118B588FC784EF688494FAABBE1FB94300F94496D984AC7355DF30CD45CB56

Function 0E214FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

me_c, xrefs: 0E214FEE
chro, xrefs: 0E215023
hild, xrefs: 0E214FF6
.dll, xrefs: 0E214FFE

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 9a1e9e62f048b1666442a0fedb8de4c242d040987bd2d8ceb3f7a15541ec655e
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: E8319274128B494FC794EF6884947AAB7E1FFE8300F954ABD944AC7254DF30CA05C782

Function 0E353FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 0E353FFE
chro, xrefs: 0E354023
me_c, xrefs: 0E353FEE
hild, xrefs: 0E353FF6

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 4eb97d9dc50b36e597ead753399bfcf52e22699cbfe8f497a00582b5de65e6bd
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 1F315072118B088FC784EF688494FAABBE1FB94300F944A6D984AC7355DF30CD45CB52

Function 0E2178C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0E217935, 0E217948
nt: , xrefs: 0E21791E
urlmon.dll, xrefs: 0E217959
on.d, xrefs: 0E217902

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 34d47968e1d3377c87f02b7e33787a59a045a3db4b3bbcd02d7adb0680ac3999
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 5731D131624A0C8BCB14EFA8C8847EDBBE0FB68205F40066AD84EE7240DF748A45C799

Function 0E3568C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0E356935, 0E356948
urlmon.dll, xrefs: 0E356959
nt: , xrefs: 0E35691E
on.d, xrefs: 0E356902

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 6a104f7ead4bfe4d65f7a8feb8abcd2d0b9010d881a2f972b65e83ce53ac28bb
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: B731D132614A0C8BCB04EFA8C884BEEBBE0FB58214F40462AD85ED7340DE748A45C789

Function 0E2178BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0E217935, 0E217948
nt: , xrefs: 0E21791E
urlmon.dll, xrefs: 0E217959
on.d, xrefs: 0E217902

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: c63f7e36516159293c21df06bf00d7b4ea1bee1966213cfe7302134d32f00767
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 3D21E671A20A4D8BCF15EFA8C8847EDBBE0FF68204F40466AD45AD7240DF748B05C795

Function 0E3568BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 0E356935, 0E356948
urlmon.dll, xrefs: 0E356959
nt: , xrefs: 0E35691E
on.d, xrefs: 0E356902

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: afc1b4630bb165f1362903ae25ad21cb9eb3058e619f16aec5291ac6a6afea90
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: E421A571614A4C8BCB05EFA8C845BEEBFE1FF58204F80461AD85AD7350DF749A45C785

Function 0E218E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E218EF4
l, xrefs: 0E218F26
., xrefs: 0E218F1F
l, xrefs: 0E218F03

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 8ca9c6dffd6718aeb94410bc31c1b2db5e3eeaeb8fff29f18b7d18df045c0d3f
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 4D218D74A24A0D9FDB08EFA8C4447AEBBF0FF28300F504A6ED409D3600DB749A51CB84

Function 0E218E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E218EF4
l, xrefs: 0E218F26
., xrefs: 0E218F1F
l, xrefs: 0E218F03

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 114c08aa6a1c9e0fdc9c829692f961b725de05aaaf5d7d05e7d0e1c280f2fb0e
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: DF217F74A24A0D9BDB08EFA8D4447EDBBF1FF28314F504A6ED409D3600DB759A55CB84

Function 0E357E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E357F26
t, xrefs: 0E357EF4
., xrefs: 0E357F1F
l, xrefs: 0E357F03

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 4afc8c8d94a8e53b8279b1aec6755cde6f949fe19593187ad9ff5087d6d66a87
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 46215C71A24A0D9BDB08EFA8D444BEABBF1FF58304F904A2ED409D3700DB7499518B84

Function 0E357E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 0E357F26
t, xrefs: 0E357EF4
., xrefs: 0E357F1F
l, xrefs: 0E357F03

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: d466fbc62e50ad250df4ef005e179ad22ef65d83e0470b8fe801a55dfdb9e7a6
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: CD214B71A24B0D9BDB48EFA8D044BAABAF1FF58304F904A2ED409D3710DB7499918B84

Function 0E218FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 0E219015
pass, xrefs: 0E219022
logi, xrefs: 0E21903C
auth, xrefs: 0E21902F

Memory Dump Source

Source File: 0000000A.00000002.4568980866.000000000E1B0000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E1B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e1b0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 81ed96b61fb2c1eb871ea5ea6e4a6372799ae6bd611888c4cedc6a3474be5204
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: AD21C030624B0D8BCB05DF9998A06EEB7E1FF88354F00465AD80ADB244D7B1DA548BC2

Function 0E357FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 0E35802F
logi, xrefs: 0E35803C
user, xrefs: 0E358015
pass, xrefs: 0E358022

Memory Dump Source

Source File: 0000000A.00000002.4569080941.000000000E2C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E2C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e2c0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 87a758779e1c8ba3bf5887f4cb87080246c64779d650bdc489e429e99d7f0646
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: C121C071614B0D8BCB05DF999890AEEBBE1EF88344F014A19D80AEB348D7B0D9158BC2

Analysis Process: DjsaCPLWOz.exePID: 4896, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	7.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	75
Total number of Limit Nodes:	7

Executed Functions

Function 00E3D369 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E3D3F6
GetCurrentThread.KERNEL32 ref: 00E3D433
GetCurrentProcess.KERNEL32 ref: 00E3D470
GetCurrentThreadId.KERNEL32 ref: 00E3D4C9

Memory Dump Source

Source File: 0000000C.00000002.2164038745.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e30000_DjsaCPLWOz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 10dc8dd87aa1fb0228e02b929ad9e29c4c4c03549c4019a2b1166f79664d8dae
Instruction ID: ebb7515995872101ee28f54db5308b9a4f6120c5b4e4d57e7fe26c6072a5d4aa
Opcode Fuzzy Hash: 10dc8dd87aa1fb0228e02b929ad9e29c4c4c03549c4019a2b1166f79664d8dae
Instruction Fuzzy Hash: 7A5176B0D053498FDB54CFA9D948BAEBFF1EF88314F208459E018A72A0DB746984CF61

Function 00E3D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00E3D3F6
GetCurrentThread.KERNEL32 ref: 00E3D433
GetCurrentProcess.KERNEL32 ref: 00E3D470
GetCurrentThreadId.KERNEL32 ref: 00E3D4C9

Memory Dump Source

Source File: 0000000C.00000002.2164038745.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e30000_DjsaCPLWOz.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9c5ebfdb441c626cebcb538b394b810150739fba6d7d715c3677c62600c7ee70
Instruction ID: ed1bfd58732e762e945467d4bb4fc957fa1a95cbeeffbc2d8688a75327ee85e2
Opcode Fuzzy Hash: 9c5ebfdb441c626cebcb538b394b810150739fba6d7d715c3677c62600c7ee70
Instruction Fuzzy Hash: EF5145B0D013498FDB54CFAAD948B9EBBF1EF88314F248459E019A7260DB74A984CF65

Function 00E3B3B1 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E3B626

Memory Dump Source

Source File: 0000000C.00000002.2164038745.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e30000_DjsaCPLWOz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 96f01e0c060fcbe2957fb2c7eadf36d55d077477241325372675deb3376712f6
Instruction ID: d9a378b18c7fe954ef3d75810c6c7dc8c3c1e0811ee49fea7e8d592ef16b5421
Opcode Fuzzy Hash: 96f01e0c060fcbe2957fb2c7eadf36d55d077477241325372675deb3376712f6
Instruction Fuzzy Hash: 5681A970A00B058FD724DF29D4497AABBF1FF88304F00896ED59AE7A52E774E805CB94

Function 00E3590C Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E359C9

Memory Dump Source

Source File: 0000000C.00000002.2164038745.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e30000_DjsaCPLWOz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 87dcf04d22158a6c3542d1e1485ccf7cc10099a004d700d33bf4e25fd21242e3
Instruction ID: bf315169847e2a49456725642232ecb4293a2f33a034370290a35abe36fb5085
Opcode Fuzzy Hash: 87dcf04d22158a6c3542d1e1485ccf7cc10099a004d700d33bf4e25fd21242e3
Instruction Fuzzy Hash: CB4100B1C0071DCBEB24CFA9C984BDEBBB5BF89304F20815AD408AB251DB716946CF50

Function 00E344F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00E359C9

Memory Dump Source

Source File: 0000000C.00000002.2164038745.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e30000_DjsaCPLWOz.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1fc7f6c0072d7ba7bd5645d0f89c499c3ecf270dfa57f9b7508f70875b84dd52
Instruction ID: cc1b94d21a162ca137fa10ce2a75eb22ad4f93d60f615b861b451c6bdd57dad6
Opcode Fuzzy Hash: 1fc7f6c0072d7ba7bd5645d0f89c499c3ecf270dfa57f9b7508f70875b84dd52
Instruction Fuzzy Hash: 2941D271C0071DCBDB24CFA9C984B9EBBB5BF88704F20815AD418BB251DB756945CF90

Function 00E3D9C1 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3DA4F

Memory Dump Source

Source File: 0000000C.00000002.2164038745.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e30000_DjsaCPLWOz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7ba9ba2715587f696107630f1437b4e7d66a9e9a90c82a5376adbb9f96caa1ce
Instruction ID: 1b0a58d23c02e92f074ef652a86a1aca90e8754d4b9d600490b6a1476261b6fe
Opcode Fuzzy Hash: 7ba9ba2715587f696107630f1437b4e7d66a9e9a90c82a5376adbb9f96caa1ce
Instruction Fuzzy Hash: FC21D2B5904249DFDB10CF9AE984AEEBFF4BB48324F14801AE918A3310D374A954CFA1

Function 00E3D9C8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3DA4F

Memory Dump Source

Source File: 0000000C.00000002.2164038745.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e30000_DjsaCPLWOz.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 09918fbacfd3bd3fc95cc3508671a0c425a125f0e4c1e7120f1e2c0903b05b81
Instruction ID: c656509d1e98d1c1f3efb6f432aaa7ba4176b812617eab3cb54d1e52472ee4bd
Opcode Fuzzy Hash: 09918fbacfd3bd3fc95cc3508671a0c425a125f0e4c1e7120f1e2c0903b05b81
Instruction Fuzzy Hash: 8121C4B5904249DFDB10CF9AD984ADEBFF5FB48320F14841AE918A3350D374A954CF65

Function 00E3B5C0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00E3B626

Memory Dump Source

Source File: 0000000C.00000002.2164038745.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_e30000_DjsaCPLWOz.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 145fe1e9091a2445c6462c7bf2653c1982796c861a8b058594d70d91eb1fb58d
Instruction ID: d4fb5e0f1106817dcceb0eb7d4361c882abe10ef10c75d8edc1cf8a0dbf0b708
Opcode Fuzzy Hash: 145fe1e9091a2445c6462c7bf2653c1982796c861a8b058594d70d91eb1fb58d
Instruction Fuzzy Hash: B6110FB6C003498FDB20CF9AD844A9EFBF4AF88324F10945AD519B7211C3B9A545CFA1

Function 00B4D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2163645674.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b4d000_DjsaCPLWOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc44db92f696bed0b89ffd9af4247ba56abffae2ce6c75d23996810d5bef3173
Instruction ID: 8964154f81a1689f7d4da1e733ac1d3423473ba171827d1a1c26d952e9e3c501
Opcode Fuzzy Hash: fc44db92f696bed0b89ffd9af4247ba56abffae2ce6c75d23996810d5bef3173
Instruction Fuzzy Hash: 74213A76504204DFDB05DF14D9C0B26BFA5FB94324F20C5ADE9090B356C33AE956DBA2

Function 00B4D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2163645674.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b4d000_DjsaCPLWOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bff6477e81874fda66bee5e65c621c2677a041633151dc75f020d429320e9647
Instruction ID: 90d3d7513b509e5ce9d9a21184a870f43b73f0ceec578cb9e5a70aa52504a3d0
Opcode Fuzzy Hash: bff6477e81874fda66bee5e65c621c2677a041633151dc75f020d429320e9647
Instruction Fuzzy Hash: 64212572604240EFDB05DF14D9C0B2ABFA5FB98318F20C5ADE9090B256C736D956EAA1

Function 00B5D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2163714801.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b5d000_DjsaCPLWOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6afee45fbba670c9dd5b48b795c5d5e96d6d4218f78d46bf9eab93b09d38ee8
Instruction ID: 692eadab7465f79b8810ac97daee7ecdb3d115405099b4c715543f825f8268f7
Opcode Fuzzy Hash: a6afee45fbba670c9dd5b48b795c5d5e96d6d4218f78d46bf9eab93b09d38ee8
Instruction Fuzzy Hash: 8321D075604204EFDB25DF14D9C0B26BBA5FB88315F20C6EDED094B292C777D84ACA61

Function 00B5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2163714801.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b5d000_DjsaCPLWOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46dab3c982c5c4f44246d51a3a1eeee750c8108d17309ab8a3e4ce16e1bafd74
Instruction ID: 42c5296902fa53f49ff27cf7e5f19cf7717507c91e388444744c491be9bf74d4
Opcode Fuzzy Hash: 46dab3c982c5c4f44246d51a3a1eeee750c8108d17309ab8a3e4ce16e1bafd74
Instruction Fuzzy Hash: D1212575504240DFDB24DF14D5D0B26BBA1FB84315F28C6EDDD0A4B292C37AD80BCA61

Function 00B5D005 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2163714801.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b5d000_DjsaCPLWOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d543a8d7b3e628c83fa6346eb213e35b07ed2e6856d46777d609132b17146a
Instruction ID: 0c339957e535836f1a0eae5d37150aae2d88f239784e4ada220d6df778e0b722
Opcode Fuzzy Hash: 47d543a8d7b3e628c83fa6346eb213e35b07ed2e6856d46777d609132b17146a
Instruction Fuzzy Hash: 3C2187755093C48FDB16CF20D594715BF71EB45314F28C6DAD8498B6A7C33AD80ACB62

Function 00B4D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2163645674.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b4d000_DjsaCPLWOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 667f82dd535a8cc80e75c1265ecf6cf2c363aef3e4754653e96345393d992848
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: 39110376504280CFCB01CF10D5C0B16BFB1FB94318F24C6E9D8490B256C33AD956DBA1

Function 00B4D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2163645674.0000000000B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b4d000_DjsaCPLWOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction ID: 5f5bf2a02a40892eadd4cf53bee52a9d7bfc0be9e8ef67009677179f966a1401
Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
Instruction Fuzzy Hash: F011B1B6504280DFCB15CF10D5C4B16BFB1FB94324F24C6A9D8490B756C33AE956DBA1

Function 00B5D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.2163714801.0000000000B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b5d000_DjsaCPLWOz.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction ID: e97f4dd9754eddae360818c5bdefca4ecf11ac0c1d2ab7bd8ac262f9b6429d95
Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
Instruction Fuzzy Hash: AB117975504284DFCB15CF10D5C4B15BBA1FB84314F24C6E9DC494B6A6C37AD84ACB61

Analysis Process: MSBuild.exePID: 5964, Parent PID: 4896COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	0%
Total number of Nodes:	548
Total number of Limit Nodes:	73

Executed Functions

Function 0041A3DD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

1JA, xrefs: 0041A3FC, 0041A408
rMA, xrefs: 0041A402, 0041A410
rMA, xrefs: 0041A41D, 0041A424

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d0fd2fa676037548bfee32348a691438495e76661c9f3d3cc333c064b374a7c0
Instruction ID: d4360ac5b69843ba7f1b4e19baeb887bd84dc6bf54433842aafc9b36623450eb
Opcode Fuzzy Hash: d0fd2fa676037548bfee32348a691438495e76661c9f3d3cc333c064b374a7c0
Instruction Fuzzy Hash: 2FF0F4B2210108ABCB08DF89CC81EEB77A9EF8C314F118249BE1DA7241C630E811CBA0

Function 0041A3E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425

Strings

1JA, xrefs: 0041A3FC, 0041A408
rMA, xrefs: 0041A402, 0041A410
rMA, xrefs: 0041A41D, 0041A424

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 1JA$rMA$rMA
API String ID: 2738559852-782607585
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Function 0041A330 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Function 0041A50A Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 8e98dd363e6cbb4194df273d667f016c0ebb9718585f1da8443e318f4019beac
Instruction ID: 0435345156c0ab3a092ec18c928051dad1933715447059083d21fc7a375db11c
Opcode Fuzzy Hash: 8e98dd363e6cbb4194df273d667f016c0ebb9718585f1da8443e318f4019beac
Instruction Fuzzy Hash: 57F08CB1210208ABCB14DF89CC80EEB37ADEF88314F048109BE08A7241C630E811CBE0

Function 0041A510 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A45A Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 5d3b467a68f710aaff65291511d1bbdf67ebdd1e2d3a2d0e9b69b9b7b55cd054
Instruction ID: d488d0bf4fa4e64719adedaae0a34d8314b85153388e6f82da1405f56c156318
Opcode Fuzzy Hash: 5d3b467a68f710aaff65291511d1bbdf67ebdd1e2d3a2d0e9b69b9b7b55cd054
Instruction Fuzzy Hash: 11E08C75250204BBD714EF94CC45ED77768EF48324F0440A9BA185B242D130F61186D0

Function 0041A460 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0

Function 01702B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702B6A

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 002f0276833cfa497716172d34573b5ac96c60c6ab7050e437dc94e1099b2bb8
Instruction ID: 303c684bc625a8e30155136965f9a11d375cdd934296fd773830e69912d4ea8c
Opcode Fuzzy Hash: 002f0276833cfa497716172d34573b5ac96c60c6ab7050e437dc94e1099b2bb8
Instruction Fuzzy Hash: 14900262256400034305715C4414616900A97E1201B55C031E10145A0DC6258A916226

Function 01702BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702BFA

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bcd4b59e7d85b53714d9891ec32aedb34d8285fc3b9febf5621354ccf65fa2c1
Instruction ID: 2fbbb84bfc50d9a46586c02444bf8188db4f86628a23ad2ec7a5a94550fd3a86
Opcode Fuzzy Hash: bcd4b59e7d85b53714d9891ec32aedb34d8285fc3b9febf5621354ccf65fa2c1
Instruction Fuzzy Hash: 0E90023225540803D380715C440464A500597D2301F95C025A0025664DCB158B5977A2

Function 01702AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702ADA

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ffa83c17bf96cdcd8caf7f62c7651b07128547e2ff23503e54f6fca278db4d60
Instruction ID: c7d58190b24ebb88390d059c1eb1c50c63ffa6bf811612284f03a48e73ae9161
Opcode Fuzzy Hash: ffa83c17bf96cdcd8caf7f62c7651b07128547e2ff23503e54f6fca278db4d60
Instruction Fuzzy Hash: D8900226265400030305B55C0704507504697D6351355C031F1015560CD7218A615222

Function 01702D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702D3A

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52e162ce196de31e394ad03b25c8e6f429a6067b54396bd00c60acdbb0c09a61
Instruction ID: 0996331cff4675991108ba82868de8e3640faacd9cb9ebeb1d44caa28efabcc1
Opcode Fuzzy Hash: 52e162ce196de31e394ad03b25c8e6f429a6067b54396bd00c60acdbb0c09a61
Instruction Fuzzy Hash: 3A90022235540003D340715C54186069005E7E2301F55D021E0414564CDA158A565323

Function 01702D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702D1A

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50461956e34b5d64f3b1a0d4c3348e716fdea3174ce585bc0c0d7caa83276780
Instruction ID: 94ace7b92fda22909b40290ea09b5009d15e823add42de2bd9e20087974c7f7d
Opcode Fuzzy Hash: 50461956e34b5d64f3b1a0d4c3348e716fdea3174ce585bc0c0d7caa83276780
Instruction Fuzzy Hash: 2A90022A26740003D380715C540860A500597D2202F95D425A0015568CCA158A695322

Function 01702DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702DFA

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76697d5127d853aa67e1929212e28fc58df3fb53277eb54e78f8c7512ff9c705
Instruction ID: 2eee14576784d90666d29e4471d0251e91a2671cb37d16f1c13eb5aa82aa2606
Opcode Fuzzy Hash: 76697d5127d853aa67e1929212e28fc58df3fb53277eb54e78f8c7512ff9c705
Instruction Fuzzy Hash: 2290023225540413D311715C4504707500997D1241F95C422A0424568DD7568B52A222

Function 01702DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702DDA

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0387c95ea207988227339718d14c400a21196d5ce14f6c5012f08dccfa2190ae
Instruction ID: d2644afa34436a83b076bf7659654514a26c333e4c2413d859d3386774335516
Opcode Fuzzy Hash: 0387c95ea207988227339718d14c400a21196d5ce14f6c5012f08dccfa2190ae
Instruction Fuzzy Hash: 83900222296441535745B15C44045079006A7E1241795C022A1414960CC6269A56D722

Function 01702C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702C7A

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d07f7c2c80b48dcc8042bf82a2499aba5dc84a080d09d6c6c36b71f5ffa3445d
Instruction ID: df347039c994c2c61539318e00d401e06eaa9a61d124cafbdb757c560c0751d2
Opcode Fuzzy Hash: d07f7c2c80b48dcc8042bf82a2499aba5dc84a080d09d6c6c36b71f5ffa3445d
Instruction Fuzzy Hash: DB90023225548803D310715C840474A500597D1301F59C421A4424668DC7958A917222

Function 01702CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702CAA

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2a5be804a715e59b6c0f965b1852ffbe6309683078da7c987110dc5b16ecbb5
Instruction ID: f8233229b18ddb53a6241a73d91227a2800925c4079bd606384ec5927f2ba0a1
Opcode Fuzzy Hash: f2a5be804a715e59b6c0f965b1852ffbe6309683078da7c987110dc5b16ecbb5
Instruction Fuzzy Hash: 8390023225540403D300759C5408646500597E1301F55D021A5024565EC7658A916232

Function 01702F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702F3A

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e4a0db1f5412393872a63440c82c379f0868f3948d97c3a935a9ce3ae1dd8d5
Instruction ID: c8c4bad9d5f03dbed9cb47b6b4518d2261869cdc911e8a6a66e4ac4caba6466a
Opcode Fuzzy Hash: 8e4a0db1f5412393872a63440c82c379f0868f3948d97c3a935a9ce3ae1dd8d5
Instruction Fuzzy Hash: 2F90026239540443D300715C4414B065005D7E2301F55C025E1064564DC719CE526227

Function 01702FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702FEA

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86190d62e70556d19f477efa8a70cc2ebc4ec0bc0aee98ee7e9f6ead66dcc6aa
Instruction ID: 51aaf0483add0b7bedf567272d20fc6436accb0e9b44f612f4d02abb207fc310
Opcode Fuzzy Hash: 86190d62e70556d19f477efa8a70cc2ebc4ec0bc0aee98ee7e9f6ead66dcc6aa
Instruction Fuzzy Hash: EF900222265C0043D300756C4C14B07500597D1303F55C125A0154564CCA158A615622

Function 01702FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702FBA

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf8df855816d4ae2e6373534b31680d859f7490a7feb4c3d31bb6283c5053579
Instruction ID: 3759aba5b9981250a4e4783d85c982f8eb85835b193b31114e61efd0a747f5de
Opcode Fuzzy Hash: cf8df855816d4ae2e6373534b31680d859f7490a7feb4c3d31bb6283c5053579
Instruction Fuzzy Hash: 5A900222655400434340716C88449069005BBE2211755C131A0998560DC6598A655766

Function 01702F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702F9A

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08fcc6c96870c8cd76dbaec2de142ec1af98ae2418995738c3ee95f0a43ff2c7
Instruction ID: f3631c2945548e386a015880297d9384a6d28bed747a3f4c7cfd5031a312b7f2
Opcode Fuzzy Hash: 08fcc6c96870c8cd76dbaec2de142ec1af98ae2418995738c3ee95f0a43ff2c7
Instruction Fuzzy Hash: 0990023225580403D300715C481470B500597D1302F55C021A1164565DC7258A516672

Function 01702EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702EAA

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ee78f4230269b9d28fc7374dcdc055c8b5a895a66c072aa0c35f13112a7b038
Instruction ID: b9f25b53c3a406ba4dc3f81f3d4cd6468b7fe7525cad29fc3a0893b470309144
Opcode Fuzzy Hash: 8ee78f4230269b9d28fc7374dcdc055c8b5a895a66c072aa0c35f13112a7b038
Instruction Fuzzy Hash: 5490027225540403D340715C4404746500597D1301F55C021A5064564EC7598FD56766

Function 01702E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702E8A

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce70a7ff661a29ef1bb2029b0acfb67e10032779708aef15e5e5b9a702a2cc82
Instruction ID: 1decb71bc1bdf632251ba2c54fb82f22cb2f51c71c1dbb8add2893da12c69c7e
Opcode Fuzzy Hash: ce70a7ff661a29ef1bb2029b0acfb67e10032779708aef15e5e5b9a702a2cc82
Instruction Fuzzy Hash: 2790022265540503D301715C4404616500A97D1241F95C032A1024565ECB258B92A232

Function 0041A745 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Strings

.AP, xrefs: 0041A76F, 0041A77B

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID: .AP
API String ID: 3899507212-3996626295
Opcode ID: aabae8c4149cba7c7552cc2964eda48ac3dbb9147c169a43c49f200a9c8fa95b
Instruction ID: a2026d221001ece8e07f97ecf387a6c3bd36ce84549689ac952d8f2f99152e1c
Opcode Fuzzy Hash: aabae8c4149cba7c7552cc2964eda48ac3dbb9147c169a43c49f200a9c8fa95b
Instruction Fuzzy Hash: AF0129B5210204AFCB04DF99DC81DEB77A9AF88314F018159FD4C97242C634E966CBB5

Function 0041A600 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D

Strings

6EA, xrefs: 0041A622, 0041A62C

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: 6EA
API String ID: 1279760036-1400015478
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Function 00408309 Relevance: 1.6, APIs: 1, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 693ff8fe3ab662aba22a0f4906f7d0ad7010bf78851cb405694a08299bb8f006
Instruction ID: a107327e3af74cd298d00712a59031634e66c7b2234dd660ca556f942aebb97e
Opcode Fuzzy Hash: 693ff8fe3ab662aba22a0f4906f7d0ad7010bf78851cb405694a08299bb8f006
Instruction Fuzzy Hash: 1A01B571A9031876EB20A6959C03FFE7B689B40F54F04011EFF04BA1C1E6A9690646EA

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Function 0040ACF0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Function 0041A632 Relevance: 1.5, APIs: 1, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e6ae964f8ec6dd29bfeb82a1bc8d2991c6bd60e971231ad2d863a1ef3c0c1beb
Instruction ID: d6343332d30a81f5fd92b4ddee1758047473a252feee6e74f272bf2f292e948b
Opcode Fuzzy Hash: e6ae964f8ec6dd29bfeb82a1bc8d2991c6bd60e971231ad2d863a1ef3c0c1beb
Instruction Fuzzy Hash: 56E0EDB52102006BCB14DFB8CC08EE73BACAF88750F014249F90C5B245C131E914CAB0

Function 0041A7D5 Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 7ef6ad37eb9ffca0e74339ab526ec4af0854bef4afc0e73091c9dce3c3af7b19
Instruction ID: 67068b118a6f605efd830c3f62bb11fd949e07eaffad9b74eb94aea8f80a9ca6
Opcode Fuzzy Hash: 7ef6ad37eb9ffca0e74339ab526ec4af0854bef4afc0e73091c9dce3c3af7b19
Instruction Fuzzy Hash: 2EE06871109208ABDB00BB99AD89EE73B28DFC0360F04499FF95D5B242C830B529C3A2

Function 0041A640 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Function 0041A7A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A678 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 095b8a33a3bcff6e6fe8c3ca26f24508802c06a1ee5bd363ee71582a72295282
Instruction ID: ec8a23b5c1171f3dff4e51253b0b2f4fa135bcf20b2ca7c384c2fca830db324b
Opcode Fuzzy Hash: 095b8a33a3bcff6e6fe8c3ca26f24508802c06a1ee5bd363ee71582a72295282
Instruction Fuzzy Hash: A1E08671510104BBC720DFB8CC8AEDB7768DF09390F118158F9196B242D532A501CBA1

Function 0041A680 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8

Memory Dump Source

Source File: 0000000F.00000002.2178459966.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1

Function 01702C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702C24

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6eb89dcf897c22b7cd4b6cb7a7127af612bcb8998379ad6e66150812ca2be422
Instruction ID: dfc15c05df4d4070d86287a06ab2f98d55d2f4987570a5b24f5a7e673a8a476c
Opcode Fuzzy Hash: 6eb89dcf897c22b7cd4b6cb7a7127af612bcb8998379ad6e66150812ca2be422
Instruction Fuzzy Hash: 45B09B739455C5C6DB12E764460C717B94077D1701F15C075D2030695F8738C1D1E276

Non-executed Functions

Function 01702890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0170293C
___swprintf_l.LIBCMT ref: 0170295E
___swprintf_l.LIBCMT ref: 017029A3
___swprintf_l.LIBCMT ref: 0173A52E

Strings

:%u.%u.%u.%u, xrefs: 0173A5B8
ffff:, xrefs: 0173A504
::%hs%u.%u.%u.%u, xrefs: 0173A527
::ffff:0:%u.%u.%u.%u, xrefs: 0173A54E

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 955f6f1da59346620ae9d447e845d6b79abd195be36d5ff6ff33e631b4e8c4fc
Instruction ID: 6874d62ddd5ce998ebf621626c1bd5d31f1485d1a08a5b6ff9dbb5b86028968b
Opcode Fuzzy Hash: 955f6f1da59346620ae9d447e845d6b79abd195be36d5ff6ff33e631b4e8c4fc
Instruction Fuzzy Hash: 0251D6B6A00216BFCB12DBAC889497EFBF8BB482407148269F595D7686D734DE4087A0

Function 01772410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017724A6
___swprintf_l.LIBCMT ref: 017724E2
___swprintf_l.LIBCMT ref: 0177257D
___swprintf_l.LIBCMT ref: 017725A3
___swprintf_l.LIBCMT ref: 017725C8
___swprintf_l.LIBCMT ref: 01772608

Strings

:%u.%u.%u.%u, xrefs: 017725FF
::%hs%u.%u.%u.%u, xrefs: 0177249E
::ffff:0:%u.%u.%u.%u, xrefs: 017724DA
ffff:, xrefs: 0177247D, 0177249D

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 19bd2b6a46e5a1fddc99faef9c3577b1a06abce78152c2b75e0dc13df9d5ada0
Instruction ID: 150b02da3da82f2b82a0dd6b01c645f2d848e7ebf7b02fe43275c02282b14c90
Opcode Fuzzy Hash: 19bd2b6a46e5a1fddc99faef9c3577b1a06abce78152c2b75e0dc13df9d5ada0
Instruction Fuzzy Hash: AD51C475B00645AEDF30DE5CCC9097EFBB9AB44200F1488A9F5A6D7646EA74EE408760

Function 016F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

ExecuteOptions, xrefs: 017346A0
Execute=1, xrefs: 01734713
CLIENT(ntdll): Processing section info %ws..., xrefs: 01734787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017346FC
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01734742
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01734655
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01734725

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 2e5850394bbbab5c25150e90dbd98dee192f7c674b622cdeca6a657acafb8bce
Instruction ID: ac56f901d319606220db6d082155a99ca93998af69881b5b11a7a97336148deb
Opcode Fuzzy Hash: 2e5850394bbbab5c25150e90dbd98dee192f7c674b622cdeca6a657acafb8bce
Instruction Fuzzy Hash: D1510A31600229ABEF11ABA9DC89FBDB7A8EF59301F04009DD706A72D1E7719E458F50

Function 01796940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: c29bcbe0718652c6e5ac80aa970863b7a729cd1a9d5bf21eb33232c2b4d57f8f
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 0A021571508342AFDB09CF18D494A6BFBE5FFC8700F148A2DB9995B264DB31E949CB42

Function 0170B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0170B6BF

Strings

0, xrefs: 0170B695
+, xrefs: 0170B65A
0, xrefs: 0170B66F
-, xrefs: 0170B650

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: c5f609524d5e498246a13f15ffc72ef49d589222d33b9f8983ad9fdca10618ba
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: E181BF78E45349CEEF2A8E6CC8907BEFBF1AF85320F18455AD861A72D1C7309B408B51

Function 017720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0177214F
___swprintf_l.LIBCMT ref: 01772172

Strings

[, xrefs: 0177212B
%%%u, xrefs: 01772146
]:%u, xrefs: 01772169

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 19e8d5b0035e121cfdaebfa8aed0d65bafa506f3881f034882b0716a4b6419be
Instruction ID: 473af2c7c57747b052bfdb9703f5bdc90c15e39f11b6412adcbea89fb2708da8
Opcode Fuzzy Hash: 19e8d5b0035e121cfdaebfa8aed0d65bafa506f3881f034882b0716a4b6419be
Instruction Fuzzy Hash: 3A21B27AA00219ABDB11DF79DC44AFEFBF9FF54640F040126EA55E3245E730DA018BA0

Function 016EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017302E7
RTL: Re-Waiting, xrefs: 0173031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017302BD

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: c4a59b6437c5e4f2b1c2909e73c7e556da1c0ab23fcd6b9f0f7231fb3f13a26e
Instruction ID: a852074abdf8ffe8f14eaaebff7a0e38b7772d0f34e8c9ad57c8e443e950b85a
Opcode Fuzzy Hash: c4a59b6437c5e4f2b1c2909e73c7e556da1c0ab23fcd6b9f0f7231fb3f13a26e
Instruction Fuzzy Hash: 98E1BE71609741DFEB25CF28C888B2ABBE0BB84314F140AADF5A58B3D2D775D945CB42

Function 016FBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01737B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01737B7F
RTL: Re-Waiting, xrefs: 01737BAC

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 8fbab266f5b8db24f684fdefdfa4d1c88ec998851670641924f570898246d96f
Instruction ID: 819643b69559d5590baea031d3a9404e2c489cbf2cd211e265e0f87c5df52929
Opcode Fuzzy Hash: 8fbab266f5b8db24f684fdefdfa4d1c88ec998851670641924f570898246d96f
Instruction Fuzzy Hash: 5041E0757057029FD725CE2DCC40B6AB7E5EF89720F000A2DFA5A9B781DB31E8058B91

Function 016FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0173728C

Strings

RTL: Resource at %p, xrefs: 017372A3
RTL: Re-Waiting, xrefs: 017372C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01737294

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 50bc2dd5042359406d4b78c83f01758878650ace5c014d45087f56d28e08d959
Instruction ID: ccf52d0a4e73937e22cdafc7c1b2da4588c7973885c981dc3e3b4b4b1cc261ce
Opcode Fuzzy Hash: 50bc2dd5042359406d4b78c83f01758878650ace5c014d45087f56d28e08d959
Instruction Fuzzy Hash: D0410072709202ABD725CE29CC41F6AF7B5FF94710F10061DFA55AB281DB31E8428BD1

Function 01772300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0177238D
___swprintf_l.LIBCMT ref: 017723B3

Strings

]:%u, xrefs: 017723AA
%%%u, xrefs: 01772384

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 933612243e7b11f7edb8dd297be237ec9f617b8f7a411d644c0d6d571654d073
Instruction ID: 6d22ab17c36a3d28d673b65f9dd0d7160203964a9768f16a98efe98034aa5ae0
Opcode Fuzzy Hash: 933612243e7b11f7edb8dd297be237ec9f617b8f7a411d644c0d6d571654d073
Instruction Fuzzy Hash: 55319372A00219AFDF20DF2DCC44BEEF7F8EF44610F55455AE959E3245EB30AA448BA0

Function 01707D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01707E8B

Strings

+, xrefs: 01707DE8
-, xrefs: 01707DDD

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 92b71c898f17da89726addf7c14ccb59ba85954e1ead106bc8604a7326433081
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 60919071E00316DAEB2ADF6DC881ABEFBE5AF44320F54451EE995A72C4D630BD818B11

Function 016C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 016C9191
@, xrefs: 016C9175

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 72c6f29c4ad3643ef488bf497312b91d94dec1e4d7810e389c0dc1ef28023bdd
Instruction ID: 72ad9e140748aef742ada4f952e076c689b7f664231b5fb6b5a51e03885ddd43
Opcode Fuzzy Hash: 72c6f29c4ad3643ef488bf497312b91d94dec1e4d7810e389c0dc1ef28023bdd
Instruction Fuzzy Hash: 59812C72D002699BDB31CB54CC45BEEBBB4AF48714F0041DAEA19B7640D7709E85CFA4

Function 0174CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0174CFBD

Strings

@, xrefs: 0174CF0A
@4Cw@4Cw, xrefs: 0174CFD5, 0174CFDA, 0174CFF1

Memory Dump Source

Source File: 0000000F.00000002.2179949521.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 2d30680e4276d39b890498a3c861c3f592b67a345c7ef0a43478a9d1b18693e3
Instruction ID: ebbda91d662845bba2eb0bcb602a43569c3b6ffec08a4b13816e5b12aac5c4d9
Opcode Fuzzy Hash: 2d30680e4276d39b890498a3c861c3f592b67a345c7ef0a43478a9d1b18693e3
Instruction Fuzzy Hash: 56417DB2900215DFDB22DFA9C890AADFBB8FF64B50F00412EEA45DB264D7349941CB65

Analysis Process: cscript.exePID: 4784, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	6.8%
Signature Coverage:	0%
Total number of Nodes:	622
Total number of Limit Nodes:	77

Executed Functions

Function 04CFA036 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 04CFA19F

Strings

0, xrefs: 04CFA227

Memory Dump Source

Source File: 00000010.00000002.4560155445.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4cf0000_cscript.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: d80ca956325ff3bba7d8b0edcaa0fb4470275bd1824a9a6f2019ec047719d445
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: 88F12E70918A8C8FDBA5EF68CC94AEEB7E1FB98304F40462AD54ED7250DF34A641DB41

Function 04CF9BAF Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 227
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 04CF9C93
NtMapViewOfSection.NTDLL ref: 04CF9CFF
NtClose.NTDLL ref: 04CF9DC5

Strings

@, xrefs: 04CF9C8B
@, xrefs: 04CF9D0C

Memory Dump Source

Source File: 00000010.00000002.4560155445.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4cf0000_cscript.jbxd

Similarity

API ID: Section$CloseCreateView
String ID: @$@
API String ID: 1133238012-149943524
Opcode ID: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction ID: 69199a469419571fcdbb8bebc221ba799c3ca4a37a1cf015ab8ea19341db3c61
Opcode Fuzzy Hash: db7dcd85dc853400a789dde9de35cb8114d6383d98fd4a16120e7ccab82aa783
Instruction Fuzzy Hash: 55619370118B088FCB58EF58D8856AABBE1FF98314F50062EE58AC3651DF35E541CB86

Function 04CF9BB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 04CF9C93
NtMapViewOfSection.NTDLL ref: 04CF9CFF

Strings

@, xrefs: 04CF9C8B
@, xrefs: 04CF9D0C

Memory Dump Source

Source File: 00000010.00000002.4560155445.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4cf0000_cscript.jbxd

Similarity

API ID: Section$CreateView
String ID: @$@
API String ID: 1585966358-149943524
Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction ID: 2832530d1384cad0327c2092ecb5a5d151f0e9e358465fb8bb0cee8966cf0f1f
Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction Fuzzy Hash: 935171B05187088FDB58DF18D8956AABBE1FF88314F50062EE58EC3651DF35E541CB86

Function 04CFA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 04CFA19F

Strings

0, xrefs: 04CFA0CD

Memory Dump Source

Source File: 00000010.00000002.4560155445.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4cf0000_cscript.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: cb268865580e8131d91c6a7de95a000fbdccf0830401f1b7e2f43e54c8b3624c
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: 62512B70914A8C8FDBA9EF68C8946EEB7F5FB98304F40462AD54AD7210DF34A645CB41

Function 02E5A330 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02E54BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02E54BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02E5A37D

Strings

.z`, xrefs: 02E5A36D, 02E5A378

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: ea5fda1b586e3d089f46e80813c551783d80f8b1669a0d1ee8df30ba11dbd9fb
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: FBF0BDB2211208ABCB08CF89DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Function 02E5A3E0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02E54D72,5EB65239,FFFFFFFF,02E54A31,?,?,02E54D72,?,02E54A31,FFFFFFFF,5EB65239,02E54D72,?,00000000), ref: 02E5A425

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 8a3dc977432e3aac76c1c0ec58852bca17aaa33df26b298048fd2c3c37f510d6
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: E7F0B7B2210208AFCB14DF89DC80EEB77ADEF8C754F158259BE1D97241D630E811CBA0

Function 02E5A3DD Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02E54D72,5EB65239,FFFFFFFF,02E54A31,?,?,02E54D72,?,02E54A31,FFFFFFFF,5EB65239,02E54D72,?,00000000), ref: 02E5A425

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a224246e0399fbad29a278f0e2d9c2779ae9543c9c7cc2a80d4121a5026a6bf2
Instruction ID: cad69f1fd8823aa8b38a77c93a3762e01a3f6ba967424b77be1813476d50a294
Opcode Fuzzy Hash: a224246e0399fbad29a278f0e2d9c2779ae9543c9c7cc2a80d4121a5026a6bf2
Instruction Fuzzy Hash: E5F0F4B2210108ABCB08DF89CC80EEB77A9EF8C314F118249BE1DA7241C630E811CBA0

Function 04F22CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22CAA

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1c960474bcabf933361a8db627fbc3cfef92ba1d80a551f732b0756e67154a9
Instruction ID: dbc6f628f158223df1c89d1bd413b83c2cb56b578e4f0fc97897a1a9e709376b
Opcode Fuzzy Hash: e1c960474bcabf933361a8db627fbc3cfef92ba1d80a551f732b0756e67154a9
Instruction Fuzzy Hash: BE90023124140412F5007598940864610558BE0346F55D011B5029555EC669D9927132

Function 04F22C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22C7A

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92cea595b1c51b9e82fe3a3a4b61ad18098c59e234003eb844049a7737fcd6d3
Instruction ID: c8b7bf0e7c328ecd1fe6e5023faa64b7382da20852b38d109cefaca686f7bb21
Opcode Fuzzy Hash: 92cea595b1c51b9e82fe3a3a4b61ad18098c59e234003eb844049a7737fcd6d3
Instruction Fuzzy Hash: AE90023124148812F5107158C40474A10558BD0346F59C411B4429658D8699D9927122

Function 04F22C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22C6A

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 109df8a375671e1c65b91e967a6d0f6b127dcd869fccabcc9dc10d99be5c5104
Instruction ID: e00a7207b9f0fd2f638f920a5e949342cbe0767718ad48c2875bb2e57445d1c9
Opcode Fuzzy Hash: 109df8a375671e1c65b91e967a6d0f6b127dcd869fccabcc9dc10d99be5c5104
Instruction Fuzzy Hash: 8C90023124140852F50071588404B4610558BE0346F55C016B0129654D8619D9527522

Function 04F22DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22DFA

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 990378ebb730e3d2854793507301c7ae7fb1661702c05983f33d70d7da3c1531
Instruction ID: 78eceaa28f98471798399215fc7ee2f69d53c9f55b0231cef37e35459ad700e5
Opcode Fuzzy Hash: 990378ebb730e3d2854793507301c7ae7fb1661702c05983f33d70d7da3c1531
Instruction Fuzzy Hash: 0590023124140423F5117158850470710598BD0286F95C412B0429558D965ADA53B122

Function 04F22DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22DDA

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fa10fc85c2df4bcf4e7a3a9a023cd626ced43ebaad95270ab28dd73158a50d6e
Instruction ID: e9c6126373a4d92aa9c036ea2405d6800bbacb90a2ac2dfe3f3a2909b2cb686c
Opcode Fuzzy Hash: fa10fc85c2df4bcf4e7a3a9a023cd626ced43ebaad95270ab28dd73158a50d6e
Instruction Fuzzy Hash: 6B900221282441627945B158840450750569BE0286795C012B1419950C852AE957E622

Function 04F22D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22D1A

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 16a8dda8411d7261c987763573daab97e3ae8e86d79af5a2f1edc8b3928e6f34
Instruction ID: abbf120e3040f6ef1dfcb09fcc7b5e557165e0a6c5a6b2519f02f5d44be1d3cf
Opcode Fuzzy Hash: 16a8dda8411d7261c987763573daab97e3ae8e86d79af5a2f1edc8b3928e6f34
Instruction Fuzzy Hash: 1590022925340012F5807158940860A10558BD1247F95D415B001A558CC919D96A6322

Function 04F22EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22EAA

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab098a42d9d3b56d3762e0107583793388efea36bb6e450a0fa88527e2dd0ac5
Instruction ID: cd9d56584022a0d2e2929f5a6b772c37b47f6056273f34cd884eebe05db75d4e
Opcode Fuzzy Hash: ab098a42d9d3b56d3762e0107583793388efea36bb6e450a0fa88527e2dd0ac5
Instruction Fuzzy Hash: FD90027124140412F5407158840474610558BD0346F55C011B5069554E865DDED67666

Function 04F22FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22FEA

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 231fb5d00f99b54626af036fcb81e4de8ccc25a4c398531eeee04a6536f1a1dd
Instruction ID: c68336dfe4599f7b43153e6dba2ac36779c67bd072d66d0b47fa4525b1d91be3
Opcode Fuzzy Hash: 231fb5d00f99b54626af036fcb81e4de8ccc25a4c398531eeee04a6536f1a1dd
Instruction Fuzzy Hash: 2F900221251C0052F60075688C14B0710558BD0347F55C115B0159554CC919D9626522

Function 04F22F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22F3A

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b2be09aa16edc1bd3de0a9832d1867fc118b2e59611456261aab0a5f47343d1
Instruction ID: 4d738063b8f77accb03fc89dbb7f5137f3ce1e51fd816d212ada32ebdc577107
Opcode Fuzzy Hash: 2b2be09aa16edc1bd3de0a9832d1867fc118b2e59611456261aab0a5f47343d1
Instruction Fuzzy Hash: BD90026138140452F50071588414B061055CBE1346F55C015F1069554D861DDD537127

Function 04F22AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22ADA

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1e499ca112d3428e815cbb10886d333b3a9a14dec3810b60c5caeacb481cc3e
Instruction ID: f8d8891bebc153ffa3ec5631067582671a7d1a376ed259ca903e06792b5d44bf
Opcode Fuzzy Hash: e1e499ca112d3428e815cbb10886d333b3a9a14dec3810b60c5caeacb481cc3e
Instruction Fuzzy Hash: 09900225251400132505B558470450710968BD5396355C021F101A550CD625D9626122

Function 04F22BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22BFA

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f4d161a2df758ae851ffd6f0b3be0c3b528754ed08d1a781647aed8318ef5762
Instruction ID: 66adf5dca583a732d9a65b5228f4384820be47abbc707ee33ad32158a2216806
Opcode Fuzzy Hash: f4d161a2df758ae851ffd6f0b3be0c3b528754ed08d1a781647aed8318ef5762
Instruction Fuzzy Hash: 8390023124140812F5807158840464A10558BD1346F95C015B002A654DCA19DB5A77A2

Function 04F22BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22BEA

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f734e18e0a294a5d21a20f7e16e8b92c89f09b1c29d9106d73fee700588b34d5
Instruction ID: c73eea2dab8a006b3eb689ae08242be40353172941a3b9b7b52fd50581aa7c62
Opcode Fuzzy Hash: f734e18e0a294a5d21a20f7e16e8b92c89f09b1c29d9106d73fee700588b34d5
Instruction Fuzzy Hash: 5290023124544852F54071588404A4610658BD034AF55C011B0069694D9629DE56B662

Function 04F22B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22B6A

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef8117a8b481012c13aba33e9fc43f7adf731ab4b95fcdd86727ad53733b4b05
Instruction ID: 37adfbe3f8771f40399c538b53c3a7ef6d7755d507c06779ec50dca4e8a6aba6
Opcode Fuzzy Hash: ef8117a8b481012c13aba33e9fc43f7adf731ab4b95fcdd86727ad53733b4b05
Instruction Fuzzy Hash: EA90026124240013650571588414616505A8BE0246B55C021F1019590DC529D9927126

Function 04F235C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F235CA

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee38b9740af4c686206092a0bda2a53c25ab409ab2202ace0fa6affee76c4825
Instruction ID: 3df367d8a53baf5fc8824674e2d5768585ff07479f821c611df22f53449f122e
Opcode Fuzzy Hash: ee38b9740af4c686206092a0bda2a53c25ab409ab2202ace0fa6affee76c4825
Instruction Fuzzy Hash: D990023164550412F5007158851470620558BD0246F65C411B0429568D8799DA5275A3

Function 02E59050 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02E590F8

Strings

net.dll, xrefs: 02E590C1, 02E59147, 02E5911F, 02E5912B, 02E59153
wininet.dll, xrefs: 02E590AE, 02E590B7

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 07fb741d0de705a7bee4e1f72086dc2eacc46a567c641b428c38a657a8f17114
Instruction ID: b1cc1d82423eea47a9b358c04969b96f0c6789f4861509b0e42b9a3fe64911cd
Opcode Fuzzy Hash: 07fb741d0de705a7bee4e1f72086dc2eacc46a567c641b428c38a657a8f17114
Instruction Fuzzy Hash: 1D3170B2540754ABC724DF64C885FABB7B9EB48B04F10C51DFA2A9B245DB30A650CBA4

Function 02E59046 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 83
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 02E590F8

Strings

net.dll, xrefs: 02E590C1, 02E5911F, 02E5912B
wininet.dll, xrefs: 02E590AE, 02E590B7

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 5113bc41125a1a5837c43e88f4ba38f501976ba5b2f5d07f2690e48e17d044da
Instruction ID: 6a8490705ef1913a48bc2b817763d092bfb436f6a15649ab3f9eb717e2324879
Opcode Fuzzy Hash: 5113bc41125a1a5837c43e88f4ba38f501976ba5b2f5d07f2690e48e17d044da
Instruction Fuzzy Hash: 3421E6B1580250ABC724DF68CC85BA7BBB4FB48704F10C11DFA295B246D770A550CFE5

Function 02E5A632 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02E43AF8), ref: 02E5A66D

Strings

.z`, xrefs: 02E5A65C, 02E5A668

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: e1bc9c8ea46bd1c4a48b20246eff63545e4208ddee84185bf788ab582bf352c5
Instruction ID: 3513142b26854ef10a496b4988934f78f8aaa623fbba020d6741c41c2844b678
Opcode Fuzzy Hash: e1bc9c8ea46bd1c4a48b20246eff63545e4208ddee84185bf788ab582bf352c5
Instruction Fuzzy Hash: 82E06DB62142046BCB14DFB9CC48EA77BACAF89750F018259F94C5B255C131E914CAB0

Function 02E5A640 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02E43AF8), ref: 02E5A66D

Strings

.z`, xrefs: 02E5A65C, 02E5A668

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: bf74bad01d5d51ee512c8e567fb4ecca5d82a9af15411366db01fa17c70bd71b
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 47E04FB12102146BDB14DF59CC44EA777ADEF88750F018555FD0857341C630F910CAF0

Function 02E48309 Relevance: 3.1, APIs: 2, Instructions: 56
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02E4836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02E4838B

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ce1467f263ab9eb7afed26fbdad85e8423216cc79405db0c39d3edb70e5e23d1
Instruction ID: f56cee57f1c4948548b34dd67db42c2a81f298fe1db2e0189df5ab2c0d9e5823
Opcode Fuzzy Hash: ce1467f263ab9eb7afed26fbdad85e8423216cc79405db0c39d3edb70e5e23d1
Instruction Fuzzy Hash: 82018831AD132877EB21AA949C02FFE776D5B41F54F148119FF04BA1C0EAA46A0647E5

Function 02E48310 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02E4836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02E4838B

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
Instruction ID: 479fda1f1ed5008a532f3291a202fe869cec5a6b93ad5fb0c4e21f68e47984cc
Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
Instruction Fuzzy Hash: 9E01A731ED022877E721AA949C02FFE776D5B40F54F048119FF04BA1C1EA94790546F5

Function 02E5A6AD Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E5A704

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f8bb1373f04a202a702c49e87df1bc79baa7d8cc049af3e0bf0b135264cde46b
Instruction ID: 8d591e0f47d35187dd7ae817140a106633b954fc9274d0ffaa4b77ba024dc914
Opcode Fuzzy Hash: f8bb1373f04a202a702c49e87df1bc79baa7d8cc049af3e0bf0b135264cde46b
Instruction Fuzzy Hash: 1301B6B2214108BFCB54DF89DC80EEB37ADAF8C754F158258FA0D97245C630E851CBA0

Function 02E5A6B0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02E5A704

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 3d721354acb1e782628d914113d1a88483e1eea729c771941e950b4cdbede414
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 5B01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4

Function 02E59180 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02E4F050,?,?,00000000), ref: 02E591BC

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: f6a1478ee43e0a36ff2a3fc66a0d3c9d2aa5fd5cf4bdfca84ef241fbfec6805c
Instruction ID: a358289c185795f4d445bfd0ab1f1e5f2cfc40e7ba37d91b678d62b04be19c74
Opcode Fuzzy Hash: f6a1478ee43e0a36ff2a3fc66a0d3c9d2aa5fd5cf4bdfca84ef241fbfec6805c
Instruction Fuzzy Hash: 7AE06D773902243AE3206599AC02FE7B29C8B81B24F554026FA0DEA2C1D995F40146E4

Function 02E59176 Relevance: 1.5, APIs: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02E4F050,?,?,00000000), ref: 02E591BC

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 61e286dc3fc6dfd0221d112ef2d4ab8b76374ee9ec85905d7d7e65fb0c23c22d
Instruction ID: ae10c40f8470f78779529442b8c483cc986747360b14daba7e74d986953148c0
Opcode Fuzzy Hash: 61e286dc3fc6dfd0221d112ef2d4ab8b76374ee9ec85905d7d7e65fb0c23c22d
Instruction Fuzzy Hash: FAE022B73902207AE33169589C02FE7A28C8B81B14F25402AFA4DAB2C0C9A1F80106A8

Function 02E5A600 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(02E54536,?,02E54CAF,02E54CAF,?,02E54536,?,?,?,?,?,00000000,00000000,?), ref: 02E5A62D

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 7ce16cc6abdcc36b23a6d5af4721d1bc2a8902bddb5dbc556d866b87f8094947
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 8AE012B2220218ABDB14EF99CC40EA777ADAF88654F118559BE085B241C630F9118AB0

Function 02E4F6D0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,02E48D14,?), ref: 02E4F6FB

Memory Dump Source

Source File: 00000010.00000002.4558936526.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e40000_cscript.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction ID: 54ef4b89ede57b32917c97d1aeafa8e94e346c7a41607fbc17399b705e504318
Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction Fuzzy Hash: 16D05E616903082AE610AEA49C02F6632895B44A04F494064F9499A2C3DD50E0004565

Function 04F22C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04F22C24

Memory Dump Source

Source File: 00000010.00000002.4560393908.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04EB0000, based on PE: true

Associated: 00000010.00000002.4560393908.0000000004FD9000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.0000000004FDD000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4560393908.000000000504E000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4eb0000_cscript.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe25500e672104c4f89e79771619c0e9c4bda62e87f173512adda3749ea3d75c
Instruction ID: 0cda67ad9e575be01e2142da2b9ac42da4765ce99700f9a20a1a290358b90879
Opcode Fuzzy Hash: fe25500e672104c4f89e79771619c0e9c4bda62e87f173512adda3749ea3d75c
Instruction Fuzzy Hash: E5B09B71D415D5D5FF11F760470871779506BD0755F16C061E2034641E473CD1D2F176

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New purchase order.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DjsaCPLWOz.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\New purchase order.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_104cqqod.bbb.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f25ezsac.a1h.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqjglvcv.s2y.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kgzddzji.e0v.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pbvinzpe.yvb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rinueunc.stt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_um0iwhe5.ydb.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yyv3cszo.ldy.psm1

C:\Users\user\AppData\Local\Temp\tmp96C3.tmp

Windows Analysis Report
New purchase order.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre