Edit tour

Windows Analysis Report
Payment Receipt.exe

Overview

General Information

Sample name:	Payment Receipt.exe
Analysis ID:	1590981
MD5:	d9d98d244f3d4779c8aa532562ffb536
SHA1:	594abbcf69862f343c0ce75716da5607ab6bbaed
SHA256:	4d49933551f01cc730f63fd290ecb61f4bfa880a0660f0ec7363e148ef85645a
Tags:	exeuser-James_inthe_box
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to resolve many domain names, but no domain seems valid

Uses netstat to query active network connections and open ports

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

Payment Receipt.exe (PID: 5264 cmdline: "C:\Users\user\Desktop\Payment Receipt.exe" MD5: D9D98D244F3D4779C8AA532562FFB536)

powershell.exe (PID: 2272 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xnnxAkrxh.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 3472 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 432 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 6692 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

systray.exe (PID: 2272 cmdline: "C:\Windows\SysWOW64\systray.exe" MD5: 28D565BB24D30E5E3DE8AFF6900AF098)

cmd.exe (PID: 5952 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

NETSTAT.EXE (PID: 5504 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)

xnnxAkrxh.exe (PID: 1892 cmdline: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe MD5: D9D98D244F3D4779C8AA532562FFB536)

schtasks.exe (PID: 5516 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpD235.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 3552 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6711:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d040:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xae7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15d67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9dc8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa032:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15b65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15651:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15c67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15ddf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaa4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x148cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb743:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bda7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cdaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18cc9:$sqlite3step: 68 34 1C 7B E1 0x18ddc:$sqlite3step: 68 34 1C 7B E1 0x18cf8:$sqlite3text: 68 38 2A 90 C5 0x18e1d:$sqlite3text: 68 38 2A 90 C5 0x18d0b:$sqlite3blob: 68 53 D8 7F 8C 0x18e33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2099532221.00000000056B0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6dd9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d708:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb547:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1642f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa490:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa6fa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1622d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15d19:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1632f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x164a7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb112:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14f94:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbe0b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c46f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d472:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19391:$sqlite3step: 68 34 1C 7B E1 0x194a4:$sqlite3step: 68 34 1C 7B E1 0x193c0:$sqlite3text: 68 38 2A 90 C5 0x194e5:$sqlite3text: 68 38 2A 90 C5 0x193d3:$sqlite3blob: 68 53 D8 7F 8C 0x194fb:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2096067309.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.2122551276.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.2094401397.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.4536334313.0000000010EEF000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xaf2:$a2: pass 0xaf8:$a3: email 0xaff:$a4: login 0xb06:$a5: signin 0xb17:$a6: persistent 0xcea:$r1: C:\Users\user\AppData\Roaming\21N13Q01\21Nlog.ini
00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x814a1:$a1: 3C 30 50 4F 53 54 74 09 40 0xae8c1:$a1: 3C 30 50 4F 53 54 74 09 40 0x97dd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc51f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x85c0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb302f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x90af7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbdf17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x84b58:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x84dc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb1f78:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xb21e2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x908f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbdd15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x903e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbd801:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x909f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbde17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x90b6f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbdf8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x857da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb2bfa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8f65c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbca7c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x864d3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb38f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x96b37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xc3f57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x97b3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x93a59:$sqlite3step: 68 34 1C 7B E1 0x93b6c:$sqlite3step: 68 34 1C 7B E1 0xc0e79:$sqlite3step: 68 34 1C 7B E1 0xc0f8c:$sqlite3step: 68 34 1C 7B E1 0x93a88:$sqlite3text: 68 38 2A 90 C5 0x93bad:$sqlite3text: 68 38 2A 90 C5 0xc0ea8:$sqlite3text: 68 38 2A 90 C5 0xc0fcd:$sqlite3text: 68 38 2A 90 C5 0x93a9b:$sqlite3blob: 68 53 D8 7F 8C 0x93bc3:$sqlite3blob: 68 53 D8 7F 8C 0xc0ebb:$sqlite3blob: 68 53 D8 7F 8C 0xc0fe3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: Payment Receipt.exe PID: 5264	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Payment Receipt.exe PID: 5264	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4bd98:$a1: 3C 30 50 4F 53 54 74 09 40 0xa36c9:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: xnnxAkrxh.exe PID: 1892	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: xnnxAkrxh.exe PID: 1892	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x36b8d:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: MSBuild.exe PID: 3552	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x477b:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: systray.exe PID: 2272	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xcd499:$a1: 3C 30 50 4F 53 54 74 09 40 0x112e0b:$a1: 3C 30 50 4F 53 54 74 09 40 0x114449:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: NETSTAT.EXE PID: 5504	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5ff9b:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.MSBuild.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.MSBuild.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0.2.Payment Receipt.exe.56b0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
15.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
15.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
15.2.MSBuild.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.MSBuild.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
11.2.xnnxAkrxh.exe.32645dc.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Payment Receipt.exe.2fb45b0.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Payment Receipt.exe.56b0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.xnnxAkrxh.exe.32645dc.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Payment Receipt.exe.2fb45b0.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.xnnxAkrxh.exe.30427ac.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Payment Receipt.exe.2cd9e14.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.xnnxAkrxh.exe.2f89e40.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.Payment Receipt.exe.2d92780.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Receipt.exe", ParentImage: C:\Users\user\Desktop\Payment Receipt.exe, ParentProcessId: 5264, ParentProcessName: Payment Receipt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe", ProcessId: 2272, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpD235.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpD235.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe, ParentImage: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe, ParentProcessId: 1892, ParentProcessName: xnnxAkrxh.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpD235.tmp", ProcessId: 5516, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Receipt.exe", ParentImage: C:\Users\user\Desktop\Payment Receipt.exe, ParentProcessId: 5264, ParentProcessName: Payment Receipt.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp", ProcessId: 432, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Receipt.exe", ParentImage: C:\Users\user\Desktop\Payment Receipt.exe, ParentProcessId: 5264, ParentProcessName: Payment Receipt.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe", ProcessId: 2272, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Receipt.exe", ParentImage: C:\Users\user\Desktop\Payment Receipt.exe, ParentProcessId: 5264, ParentProcessName: Payment Receipt.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp", ProcessId: 432, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.dj1.lat/a03d/www.olourclubbet.shop	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/www.oliticalpatriot.net	Avira URL Cloud: Label: malware
Source: http://www.olourclubbet.shop/a03d/www.leurdivin.online	Avira URL Cloud: Label: malware
Source: http://www.dj1.lat/a03d/	Avira URL Cloud: Label: malware
Source: www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/www.elnqdjc.shop	Avira URL Cloud: Label: malware
Source: http://www.ome-renovation-86342.bond/a03d/www.eepvid.xyz	Avira URL Cloud: Label: malware
Source: http://www.duxrib.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.ensentoto.cloud/a03d/	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/e	Avira URL Cloud: Label: malware
Source: http://www.enelog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.leurdivin.online/a03d/	Avira URL Cloud: Label: malware
Source: http://www.eepvid.xyz/a03d/www.agiararoma.net	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/	Avira URL Cloud: Label: malware
Source: http://www.oonlightshadow.shop/a03d/	Avira URL Cloud: Label: malware
Source: http://www.lphatechblog.xyz/a03d/www.ensentoto.cloud	Avira URL Cloud: Label: malware
Source: http://www.elnqdjc.shop/a03d/www.inggraphic.pro	Avira URL Cloud: Label: malware
Source: http://www.eatbox.store/a03d/	Avira URL Cloud: Label: malware
Source: http://www.leurdivin.online/a03d/www.duxrib.xyz	Avira URL Cloud: Label: malware
Source: http://www.lphatechblog.xyz/a03d/	Avira URL Cloud: Label: malware
Source: http://www.elnqdjc.shop/a03d/	Avira URL Cloud: Label: malware
Source: http://www.ensentoto.cloud/a03d/www.aja168e.live	Avira URL Cloud: Label: malware
Source: http://www.oonlightshadow.shop/a03d/www.ome-renovation-86342.bond	Avira URL Cloud: Label: malware
Source: http://www.aja168e.live/a03d/	Avira URL Cloud: Label: malware
Source: http://www.oliticalpatriot.net/a03d/	Avira URL Cloud: Label: malware
Source: http://www.ome-renovation-86342.bond/a03d/	Avira URL Cloud: Label: malware
Source: http://www.agiararoma.net/a03d/	Avira URL Cloud: Label: malware
Source: http://www.inggraphic.pro/a03d/www.lphatechblog.xyz	Avira URL Cloud: Label: malware
Source: http://www.olourclubbet.shop/a03d/	Avira URL Cloud: Label: malware
Source: http://www.eatbox.store/a03d/www.enelog.xyz	Avira URL Cloud: Label: malware
Source: http://www.agiararoma.net/a03d/www.eatbox.store	Avira URL Cloud: Label: malware
Source: http://www.oliticalpatriot.net/a03d/www.oonlightshadow.shop	Avira URL Cloud: Label: malware
Source: http://www.eepvid.xyz/a03d/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.enelog.xyz/a03d/"], "decoy": ["nfluencer-marketing-13524.bond", "cebepu.info", "lphatechblog.xyz", "haoyun.website", "itiz.xyz", "orld-visa-center.online", "si.art", "alata.xyz", "mmarketing.xyz", "elnqdjc.shop", "ensentoto.cloud", "voyagu.info", "onvert.today", "1fuli9902.shop", "otelhafnia.info", "rumpchiefofstaff.store", "urvivalflashlights.shop", "0090.pizza", "ings-hu-13.today", "oliticalpatriot.net", "5970.pizza", "arimatch-in.legal", "eepvid.xyz", "bfootball.net", "otorcycle-loans-19502.bond", "nline-advertising-34790.bond", "behm.info", "aportsystems.store", "agiararoma.net", "agfov4u.xyz", "9769.mobi", "ome-renovation-86342.bond", "kkkk.shop", "duxrib.xyz", "xurobo.info", "leurdivin.online", "ive-neurozoom.store", "ndogaming.online", "dj1.lat", "yselection.xyz", "52628.xyz", "lsaadmart.store", "oftware-download-92806.bond", "avid-hildebrand.info", "orashrine.store", "erpangina-treatment-views.sbs", "ategorie-polecane-831.buzz", "oonlightshadow.shop", "istromarmitaria.online", "gmgslzdc.sbs", "asglobalaz.shop", "locarry.store", "eleefmestreech.online", "inggraphic.pro", "atidiri.fun", "olourclubbet.shop", "eatbox.store", "romatografia.online", "encortex.beauty", "8oosnny.xyz", "72266.vip", "aja168e.live", "fath.shop", "argloscaremedia.info"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe

ReversingLabs: Detection: 47%

Multi AV Scanner detection for submitted file

Source: Payment Receipt.exe	Virustotal: Detection: 52%			Perma Link
Source: Payment Receipt.exe	ReversingLabs: Detection: 47%

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Payment Receipt.exe

Joe Sandbox ML: detected

Source: Payment Receipt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49729 version: TLS 1.0

Source: Payment Receipt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: netstat.pdbGCTL source: MSBuild.exe, 00000009.00000002.2149345307.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2148823562.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2156304949.00000000002A0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdb source: MSBuild.exe, 0000000F.00000002.2135900602.0000000001650000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2135582745.0000000001227000.00000004.00000020.00020000.00000000.sdmp, systray.exe, systray.exe, 00000010.00000002.4521304668.0000000000F40000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: MSBuild.exe, 0000000F.00000002.2135900602.0000000001650000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2135582745.0000000001227000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000010.00000002.4521304668.0000000000F40000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: MSBuild.exe, 00000009.00000002.2149345307.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2148823562.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2156304949.00000000002A0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.4535999877.00000000106DF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4522848878.0000000004D9F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4521005814.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000003.2135203708.00000000044F6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000010.00000003.2137361084.00000000046A9000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2157400239.0000000003940000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2157400239.0000000003ADE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2152489189.0000000003793000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2148978317.00000000035EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qogK.pdb source: Payment Receipt.exe, xnnxAkrxh.exe.0.dr
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000003.2135203708.00000000044F6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000010.00000003.2137361084.00000000046A9000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2157400239.0000000003940000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2157400239.0000000003ADE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2152489189.0000000003793000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2148978317.00000000035EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qogK.pdbSHA256{( source: Payment Receipt.exe, xnnxAkrxh.exe.0.dr

Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 4x nop then jmp 074121B6h	11_2_074129D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then pop ebx	15_2_00407B1E
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop ebx	16_2_008B7B1E

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.enelog.xyz/a03d/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.eepvid.xyz
Source:	DNS query: www.enelog.xyz

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.olourclubbet.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eepvid.xyz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.dj1.lat replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eatbox.store replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.leurdivin.online replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ome-renovation-86342.bond replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.oonlightshadow.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.agiararoma.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.oliticalpatriot.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.elnqdjc.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.enelog.xyz replaycode: Name error (3)

Uses netstat to query active network connections and open ports

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"

Source: global traffic

TCP traffic: 192.168.2.5:49356 -> 162.159.36.2:53

Source: Joe Sandbox View

JA3 fingerprint: 1138de370e523e824bbca92d049a3777

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49729 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.dj1.lat
Source: global traffic	DNS traffic detected: DNS query: www.olourclubbet.shop
Source: global traffic	DNS traffic detected: DNS query: www.leurdivin.online
Source: global traffic	DNS traffic detected: DNS query: www.oliticalpatriot.net
Source: global traffic	DNS traffic detected: DNS query: www.oonlightshadow.shop
Source: global traffic	DNS traffic detected: DNS query: www.ome-renovation-86342.bond
Source: global traffic	DNS traffic detected: DNS query: www.eepvid.xyz
Source: global traffic	DNS traffic detected: DNS query: www.agiararoma.net
Source: global traffic	DNS traffic detected: DNS query: www.eatbox.store
Source: global traffic	DNS traffic detected: DNS query: www.enelog.xyz
Source: global traffic	DNS traffic detected: DNS query: www.elnqdjc.shop

Source: explorer.exe, 0000000A.00000000.2089672425.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000A.00000002.4520859787.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2075644805.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 0000000A.00000000.2089672425.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000000.2089672425.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000A.00000000.2089672425.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000000.2089672425.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000002.4526732090.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526100825.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2087738182.0000000008890000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: Payment Receipt.exe, 00000000.00000002.2094401397.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, xnnxAkrxh.exe, 0000000B.00000002.2122551276.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Receipt.exe, xnnxAkrxh.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agiararoma.net
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agiararoma.net/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agiararoma.net/a03d/www.eatbox.store
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.agiararoma.netReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.live/a03d/e
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aja168e.liveReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.lat/a03d/www.olourclubbet.shop
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dj1.latReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyz/a03d/www.oliticalpatriot.net
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.duxrib.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eatbox.store
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eatbox.store/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eatbox.store/a03d/www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eatbox.storeReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyz/a03d/www.agiararoma.net
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eepvid.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shop/a03d/www.inggraphic.pro
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.elnqdjc.shopReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyz/a03d/www.elnqdjc.shop
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enelog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ensentoto.cloud
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ensentoto.cloud/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ensentoto.cloud/a03d/www.aja168e.live
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ensentoto.cloudReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.pro/a03d/www.lphatechblog.xyz
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.inggraphic.proReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leurdivin.online
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leurdivin.online/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leurdivin.online/a03d/www.duxrib.xyz
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.leurdivin.onlineReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyz/a03d/www.ensentoto.cloud
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lphatechblog.xyzReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oliticalpatriot.net
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oliticalpatriot.net/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oliticalpatriot.net/a03d/www.oonlightshadow.shop
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oliticalpatriot.netReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olourclubbet.shop
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olourclubbet.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olourclubbet.shop/a03d/www.leurdivin.online
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olourclubbet.shopReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ome-renovation-86342.bond
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ome-renovation-86342.bond/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ome-renovation-86342.bond/a03d/www.eepvid.xyz
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ome-renovation-86342.bondReferer:
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oonlightshadow.shop
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oonlightshadow.shop/a03d/
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oonlightshadow.shop/a03d/www.ome-renovation-86342.bond
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oonlightshadow.shopReferer:
Source: explorer.exe, 0000000A.00000002.4532983341.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2096023107.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 0000000A.00000000.2082591553.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4524849977.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000002.4524849977.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2082591553.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.2078717645.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3848157821.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4522869071.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096105406.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 0000000A.00000002.4528253488.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3095714439.0000000009B89000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096765005.0000000009BA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097395447.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000002.4528307777.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3095714439.0000000009B89000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096765005.0000000009BA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097035501.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000002.4532983341.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2096023107.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 0000000A.00000000.2089672425.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 0000000A.00000000.2089672425.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.4536334313.0000000010EEF000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Payment Receipt.exe PID: 5264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: xnnxAkrxh.exe PID: 1892, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: MSBuild.exe PID: 3552, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: systray.exe PID: 2272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: NETSTAT.EXE PID: 5504, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment Receipt.exe

Source: C:\Windows\explorer.exe	Code function: 10_2_10ED7232 NtCreateFile,	10_2_10ED7232
Source: C:\Windows\explorer.exe	Code function: 10_2_10ED8E12 NtProtectVirtualMemory,	10_2_10ED8E12
Source: C:\Windows\explorer.exe	Code function: 10_2_10ED8E0A NtProtectVirtualMemory,	10_2_10ED8E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A320 NtCreateFile,	15_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A3D0 NtReadFile,	15_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A450 NtClose,	15_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A500 NtAllocateVirtualMemory,	15_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A31B NtCreateFile,	15_2_0041A31B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A44B NtClose,	15_2_0041A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041A4FF NtAllocateVirtualMemory,	15_2_0041A4FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702B60 NtClose,LdrInitializeThunk,	15_2_01702B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_01702BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702AD0 NtReadFile,LdrInitializeThunk,	15_2_01702AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_01702D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_01702D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_01702DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702DD0 NtDelayExecution,LdrInitializeThunk,	15_2_01702DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_01702C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_01702CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702F30 NtCreateSection,LdrInitializeThunk,	15_2_01702F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702FE0 NtCreateFile,LdrInitializeThunk,	15_2_01702FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702FB0 NtResumeThread,LdrInitializeThunk,	15_2_01702FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702F90 NtProtectVirtualMemory,LdrInitializeThunk,	15_2_01702F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_01702EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_01702E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01704340 NtSetContextThread,	15_2_01704340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01704650 NtSuspendThread,	15_2_01704650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702BE0 NtQueryValueKey,	15_2_01702BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702BA0 NtEnumerateValueKey,	15_2_01702BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702B80 NtQueryInformationFile,	15_2_01702B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702AF0 NtWriteFile,	15_2_01702AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702AB0 NtWaitForSingleObject,	15_2_01702AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702D00 NtSetInformationFile,	15_2_01702D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702DB0 NtEnumerateKey,	15_2_01702DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702C60 NtCreateKey,	15_2_01702C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702C00 NtQueryInformationProcess,	15_2_01702C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702CF0 NtOpenProcess,	15_2_01702CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702CC0 NtQueryVirtualMemory,	15_2_01702CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702F60 NtCreateProcessEx,	15_2_01702F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702FA0 NtQuerySection,	15_2_01702FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702E30 NtWriteVirtualMemory,	15_2_01702E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01702EE0 NtQueueApcThread,	15_2_01702EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01703010 NtOpenDirectoryObject,	15_2_01703010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01703090 NtSetValueKey,	15_2_01703090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017035C0 NtCreateMutant,	15_2_017035C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017039B0 NtGetContextThread,	15_2_017039B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01703D70 NtOpenThread,	15_2_01703D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01703D10 NtOpenProcessToken,	15_2_01703D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2CA0 NtQueryInformationToken,LdrInitializeThunk,	16_2_048C2CA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2C60 NtCreateKey,LdrInitializeThunk,	16_2_048C2C60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	16_2_048C2C70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2DD0 NtDelayExecution,LdrInitializeThunk,	16_2_048C2DD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	16_2_048C2DF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2D10 NtMapViewOfSection,LdrInitializeThunk,	16_2_048C2D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	16_2_048C2EA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2FE0 NtCreateFile,LdrInitializeThunk,	16_2_048C2FE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2F30 NtCreateSection,LdrInitializeThunk,	16_2_048C2F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2AD0 NtReadFile,LdrInitializeThunk,	16_2_048C2AD0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2BE0 NtQueryValueKey,LdrInitializeThunk,	16_2_048C2BE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	16_2_048C2BF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2B60 NtClose,LdrInitializeThunk,	16_2_048C2B60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C35C0 NtCreateMutant,LdrInitializeThunk,	16_2_048C35C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C4650 NtSuspendThread,	16_2_048C4650
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C4340 NtSetContextThread,	16_2_048C4340
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2CC0 NtQueryVirtualMemory,	16_2_048C2CC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2CF0 NtOpenProcess,	16_2_048C2CF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2C00 NtQueryInformationProcess,	16_2_048C2C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2DB0 NtEnumerateKey,	16_2_048C2DB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2D00 NtSetInformationFile,	16_2_048C2D00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2D30 NtUnmapViewOfSection,	16_2_048C2D30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2E80 NtReadVirtualMemory,	16_2_048C2E80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2EE0 NtQueueApcThread,	16_2_048C2EE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2E30 NtWriteVirtualMemory,	16_2_048C2E30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2F90 NtProtectVirtualMemory,	16_2_048C2F90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2FA0 NtQuerySection,	16_2_048C2FA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2FB0 NtResumeThread,	16_2_048C2FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2F60 NtCreateProcessEx,	16_2_048C2F60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2AB0 NtWaitForSingleObject,	16_2_048C2AB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2AF0 NtWriteFile,	16_2_048C2AF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2B80 NtQueryInformationFile,	16_2_048C2B80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C2BA0 NtEnumerateValueKey,	16_2_048C2BA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C3090 NtSetValueKey,	16_2_048C3090
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C3010 NtOpenDirectoryObject,	16_2_048C3010
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C3D10 NtOpenProcessToken,	16_2_048C3D10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C3D70 NtOpenThread,	16_2_048C3D70
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C39B0 NtGetContextThread,	16_2_048C39B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CA3D0 NtReadFile,	16_2_008CA3D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CA320 NtCreateFile,	16_2_008CA320
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CA450 NtClose,	16_2_008CA450
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CA500 NtAllocateVirtualMemory,	16_2_008CA500
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CA31B NtCreateFile,	16_2_008CA31B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CA4FF NtAllocateVirtualMemory,	16_2_008CA4FF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CA44B NtClose,	16_2_008CA44B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045FA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	16_2_045FA036
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045F9BAF NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	16_2_045F9BAF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045FA042 NtQueryInformationProcess,	16_2_045FA042
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045F9BB2 NtCreateSection,NtMapViewOfSection,	16_2_045F9BB2

Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_01134204	0_2_01134204
Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_01137018	0_2_01137018
Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_0113D8EC	0_2_0113D8EC
Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_08C8C920	0_2_08C8C920
Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_08C8CD58	0_2_08C8CD58
Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_08C83F60	0_2_08C83F60
Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_08C83F70	0_2_08C83F70
Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_08C85180	0_2_08C85180
Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_08C8D190	0_2_08C8D190
Source: C:\Users\user\Desktop\Payment Receipt.exe	Code function: 0_2_08C8D5C8	0_2_08C8D5C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01036000	9_2_01036000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0100	9_2_00FE0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE3F0	9_2_00FFE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010702C0	9_2_010702C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010465B2	9_2_010465B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010465D0	9_2_010465D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0535	9_2_00FF0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014750	9_2_01014750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100C6E0	9_2_0100C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD68F1	9_2_00FD68F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE28F0	9_2_00FE28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01006962	9_2_01006962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFA840	9_2_00FFA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01028890	9_2_01028890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E8F0	9_2_0101E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2A45	9_2_00FF2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0CF2	9_2_00FE0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01008DBF	9_2_01008DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0C00	9_2_00FF0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF8DC0	9_2_00FF8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFED7A	9_2_00FFED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFAD00	9_2_00FFAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01032F28	9_2_01032F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01010F30	9_2_01010F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064F40	9_2_01064F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0E59	9_2_00FF0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106EFA0	9_2_0106EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2FC8	9_2_00FE2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01002ED9	9_2_01002ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0102516C	9_2_0102516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFB1B0	9_2_00FFB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDF172	9_2_00FDF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF52A0	9_2_00FF52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF33F3	9_2_00FF33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100D2F0	9_2_0100D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF3497	9_2_00FF3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010374E0	9_2_010374E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFB730	9_2_00FFB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF38E0	9_2_00FF38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100B950	9_2_0100B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105D800	9_2_0105D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF59DA	9_2_00FF59DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE1979	9_2_00FE1979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF9950	9_2_00FF9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100FB80	9_2_0100FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01065BF0	9_2_01065BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0102DBF9	9_2_0102DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01063A6C	9_2_01063A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100FDC0	9_2_0100FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01009C20	9_2_01009C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01069C32	9_2_01069C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF3D40	9_2_00FF3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF9EB0	9_2_00FF9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF1F92	9_2_00FF1F92
Source: C:\Windows\explorer.exe	Code function: 10_2_102FB036	10_2_102FB036
Source: C:\Windows\explorer.exe	Code function: 10_2_102F2082	10_2_102F2082
Source: C:\Windows\explorer.exe	Code function: 10_2_102F3D02	10_2_102F3D02
Source: C:\Windows\explorer.exe	Code function: 10_2_102F9912	10_2_102F9912
Source: C:\Windows\explorer.exe	Code function: 10_2_102FF5CD	10_2_102FF5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_102FC232	10_2_102FC232
Source: C:\Windows\explorer.exe	Code function: 10_2_102F6B32	10_2_102F6B32
Source: C:\Windows\explorer.exe	Code function: 10_2_102F6B30	10_2_102F6B30
Source: C:\Windows\explorer.exe	Code function: 10_2_1043A036	10_2_1043A036
Source: C:\Windows\explorer.exe	Code function: 10_2_10431082	10_2_10431082
Source: C:\Windows\explorer.exe	Code function: 10_2_10432D02	10_2_10432D02
Source: C:\Windows\explorer.exe	Code function: 10_2_10438912	10_2_10438912
Source: C:\Windows\explorer.exe	Code function: 10_2_1043E5CD	10_2_1043E5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_1043B232	10_2_1043B232
Source: C:\Windows\explorer.exe	Code function: 10_2_10435B32	10_2_10435B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10435B30	10_2_10435B30
Source: C:\Windows\explorer.exe	Code function: 10_2_10ED7232	10_2_10ED7232
Source: C:\Windows\explorer.exe	Code function: 10_2_10ECD082	10_2_10ECD082
Source: C:\Windows\explorer.exe	Code function: 10_2_10ED6036	10_2_10ED6036
Source: C:\Windows\explorer.exe	Code function: 10_2_10EDA5CD	10_2_10EDA5CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10ED1B30	10_2_10ED1B30
Source: C:\Windows\explorer.exe	Code function: 10_2_10ED1B32	10_2_10ED1B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10ECED02	10_2_10ECED02
Source: C:\Windows\explorer.exe	Code function: 10_2_10ED4912	10_2_10ED4912
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_05294204	11_2_05294204
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_05297018	11_2_05297018
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_0529D8EC	11_2_0529D8EC
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_058ED5C8	11_2_058ED5C8
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_058E5180	11_2_058E5180
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_058ED190	11_2_058ED190
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_058ECD58	11_2_058ECD58
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_058E3F60	11_2_058E3F60
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_058E3F70	11_2_058E3F70
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_058EC920	11_2_058EC920
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Code function: 11_2_07415210	11_2_07415210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00401030	15_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041EAC3	15_2_0041EAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041E524	15_2_0041E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D580	15_2_0041D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00402D90	15_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00409E50	15_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00409E0A	15_2_00409E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041EFDF	15_2_0041EFDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_00402FB0	15_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01758158	15_2_01758158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C0100	15_2_016C0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0176A118	15_2_0176A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017881CC	15_2_017881CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017901AA	15_2_017901AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017841A2	15_2_017841A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01762000	15_2_01762000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178A352	15_2_0178A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DE3F0	15_2_016DE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017903E6	15_2_017903E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01770274	15_2_01770274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017502C0	15_2_017502C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D0535	15_2_016D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01790591	15_2_01790591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01782446	15_2_01782446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01774420	15_2_01774420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0177E4F6	15_2_0177E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D0770	15_2_016D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016F4750	15_2_016F4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016CC7C0	15_2_016CC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EC6E0	15_2_016EC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016E6962	15_2_016E6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D29A0	15_2_016D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0179A9A6	15_2_0179A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D2840	15_2_016D2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DA840	15_2_016DA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016FE8F0	15_2_016FE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016B68B8	15_2_016B68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178AB40	15_2_0178AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01786BD7	15_2_01786BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016CEA80	15_2_016CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0176CD1F	15_2_0176CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DAD00	15_2_016DAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016CADE0	15_2_016CADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016E8DBF	15_2_016E8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D0C00	15_2_016D0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C0CF2	15_2_016C0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01770CB5	15_2_01770CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01744F40	15_2_01744F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01772F30	15_2_01772F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01712F28	15_2_01712F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016F0F30	15_2_016F0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DCFE0	15_2_016DCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C2FC8	15_2_016C2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0174EFA0	15_2_0174EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D0E59	15_2_016D0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178EE26	15_2_0178EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178EEDB	15_2_0178EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178CE93	15_2_0178CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016E2E90	15_2_016E2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0179B16B	15_2_0179B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016BF172	15_2_016BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0170516C	15_2_0170516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016DB1B0	15_2_016DB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017870E9	15_2_017870E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178F0E0	15_2_0178F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D70C0	15_2_016D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0177F0CC	15_2_0177F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016BD34C	15_2_016BD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178132D	15_2_0178132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0171739A	15_2_0171739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017712ED	15_2_017712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EB2C0	15_2_016EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D52A0	15_2_016D52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01787571	15_2_01787571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017995C3	15_2_017995C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0176D5B0	15_2_0176D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C1460	15_2_016C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178F43F	15_2_0178F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178F7B0	15_2_0178F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01715630	15_2_01715630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_017816CC	15_2_017816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D9950	15_2_016D9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EB950	15_2_016EB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01765910	15_2_01765910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0173D800	15_2_0173D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D38E0	15_2_016D38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FB76	15_2_0178FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01745BF0	15_2_01745BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0170DBF9	15_2_0170DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EFB80	15_2_016EFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01743A6C	15_2_01743A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FA49	15_2_0178FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01787A46	15_2_01787A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0177DAC6	15_2_0177DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01715AA0	15_2_01715AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01771AA3	15_2_01771AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0176DAAC	15_2_0176DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01787D73	15_2_01787D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01781D5A	15_2_01781D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D3D40	15_2_016D3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016EFDC0	15_2_016EFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01749C32	15_2_01749C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FCF2	15_2_0178FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FF09	15_2_0178FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01693FD2	15_2_01693FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_01693FD5	15_2_01693FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0178FFB1	15_2_0178FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D1F92	15_2_016D1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016D9EB0	15_2_016D9EB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0493E4F6	16_2_0493E4F6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04934420	16_2_04934420
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04942446	16_2_04942446
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04950591	16_2_04950591
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04890535	16_2_04890535
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048AC6E0	16_2_048AC6E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0488C7C0	16_2_0488C7C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048B4750	16_2_048B4750
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04890770	16_2_04890770
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04922000	16_2_04922000
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_049441A2	16_2_049441A2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_049501AA	16_2_049501AA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_049481CC	16_2_049481CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04880100	16_2_04880100
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0492A118	16_2_0492A118
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04918158	16_2_04918158
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_049102C0	16_2_049102C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04930274	16_2_04930274
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_049503E6	16_2_049503E6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0489E3F0	16_2_0489E3F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494A352	16_2_0494A352
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04930CB5	16_2_04930CB5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04880CF2	16_2_04880CF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04890C00	16_2_04890C00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048A8DBF	16_2_048A8DBF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0488ADE0	16_2_0488ADE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0489AD00	16_2_0489AD00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0492CD1F	16_2_0492CD1F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494CE93	16_2_0494CE93
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048A2E90	16_2_048A2E90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494EEDB	16_2_0494EEDB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494EE26	16_2_0494EE26
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04890E59	16_2_04890E59
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0490EFA0	16_2_0490EFA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04882FC8	16_2_04882FC8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0489CFE0	16_2_0489CFE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04932F30	16_2_04932F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048D2F28	16_2_048D2F28
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048B0F30	16_2_048B0F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04904F40	16_2_04904F40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048768B8	16_2_048768B8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048BE8F0	16_2_048BE8F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0489A840	16_2_0489A840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04892840	16_2_04892840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048929A0	16_2_048929A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0495A9A6	16_2_0495A9A6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048A6962	16_2_048A6962
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0488EA80	16_2_0488EA80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04946BD7	16_2_04946BD7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494AB40	16_2_0494AB40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494F43F	16_2_0494F43F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04881460	16_2_04881460
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0492D5B0	16_2_0492D5B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_049595C3	16_2_049595C3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04947571	16_2_04947571
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_049416CC	16_2_049416CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048D5630	16_2_048D5630
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494F7B0	16_2_0494F7B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048970C0	16_2_048970C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0493F0CC	16_2_0493F0CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494F0E0	16_2_0494F0E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_049470E9	16_2_049470E9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0489B1B0	16_2_0489B1B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048C516C	16_2_048C516C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0487F172	16_2_0487F172
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0495B16B	16_2_0495B16B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048952A0	16_2_048952A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048AB2C0	16_2_048AB2C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_049312ED	16_2_049312ED
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048D739A	16_2_048D739A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494132D	16_2_0494132D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0487D34C	16_2_0487D34C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494FCF2	16_2_0494FCF2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04909C32	16_2_04909C32
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048AFDC0	16_2_048AFDC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04893D40	16_2_04893D40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04941D5A	16_2_04941D5A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04947D73	16_2_04947D73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04899EB0	16_2_04899EB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04891F92	16_2_04891F92
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494FFB1	16_2_0494FFB1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04853FD5	16_2_04853FD5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04853FD2	16_2_04853FD2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494FF09	16_2_0494FF09
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048938E0	16_2_048938E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048FD800	16_2_048FD800
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04925910	16_2_04925910
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04899950	16_2_04899950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048AB950	16_2_048AB950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048D5AA0	16_2_048D5AA0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04931AA3	16_2_04931AA3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0492DAAC	16_2_0492DAAC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0493DAC6	16_2_0493DAC6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04947A46	16_2_04947A46
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494FA49	16_2_0494FA49
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04903A6C	16_2_04903A6C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048AFB80	16_2_048AFB80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_04905BF0	16_2_04905BF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048CDBF9	16_2_048CDBF9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0494FB76	16_2_0494FB76
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CD580	16_2_008CD580
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CE524	16_2_008CE524
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CEAC3	16_2_008CEAC3
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008B2D90	16_2_008B2D90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008B9E0A	16_2_008B9E0A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008B9E50	16_2_008B9E50
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008B2FB0	16_2_008B2FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CEFDF	16_2_008CEFDF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045FA036	16_2_045FA036
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045F2D02	16_2_045F2D02
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045FE5CD	16_2_045FE5CD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045F1082	16_2_045F1082
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045F8912	16_2_045F8912
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045FB232	16_2_045FB232
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045F5B32	16_2_045F5B32
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_045F5B30	16_2_045F5B30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0173EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01037E54 appears 97 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0174F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 016BB970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01705130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0105EA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01717E54 appears 111 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 048FEA12 appears 86 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 0490F290 appears 105 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 0487B970 appears 280 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 048D7E54 appears 111 times
Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 048C5130 appears 58 times

Source: Payment Receipt.exe, 00000000.00000002.2100995430.000000000796E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs Payment Receipt.exe
Source: Payment Receipt.exe, 00000000.00000002.2100995430.000000000796E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Payment Receipt.exe
Source: Payment Receipt.exe, 00000000.00000002.2093411967.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Payment Receipt.exe
Source: Payment Receipt.exe, 00000000.00000002.2094401397.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Payment Receipt.exe
Source: Payment Receipt.exe, 00000000.00000002.2099532221.00000000056B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Payment Receipt.exe
Source: Payment Receipt.exe, 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment Receipt.exe
Source: Payment Receipt.exe, 00000000.00000000.2054128784.0000000000822000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameqogK.exeB vs Payment Receipt.exe
Source: Payment Receipt.exe, 00000000.00000002.2096067309.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Payment Receipt.exe
Source: Payment Receipt.exe, 00000000.00000002.2100072048.0000000007400000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Payment Receipt.exe
Source: Payment Receipt.exe	Binary or memory string: OriginalFilenameqogK.exeB vs Payment Receipt.exe

Source: Payment Receipt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.4536334313.0000000010EEF000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Payment Receipt.exe PID: 5264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: xnnxAkrxh.exe PID: 1892, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: MSBuild.exe PID: 3552, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: systray.exe PID: 2272, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 5504, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: Payment Receipt.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xnnxAkrxh.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: explorer.exe, 0000000A.00000002.4535999877.00000000106DF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4522848878.0000000004D9F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4521005814.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: explorer.exe, 0000000A.00000002.4535999877.00000000106DF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4522848878.0000000004D9F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4521005814.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: explorer.exe, 0000000A.00000002.4535999877.00000000106DF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4522848878.0000000004D9F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4521005814.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: explorer.exe, 0000000A.00000002.4535999877.00000000106DF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4522848878.0000000004D9F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4521005814.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *.sln
Source: explorer.exe, 0000000A.00000002.4535999877.00000000106DF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4522848878.0000000004D9F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4521005814.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: explorer.exe, 0000000A.00000002.4535999877.00000000106DF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4522848878.0000000004D9F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4521005814.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: explorer.exe, 0000000A.00000002.4535999877.00000000106DF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4522848878.0000000004D9F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4521005814.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@26/15@12/0

Source: C:\Users\user\Desktop\Payment Receipt.exe

File created: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:760:120:WilError_03
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Mutant created: \Sessions\1\BaseNamedObjects\FWTqYqdhwUDIUF

Source: C:\Users\user\Desktop\Payment Receipt.exe

File created: C:\Users\user\AppData\Local\Temp\tmpC62F.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe

Command line argument: SystemTray_Main

16_2_00F413B0

Source: Payment Receipt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Payment Receipt.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Payment Receipt.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment Receipt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Payment Receipt.exe, 00000000.00000000.2054128784.0000000000822000.00000002.00000001.01000000.00000003.sdmp, xnnxAkrxh.exe.0.dr

Binary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);

Source: Payment Receipt.exe	Virustotal: Detection: 52%
Source: Payment Receipt.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\Payment Receipt.exe

File read: C:\Users\user\Desktop\Payment Receipt.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment Receipt.exe "C:\Users\user\Desktop\Payment Receipt.exe"
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xnnxAkrxh.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe C:\Users\user\AppData\Roaming\xnnxAkrxh.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpD235.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xnnxAkrxh.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\systray.exe "C:\Windows\SysWOW64\systray.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpD235.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Section loaded: snmpapi.dll

Source: C:\Users\user\Desktop\Payment Receipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Payment Receipt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Payment Receipt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Payment Receipt.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Payment Receipt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: netstat.pdbGCTL source: MSBuild.exe, 00000009.00000002.2149345307.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2148823562.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2156304949.00000000002A0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdb source: MSBuild.exe, 0000000F.00000002.2135900602.0000000001650000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2135582745.0000000001227000.00000004.00000020.00020000.00000000.sdmp, systray.exe, systray.exe, 00000010.00000002.4521304668.0000000000F40000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: systray.pdbGCTL source: MSBuild.exe, 0000000F.00000002.2135900602.0000000001650000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 0000000F.00000002.2135582745.0000000001227000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000010.00000002.4521304668.0000000000F40000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: netstat.pdb source: MSBuild.exe, 00000009.00000002.2149345307.0000000000F80000.00000040.10000000.00040000.00000000.sdmp, MSBuild.exe, 00000009.00000002.2148823562.0000000000A58000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2156304949.00000000002A0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: explorer.exe, 0000000A.00000002.4535999877.00000000106DF000.00000004.80000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4522848878.0000000004D9F000.00000004.10000000.00040000.00000000.sdmp, systray.exe, 00000010.00000002.4521005814.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000003.2135203708.00000000044F6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000010.00000003.2137361084.00000000046A9000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2157400239.0000000003940000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2157400239.0000000003ADE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2152489189.0000000003793000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2148978317.00000000035EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qogK.pdb source: Payment Receipt.exe, xnnxAkrxh.exe.0.dr
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, systray.exe, systray.exe, 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmp, systray.exe, 00000010.00000003.2135203708.00000000044F6000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000010.00000003.2137361084.00000000046A9000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2157400239.0000000003940000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000002.2157400239.0000000003ADE000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2152489189.0000000003793000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000011.00000003.2148978317.00000000035EF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: qogK.pdbSHA256{( source: Payment Receipt.exe, xnnxAkrxh.exe.0.dr

Source: Payment Receipt.exe

Static PE information: 0xFAE9CBCD [Sat May 26 12:34:21 2103 UTC]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE09AD push ecx; mov dword ptr [esp], ecx	9_2_00FE09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FB1366 push eax; iretd	9_2_00FB1369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FB1FEC push eax; iretd	9_2_00FB1FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01037E99 push ecx; ret	9_2_01037EAC
Source: C:\Windows\explorer.exe	Code function: 10_2_102FF9B5 push esp; retn 0000h	10_2_102FFAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_102FFB02 push esp; retn 0000h	10_2_102FFB03
Source: C:\Windows\explorer.exe	Code function: 10_2_102FFB1E push esp; retn 0000h	10_2_102FFB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_1043E9B5 push esp; retn 0000h	10_2_1043EAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_1043EB02 push esp; retn 0000h	10_2_1043EB03
Source: C:\Windows\explorer.exe	Code function: 10_2_1043EB1E push esp; retn 0000h	10_2_1043EB1F
Source: C:\Windows\explorer.exe	Code function: 10_2_10EDA9B5 push esp; retn 0000h	10_2_10EDAAE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10EDAB02 push esp; retn 0000h	10_2_10EDAB03
Source: C:\Windows\explorer.exe	Code function: 10_2_10EDAB1E push esp; retn 0000h	10_2_10EDAB1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041E1FC pushfd ; retf	15_2_0041E1FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_004172AE push ebp; retf	15_2_004172B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D475 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D4C2 push eax; ret	15_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D4CB push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D52C push eax; ret	15_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0041D580 push edx; ret	15_2_0041D957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0169225F pushad ; ret	15_2_016927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016927FA pushad ; ret	15_2_016927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_016C09AD push ecx; mov dword ptr [esp], ecx	15_2_016C09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 15_2_0169283D push eax; iretd	15_2_01692858
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_00F41B3D push ecx; ret	16_2_00F41B50
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048527FA pushad ; ret	16_2_048527F9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0485225F pushad ; ret	16_2_048527F9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_0485283D push eax; iretd	16_2_04852858
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_048809AD push ecx; mov dword ptr [esp], ecx	16_2_048809B6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008CE1FC pushfd ; retf	16_2_008CE1FD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 16_2_008C72AE push ebp; retf	16_2_008C72B1

Source: Payment Receipt.exe	Static PE information: section name: .text entropy: 7.702381936686581
Source: xnnxAkrxh.exe.0.dr	Static PE information: section name: .text entropy: 7.702381936686581

Source: C:\Users\user\Desktop\Payment Receipt.exe

File created: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Payment Receipt.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: Payment Receipt.exe PID: 5264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xnnxAkrxh.exe PID: 1892, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\systray.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 8B9904 second address: 8B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 8B9B6E second address: 8B9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 3259904 second address: 325990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 3259B6E second address: 3259B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory allocated: 1130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory allocated: 4BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory allocated: 8EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory allocated: 75C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory allocated: 9EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory allocated: AEC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory allocated: 2C60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory allocated: 8A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory allocated: 9A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory allocated: 9BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory allocated: ABF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_00FDE0D0 rdtsc

9_2_00FDE0D0

Source: C:\Users\user\Desktop\Payment Receipt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6260	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2831	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7053	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2593	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9755	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 883	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 8803
Source: C:\Windows\SysWOW64\systray.exe	Window / User API: threadDelayed 1167

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 1.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\systray.exe	API coverage: 2.2 %

Source: C:\Users\user\Desktop\Payment Receipt.exe TID: 6980	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6600	Thread sleep count: 6260 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6504	Thread sleep count: 2831 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1680	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2380	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5952	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6768	Thread sleep count: 9755 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6768	Thread sleep time: -19510000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6768	Thread sleep count: 170 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6768	Thread sleep time: -340000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe TID: 6572	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 6580	Thread sleep count: 8803 > 30
Source: C:\Windows\SysWOW64\systray.exe TID: 6580	Thread sleep time: -17606000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 6580	Thread sleep count: 1167 > 30
Source: C:\Windows\SysWOW64\systray.exe TID: 6580	Thread sleep time: -2334000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment Receipt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000A.00000003.3097035501.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000A.00000002.4524849977.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 0000000A.00000003.3097395447.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 0000000A.00000003.3849096520.0000000009BA6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 0000000A.00000003.3097035501.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 0000000A.00000000.2078717645.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000A.00000003.3097035501.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.2075644805.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 0000000A.00000000.2078717645.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000002.4524849977.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.2078717645.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 0000000A.00000000.2078717645.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 0000000A.00000003.3097395447.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 0000000A.00000000.2075644805.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000A.00000003.3097035501.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}-
Source: explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.4524849977.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Payment Receipt.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_00FDE0D0 rdtsc

9_2_00FDE0D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 9_2_01022B60 LdrInitializeThunk,

9_2_01022B60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDC0F0 mov eax, dword ptr fs:[00000030h]	9_2_00FDC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE80E9 mov eax, dword ptr fs:[00000030h]	9_2_00FE80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDA0E3 mov ecx, dword ptr fs:[00000030h]	9_2_00FDA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01010124 mov eax, dword ptr fs:[00000030h]	9_2_01010124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD80A0 mov eax, dword ptr fs:[00000030h]	9_2_00FD80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01022160 mov eax, dword ptr fs:[00000030h]	9_2_01022160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE208A mov eax, dword ptr fs:[00000030h]	9_2_00FE208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01020185 mov eax, dword ptr fs:[00000030h]	9_2_01020185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106019F mov eax, dword ptr fs:[00000030h]	9_2_0106019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106019F mov eax, dword ptr fs:[00000030h]	9_2_0106019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106019F mov eax, dword ptr fs:[00000030h]	9_2_0106019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106019F mov eax, dword ptr fs:[00000030h]	9_2_0106019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2050 mov eax, dword ptr fs:[00000030h]	9_2_00FE2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0105E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0105E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0105E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0105E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0105E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0103E1D8 mov eax, dword ptr fs:[00000030h]	9_2_0103E1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDA020 mov eax, dword ptr fs:[00000030h]	9_2_00FDA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDC020 mov eax, dword ptr fs:[00000030h]	9_2_00FDC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010501DA mov eax, dword ptr fs:[00000030h]	9_2_010501DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010501DA mov eax, dword ptr fs:[00000030h]	9_2_010501DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE016 mov eax, dword ptr fs:[00000030h]	9_2_00FFE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE016 mov eax, dword ptr fs:[00000030h]	9_2_00FFE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE016 mov eax, dword ptr fs:[00000030h]	9_2_00FFE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE016 mov eax, dword ptr fs:[00000030h]	9_2_00FFE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010101F8 mov eax, dword ptr fs:[00000030h]	9_2_010101F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064000 mov ecx, dword ptr fs:[00000030h]	9_2_01064000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF61D1 mov eax, dword ptr fs:[00000030h]	9_2_00FF61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF61D1 mov eax, dword ptr fs:[00000030h]	9_2_00FF61D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01042045 mov eax, dword ptr fs:[00000030h]	9_2_01042045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01066050 mov eax, dword ptr fs:[00000030h]	9_2_01066050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A060 mov eax, dword ptr fs:[00000030h]	9_2_0101A060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDA197 mov eax, dword ptr fs:[00000030h]	9_2_00FDA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDA197 mov eax, dword ptr fs:[00000030h]	9_2_00FDA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDA197 mov eax, dword ptr fs:[00000030h]	9_2_00FDA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100C073 mov eax, dword ptr fs:[00000030h]	9_2_0100C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6154 mov eax, dword ptr fs:[00000030h]	9_2_00FE6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6154 mov eax, dword ptr fs:[00000030h]	9_2_00FE6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDC156 mov eax, dword ptr fs:[00000030h]	9_2_00FDC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2140 mov ecx, dword ptr fs:[00000030h]	9_2_00FE2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2140 mov eax, dword ptr fs:[00000030h]	9_2_00FE2140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010620DE mov eax, dword ptr fs:[00000030h]	9_2_010620DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010660E0 mov eax, dword ptr fs:[00000030h]	9_2_010660E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010220F0 mov ecx, dword ptr fs:[00000030h]	9_2_010220F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A30B mov eax, dword ptr fs:[00000030h]	9_2_0101A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A30B mov eax, dword ptr fs:[00000030h]	9_2_0101A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A30B mov eax, dword ptr fs:[00000030h]	9_2_0101A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01000310 mov ecx, dword ptr fs:[00000030h]	9_2_01000310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF02E1 mov eax, dword ptr fs:[00000030h]	9_2_00FF02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF02E1 mov eax, dword ptr fs:[00000030h]	9_2_00FF02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF02E1 mov eax, dword ptr fs:[00000030h]	9_2_00FF02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FEA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FEA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FEA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FEA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA2C3 mov eax, dword ptr fs:[00000030h]	9_2_00FEA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0104634C mov eax, dword ptr fs:[00000030h]	9_2_0104634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01062349 mov eax, dword ptr fs:[00000030h]	9_2_01062349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105035C mov eax, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105035C mov eax, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105035C mov eax, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105035C mov eax, dword ptr fs:[00000030h]	9_2_0105035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106035C mov eax, dword ptr fs:[00000030h]	9_2_0106035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106035C mov eax, dword ptr fs:[00000030h]	9_2_0106035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106035C mov eax, dword ptr fs:[00000030h]	9_2_0106035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106035C mov ecx, dword ptr fs:[00000030h]	9_2_0106035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106035C mov eax, dword ptr fs:[00000030h]	9_2_0106035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106035C mov eax, dword ptr fs:[00000030h]	9_2_0106035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF02A0 mov eax, dword ptr fs:[00000030h]	9_2_00FF02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF02A0 mov eax, dword ptr fs:[00000030h]	9_2_00FF02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100438F mov eax, dword ptr fs:[00000030h]	9_2_0100438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100438F mov eax, dword ptr fs:[00000030h]	9_2_0100438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD826B mov eax, dword ptr fs:[00000030h]	9_2_00FD826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4260 mov eax, dword ptr fs:[00000030h]	9_2_00FE4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4260 mov eax, dword ptr fs:[00000030h]	9_2_00FE4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4260 mov eax, dword ptr fs:[00000030h]	9_2_00FE4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6259 mov eax, dword ptr fs:[00000030h]	9_2_00FE6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDA250 mov eax, dword ptr fs:[00000030h]	9_2_00FDA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD823B mov eax, dword ptr fs:[00000030h]	9_2_00FD823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010663C0 mov eax, dword ptr fs:[00000030h]	9_2_010663C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0218 mov eax, dword ptr fs:[00000030h]	9_2_00FF0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010163FF mov eax, dword ptr fs:[00000030h]	9_2_010163FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE3F0 mov eax, dword ptr fs:[00000030h]	9_2_00FFE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE3F0 mov eax, dword ptr fs:[00000030h]	9_2_00FFE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE3F0 mov eax, dword ptr fs:[00000030h]	9_2_00FFE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FF03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FF03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FF03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FF03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FF03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FF03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FF03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF03E9 mov eax, dword ptr fs:[00000030h]	9_2_00FF03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE83C0 mov eax, dword ptr fs:[00000030h]	9_2_00FE83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE83C0 mov eax, dword ptr fs:[00000030h]	9_2_00FE83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE83C0 mov eax, dword ptr fs:[00000030h]	9_2_00FE83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE83C0 mov eax, dword ptr fs:[00000030h]	9_2_00FE83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01068243 mov eax, dword ptr fs:[00000030h]	9_2_01068243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01068243 mov ecx, dword ptr fs:[00000030h]	9_2_01068243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8397 mov eax, dword ptr fs:[00000030h]	9_2_00FD8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8397 mov eax, dword ptr fs:[00000030h]	9_2_00FD8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8397 mov eax, dword ptr fs:[00000030h]	9_2_00FD8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDE388 mov eax, dword ptr fs:[00000030h]	9_2_00FDE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDE388 mov eax, dword ptr fs:[00000030h]	9_2_00FDE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDE388 mov eax, dword ptr fs:[00000030h]	9_2_00FDE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01060283 mov eax, dword ptr fs:[00000030h]	9_2_01060283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01060283 mov eax, dword ptr fs:[00000030h]	9_2_01060283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01060283 mov eax, dword ptr fs:[00000030h]	9_2_01060283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E284 mov eax, dword ptr fs:[00000030h]	9_2_0101E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E284 mov eax, dword ptr fs:[00000030h]	9_2_0101E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2324 mov eax, dword ptr fs:[00000030h]	9_2_00FE2324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDC301 mov ecx, dword ptr fs:[00000030h]	9_2_00FDC301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE04E5 mov ecx, dword ptr fs:[00000030h]	9_2_00FE04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E53E mov eax, dword ptr fs:[00000030h]	9_2_0100E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E53E mov eax, dword ptr fs:[00000030h]	9_2_0100E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E53E mov eax, dword ptr fs:[00000030h]	9_2_0100E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E53E mov eax, dword ptr fs:[00000030h]	9_2_0100E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E53E mov eax, dword ptr fs:[00000030h]	9_2_0100E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD64BA mov eax, dword ptr fs:[00000030h]	9_2_00FD64BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE64AB mov eax, dword ptr fs:[00000030h]	9_2_00FE64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101656A mov eax, dword ptr fs:[00000030h]	9_2_0101656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101656A mov eax, dword ptr fs:[00000030h]	9_2_0101656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101656A mov eax, dword ptr fs:[00000030h]	9_2_0101656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014588 mov eax, dword ptr fs:[00000030h]	9_2_01014588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA471 mov eax, dword ptr fs:[00000030h]	9_2_00FEA471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E59C mov eax, dword ptr fs:[00000030h]	9_2_0101E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010045B1 mov eax, dword ptr fs:[00000030h]	9_2_010045B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010045B1 mov eax, dword ptr fs:[00000030h]	9_2_010045B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E5CF mov eax, dword ptr fs:[00000030h]	9_2_0101E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E5CF mov eax, dword ptr fs:[00000030h]	9_2_0101E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0101A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0101A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDC427 mov eax, dword ptr fs:[00000030h]	9_2_00FDC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDE420 mov eax, dword ptr fs:[00000030h]	9_2_00FDE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDE420 mov eax, dword ptr fs:[00000030h]	9_2_00FDE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDE420 mov eax, dword ptr fs:[00000030h]	9_2_00FDE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0100E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0100E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0100E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0100E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0100E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0100E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0100E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0100E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C5ED mov eax, dword ptr fs:[00000030h]	9_2_0101C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C5ED mov eax, dword ptr fs:[00000030h]	9_2_0101C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018402 mov eax, dword ptr fs:[00000030h]	9_2_01018402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018402 mov eax, dword ptr fs:[00000030h]	9_2_01018402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018402 mov eax, dword ptr fs:[00000030h]	9_2_01018402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE25E0 mov eax, dword ptr fs:[00000030h]	9_2_00FE25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01066420 mov eax, dword ptr fs:[00000030h]	9_2_01066420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01066420 mov eax, dword ptr fs:[00000030h]	9_2_01066420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01066420 mov eax, dword ptr fs:[00000030h]	9_2_01066420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01066420 mov eax, dword ptr fs:[00000030h]	9_2_01066420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01066420 mov eax, dword ptr fs:[00000030h]	9_2_01066420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01066420 mov eax, dword ptr fs:[00000030h]	9_2_01066420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01066420 mov eax, dword ptr fs:[00000030h]	9_2_01066420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE65D0 mov eax, dword ptr fs:[00000030h]	9_2_00FE65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A430 mov eax, dword ptr fs:[00000030h]	9_2_0101A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E443 mov eax, dword ptr fs:[00000030h]	9_2_0101E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E443 mov eax, dword ptr fs:[00000030h]	9_2_0101E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E443 mov eax, dword ptr fs:[00000030h]	9_2_0101E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E443 mov eax, dword ptr fs:[00000030h]	9_2_0101E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E443 mov eax, dword ptr fs:[00000030h]	9_2_0101E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E443 mov eax, dword ptr fs:[00000030h]	9_2_0101E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E443 mov eax, dword ptr fs:[00000030h]	9_2_0101E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101E443 mov eax, dword ptr fs:[00000030h]	9_2_0101E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100245A mov eax, dword ptr fs:[00000030h]	9_2_0100245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106C460 mov ecx, dword ptr fs:[00000030h]	9_2_0106C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100A470 mov eax, dword ptr fs:[00000030h]	9_2_0100A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100A470 mov eax, dword ptr fs:[00000030h]	9_2_0100A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100A470 mov eax, dword ptr fs:[00000030h]	9_2_0100A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2582 mov eax, dword ptr fs:[00000030h]	9_2_00FE2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE2582 mov ecx, dword ptr fs:[00000030h]	9_2_00FE2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDA580 mov ecx, dword ptr fs:[00000030h]	9_2_00FDA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDA580 mov eax, dword ptr fs:[00000030h]	9_2_00FDA580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010144B0 mov ecx, dword ptr fs:[00000030h]	9_2_010144B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106A4B0 mov eax, dword ptr fs:[00000030h]	9_2_0106A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0535 mov eax, dword ptr fs:[00000030h]	9_2_00FF0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0535 mov eax, dword ptr fs:[00000030h]	9_2_00FF0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0535 mov eax, dword ptr fs:[00000030h]	9_2_00FF0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0535 mov eax, dword ptr fs:[00000030h]	9_2_00FF0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0535 mov eax, dword ptr fs:[00000030h]	9_2_00FF0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0535 mov eax, dword ptr fs:[00000030h]	9_2_00FF0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C700 mov eax, dword ptr fs:[00000030h]	9_2_0101C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01010710 mov eax, dword ptr fs:[00000030h]	9_2_01010710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF26EB mov eax, dword ptr fs:[00000030h]	9_2_00FF26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF26EB mov eax, dword ptr fs:[00000030h]	9_2_00FF26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF26EB mov eax, dword ptr fs:[00000030h]	9_2_00FF26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF26EB mov eax, dword ptr fs:[00000030h]	9_2_00FF26EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C720 mov eax, dword ptr fs:[00000030h]	9_2_0101C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C720 mov eax, dword ptr fs:[00000030h]	9_2_0101C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105C730 mov eax, dword ptr fs:[00000030h]	9_2_0105C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101273C mov eax, dword ptr fs:[00000030h]	9_2_0101273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101273C mov ecx, dword ptr fs:[00000030h]	9_2_0101273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101273C mov eax, dword ptr fs:[00000030h]	9_2_0101273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101674D mov esi, dword ptr fs:[00000030h]	9_2_0101674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101674D mov eax, dword ptr fs:[00000030h]	9_2_0101674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101674D mov eax, dword ptr fs:[00000030h]	9_2_0101674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01022750 mov eax, dword ptr fs:[00000030h]	9_2_01022750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01022750 mov eax, dword ptr fs:[00000030h]	9_2_01022750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064755 mov eax, dword ptr fs:[00000030h]	9_2_01064755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106E75D mov eax, dword ptr fs:[00000030h]	9_2_0106E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4690 mov eax, dword ptr fs:[00000030h]	9_2_00FE4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4690 mov eax, dword ptr fs:[00000030h]	9_2_00FE4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF266C mov eax, dword ptr fs:[00000030h]	9_2_00FF266C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFC640 mov eax, dword ptr fs:[00000030h]	9_2_00FFC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010607C3 mov eax, dword ptr fs:[00000030h]	9_2_010607C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE262C mov eax, dword ptr fs:[00000030h]	9_2_00FE262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFE627 mov eax, dword ptr fs:[00000030h]	9_2_00FFE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106E7E1 mov eax, dword ptr fs:[00000030h]	9_2_0106E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010027ED mov eax, dword ptr fs:[00000030h]	9_2_010027ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010027ED mov eax, dword ptr fs:[00000030h]	9_2_010027ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010027ED mov eax, dword ptr fs:[00000030h]	9_2_010027ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C7F0 mov eax, dword ptr fs:[00000030h]	9_2_0101C7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE47FB mov eax, dword ptr fs:[00000030h]	9_2_00FE47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE47FB mov eax, dword ptr fs:[00000030h]	9_2_00FE47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E609 mov eax, dword ptr fs:[00000030h]	9_2_0105E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01022619 mov eax, dword ptr fs:[00000030h]	9_2_01022619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01016620 mov eax, dword ptr fs:[00000030h]	9_2_01016620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018620 mov eax, dword ptr fs:[00000030h]	9_2_01018620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE07AF mov eax, dword ptr fs:[00000030h]	9_2_00FE07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A660 mov eax, dword ptr fs:[00000030h]	9_2_0101A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A660 mov eax, dword ptr fs:[00000030h]	9_2_0101A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012674 mov eax, dword ptr fs:[00000030h]	9_2_01012674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C68B mov eax, dword ptr fs:[00000030h]	9_2_0101C68B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8770 mov eax, dword ptr fs:[00000030h]	9_2_00FE8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0770 mov eax, dword ptr fs:[00000030h]	9_2_00FF0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C6A6 mov eax, dword ptr fs:[00000030h]	9_2_0101C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0750 mov eax, dword ptr fs:[00000030h]	9_2_00FE0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010166B0 mov eax, dword ptr fs:[00000030h]	9_2_010166B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDA740 mov eax, dword ptr fs:[00000030h]	9_2_00FDA740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_0101A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A6C7 mov eax, dword ptr fs:[00000030h]	9_2_0101A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0710 mov eax, dword ptr fs:[00000030h]	9_2_00FE0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0105E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0105E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0105E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0105E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010606F1 mov eax, dword ptr fs:[00000030h]	9_2_010606F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010606F1 mov eax, dword ptr fs:[00000030h]	9_2_010606F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E908 mov eax, dword ptr fs:[00000030h]	9_2_0105E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105E908 mov eax, dword ptr fs:[00000030h]	9_2_0105E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE28F0 mov eax, dword ptr fs:[00000030h]	9_2_00FE28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE28F0 mov eax, dword ptr fs:[00000030h]	9_2_00FE28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE28F0 mov eax, dword ptr fs:[00000030h]	9_2_00FE28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE28F0 mov eax, dword ptr fs:[00000030h]	9_2_00FE28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE28F0 mov eax, dword ptr fs:[00000030h]	9_2_00FE28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE28F0 mov eax, dword ptr fs:[00000030h]	9_2_00FE28F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106C912 mov eax, dword ptr fs:[00000030h]	9_2_0106C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106892A mov eax, dword ptr fs:[00000030h]	9_2_0106892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF28D0 mov ecx, dword ptr fs:[00000030h]	9_2_00FF28D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01060946 mov eax, dword ptr fs:[00000030h]	9_2_01060946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A950 mov eax, dword ptr fs:[00000030h]	9_2_0101A950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01006962 mov eax, dword ptr fs:[00000030h]	9_2_01006962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01006962 mov eax, dword ptr fs:[00000030h]	9_2_01006962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01006962 mov eax, dword ptr fs:[00000030h]	9_2_01006962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0102096E mov eax, dword ptr fs:[00000030h]	9_2_0102096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0102096E mov edx, dword ptr fs:[00000030h]	9_2_0102096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0102096E mov eax, dword ptr fs:[00000030h]	9_2_0102096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0887 mov eax, dword ptr fs:[00000030h]	9_2_00FE0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106C97C mov eax, dword ptr fs:[00000030h]	9_2_0106C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4859 mov eax, dword ptr fs:[00000030h]	9_2_00FE4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE4859 mov eax, dword ptr fs:[00000030h]	9_2_00FE4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010689B3 mov esi, dword ptr fs:[00000030h]	9_2_010689B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010689B3 mov eax, dword ptr fs:[00000030h]	9_2_010689B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010689B3 mov eax, dword ptr fs:[00000030h]	9_2_010689B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010149D0 mov eax, dword ptr fs:[00000030h]	9_2_010149D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106E9E0 mov eax, dword ptr fs:[00000030h]	9_2_0106E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010129F9 mov eax, dword ptr fs:[00000030h]	9_2_010129F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_010129F9 mov eax, dword ptr fs:[00000030h]	9_2_010129F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106C810 mov eax, dword ptr fs:[00000030h]	9_2_0106C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FEA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FEA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FEA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FEA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FEA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEA9D0 mov eax, dword ptr fs:[00000030h]	9_2_00FEA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101A830 mov eax, dword ptr fs:[00000030h]	9_2_0101A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01002835 mov eax, dword ptr fs:[00000030h]	9_2_01002835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01002835 mov eax, dword ptr fs:[00000030h]	9_2_01002835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01002835 mov eax, dword ptr fs:[00000030h]	9_2_01002835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01002835 mov ecx, dword ptr fs:[00000030h]	9_2_01002835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01002835 mov eax, dword ptr fs:[00000030h]	9_2_01002835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01002835 mov eax, dword ptr fs:[00000030h]	9_2_01002835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE09AD mov eax, dword ptr fs:[00000030h]	9_2_00FE09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE09AD mov eax, dword ptr fs:[00000030h]	9_2_00FE09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01010854 mov eax, dword ptr fs:[00000030h]	9_2_01010854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106E872 mov eax, dword ptr fs:[00000030h]	9_2_0106E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106E872 mov eax, dword ptr fs:[00000030h]	9_2_0106E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106C89D mov eax, dword ptr fs:[00000030h]	9_2_0106C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100E8C0 mov eax, dword ptr fs:[00000030h]	9_2_0100E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8918 mov eax, dword ptr fs:[00000030h]	9_2_00FD8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8918 mov eax, dword ptr fs:[00000030h]	9_2_00FD8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0101C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0101C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105EB1D mov eax, dword ptr fs:[00000030h]	9_2_0105EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105EB1D mov eax, dword ptr fs:[00000030h]	9_2_0105EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105EB1D mov eax, dword ptr fs:[00000030h]	9_2_0105EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105EB1D mov eax, dword ptr fs:[00000030h]	9_2_0105EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105EB1D mov eax, dword ptr fs:[00000030h]	9_2_0105EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105EB1D mov eax, dword ptr fs:[00000030h]	9_2_0105EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105EB1D mov eax, dword ptr fs:[00000030h]	9_2_0105EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105EB1D mov eax, dword ptr fs:[00000030h]	9_2_0105EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105EB1D mov eax, dword ptr fs:[00000030h]	9_2_0105EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100EB20 mov eax, dword ptr fs:[00000030h]	9_2_0100EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100EB20 mov eax, dword ptr fs:[00000030h]	9_2_0100EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0AD0 mov eax, dword ptr fs:[00000030h]	9_2_00FE0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8AA0 mov eax, dword ptr fs:[00000030h]	9_2_00FE8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8AA0 mov eax, dword ptr fs:[00000030h]	9_2_00FE8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FDEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEEA80 mov eax, dword ptr fs:[00000030h]	9_2_00FEEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0A5B mov eax, dword ptr fs:[00000030h]	9_2_00FF0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0A5B mov eax, dword ptr fs:[00000030h]	9_2_00FF0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6A50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2A45 mov eax, dword ptr fs:[00000030h]	9_2_00FF2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2A45 mov eax, dword ptr fs:[00000030h]	9_2_00FF2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2A45 mov eax, dword ptr fs:[00000030h]	9_2_00FF2A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018BF0 mov ecx, dword ptr fs:[00000030h]	9_2_01018BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018BF0 mov eax, dword ptr fs:[00000030h]	9_2_01018BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018BF0 mov eax, dword ptr fs:[00000030h]	9_2_01018BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01042BF6 mov eax, dword ptr fs:[00000030h]	9_2_01042BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106CBF0 mov eax, dword ptr fs:[00000030h]	9_2_0106CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100EBFC mov eax, dword ptr fs:[00000030h]	9_2_0100EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8A00 mov eax, dword ptr fs:[00000030h]	9_2_00FD8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8A00 mov eax, dword ptr fs:[00000030h]	9_2_00FD8A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8BF0 mov eax, dword ptr fs:[00000030h]	9_2_00FE8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8BF0 mov eax, dword ptr fs:[00000030h]	9_2_00FE8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8BF0 mov eax, dword ptr fs:[00000030h]	9_2_00FE8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0106CA11 mov eax, dword ptr fs:[00000030h]	9_2_0106CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CA24 mov eax, dword ptr fs:[00000030h]	9_2_0101CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0BCD mov eax, dword ptr fs:[00000030h]	9_2_00FE0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0BCD mov eax, dword ptr fs:[00000030h]	9_2_00FE0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0BCD mov eax, dword ptr fs:[00000030h]	9_2_00FE0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01004A35 mov eax, dword ptr fs:[00000030h]	9_2_01004A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01004A35 mov eax, dword ptr fs:[00000030h]	9_2_01004A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CA38 mov eax, dword ptr fs:[00000030h]	9_2_0101CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0BBE mov eax, dword ptr fs:[00000030h]	9_2_00FF0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0BBE mov eax, dword ptr fs:[00000030h]	9_2_00FF0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01010A50 mov eax, dword ptr fs:[00000030h]	9_2_01010A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CA6F mov eax, dword ptr fs:[00000030h]	9_2_0101CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CA6F mov eax, dword ptr fs:[00000030h]	9_2_0101CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CA6F mov eax, dword ptr fs:[00000030h]	9_2_0101CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105CA72 mov eax, dword ptr fs:[00000030h]	9_2_0105CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105CA72 mov eax, dword ptr fs:[00000030h]	9_2_0105CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDCB7E mov eax, dword ptr fs:[00000030h]	9_2_00FDCB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2B79 mov eax, dword ptr fs:[00000030h]	9_2_00FF2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2B79 mov eax, dword ptr fs:[00000030h]	9_2_00FF2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2B79 mov eax, dword ptr fs:[00000030h]	9_2_00FF2B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01018A90 mov edx, dword ptr fs:[00000030h]	9_2_01018A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01036AA4 mov eax, dword ptr fs:[00000030h]	9_2_01036AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8B50 mov eax, dword ptr fs:[00000030h]	9_2_00FD8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01036ACC mov eax, dword ptr fs:[00000030h]	9_2_01036ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01036ACC mov eax, dword ptr fs:[00000030h]	9_2_01036ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01036ACC mov eax, dword ptr fs:[00000030h]	9_2_01036ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014AD0 mov eax, dword ptr fs:[00000030h]	9_2_01014AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014AD0 mov eax, dword ptr fs:[00000030h]	9_2_01014AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101AAEE mov eax, dword ptr fs:[00000030h]	9_2_0101AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101AAEE mov eax, dword ptr fs:[00000030h]	9_2_0101AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014D1D mov eax, dword ptr fs:[00000030h]	9_2_01014D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2CDC mov eax, dword ptr fs:[00000030h]	9_2_00FF2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2CDC mov eax, dword ptr fs:[00000030h]	9_2_00FF2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2CDC mov eax, dword ptr fs:[00000030h]	9_2_00FF2CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01068D20 mov eax, dword ptr fs:[00000030h]	9_2_01068D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8CD0 mov eax, dword ptr fs:[00000030h]	9_2_00FD8CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDCCC8 mov eax, dword ptr fs:[00000030h]	9_2_00FDCCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD8C8D mov eax, dword ptr fs:[00000030h]	9_2_00FD8C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FECC74 mov eax, dword ptr fs:[00000030h]	9_2_00FECC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01016DA0 mov eax, dword ptr fs:[00000030h]	9_2_01016DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEAC50 mov eax, dword ptr fs:[00000030h]	9_2_00FEAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEAC50 mov eax, dword ptr fs:[00000030h]	9_2_00FEAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEAC50 mov eax, dword ptr fs:[00000030h]	9_2_00FEAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEAC50 mov eax, dword ptr fs:[00000030h]	9_2_00FEAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEAC50 mov eax, dword ptr fs:[00000030h]	9_2_00FEAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FEAC50 mov eax, dword ptr fs:[00000030h]	9_2_00FEAC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6C50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6C50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6C50 mov eax, dword ptr fs:[00000030h]	9_2_00FE6C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CDB1 mov ecx, dword ptr fs:[00000030h]	9_2_0101CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0101CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0101CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01008DBF mov eax, dword ptr fs:[00000030h]	9_2_01008DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01008DBF mov eax, dword ptr fs:[00000030h]	9_2_01008DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064DD7 mov eax, dword ptr fs:[00000030h]	9_2_01064DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064DD7 mov eax, dword ptr fs:[00000030h]	9_2_01064DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100EDD3 mov eax, dword ptr fs:[00000030h]	9_2_0100EDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100EDD3 mov eax, dword ptr fs:[00000030h]	9_2_0100EDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDEC20 mov eax, dword ptr fs:[00000030h]	9_2_00FDEC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01000DE1 mov eax, dword ptr fs:[00000030h]	9_2_01000DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100CDF0 mov eax, dword ptr fs:[00000030h]	9_2_0100CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100CDF0 mov ecx, dword ptr fs:[00000030h]	9_2_0100CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0C00 mov eax, dword ptr fs:[00000030h]	9_2_00FF0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0C00 mov eax, dword ptr fs:[00000030h]	9_2_00FF0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0C00 mov eax, dword ptr fs:[00000030h]	9_2_00FF0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF0C00 mov eax, dword ptr fs:[00000030h]	9_2_00FF0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CC00 mov eax, dword ptr fs:[00000030h]	9_2_0101CC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064C0F mov eax, dword ptr fs:[00000030h]	9_2_01064C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDCDEA mov eax, dword ptr fs:[00000030h]	9_2_00FDCDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDCDEA mov eax, dword ptr fs:[00000030h]	9_2_00FDCDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01000C44 mov eax, dword ptr fs:[00000030h]	9_2_01000C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01000C44 mov eax, dword ptr fs:[00000030h]	9_2_01000C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01014C59 mov eax, dword ptr fs:[00000030h]	9_2_01014C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105CCA0 mov ecx, dword ptr fs:[00000030h]	9_2_0105CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0105CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0105CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0105CCA0 mov eax, dword ptr fs:[00000030h]	9_2_0105CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0D59 mov eax, dword ptr fs:[00000030h]	9_2_00FE0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0D59 mov eax, dword ptr fs:[00000030h]	9_2_00FE0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE0D59 mov eax, dword ptr fs:[00000030h]	9_2_00FE0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8D59 mov eax, dword ptr fs:[00000030h]	9_2_00FE8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8D59 mov eax, dword ptr fs:[00000030h]	9_2_00FE8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8D59 mov eax, dword ptr fs:[00000030h]	9_2_00FE8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8D59 mov eax, dword ptr fs:[00000030h]	9_2_00FE8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE8D59 mov eax, dword ptr fs:[00000030h]	9_2_00FE8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064CA8 mov eax, dword ptr fs:[00000030h]	9_2_01064CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01008CB1 mov eax, dword ptr fs:[00000030h]	9_2_01008CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01008CB1 mov eax, dword ptr fs:[00000030h]	9_2_01008CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD6D10 mov eax, dword ptr fs:[00000030h]	9_2_00FD6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD6D10 mov eax, dword ptr fs:[00000030h]	9_2_00FD6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FD6D10 mov eax, dword ptr fs:[00000030h]	9_2_00FD6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012CF0 mov eax, dword ptr fs:[00000030h]	9_2_01012CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012CF0 mov eax, dword ptr fs:[00000030h]	9_2_01012CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012CF0 mov eax, dword ptr fs:[00000030h]	9_2_01012CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012CF0 mov eax, dword ptr fs:[00000030h]	9_2_01012CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFAD00 mov eax, dword ptr fs:[00000030h]	9_2_00FFAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFAD00 mov eax, dword ptr fs:[00000030h]	9_2_00FFAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FFAD00 mov eax, dword ptr fs:[00000030h]	9_2_00FFAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01024F03 mov eax, dword ptr fs:[00000030h]	9_2_01024F03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CF1F mov eax, dword ptr fs:[00000030h]	9_2_0101CF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6EE0 mov eax, dword ptr fs:[00000030h]	9_2_00FE6EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6EE0 mov eax, dword ptr fs:[00000030h]	9_2_00FE6EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6EE0 mov eax, dword ptr fs:[00000030h]	9_2_00FE6EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6EE0 mov eax, dword ptr fs:[00000030h]	9_2_00FE6EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2ED9 mov eax, dword ptr fs:[00000030h]	9_2_00FF2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2ED9 mov eax, dword ptr fs:[00000030h]	9_2_00FF2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2ED9 mov eax, dword ptr fs:[00000030h]	9_2_00FF2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2ED9 mov eax, dword ptr fs:[00000030h]	9_2_00FF2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2ED9 mov eax, dword ptr fs:[00000030h]	9_2_00FF2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2ED9 mov eax, dword ptr fs:[00000030h]	9_2_00FF2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2ED9 mov eax, dword ptr fs:[00000030h]	9_2_00FF2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2ED9 mov eax, dword ptr fs:[00000030h]	9_2_00FF2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FF2ED9 mov eax, dword ptr fs:[00000030h]	9_2_00FF2ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100EF28 mov eax, dword ptr fs:[00000030h]	9_2_0100EF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064F40 mov eax, dword ptr fs:[00000030h]	9_2_01064F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064F40 mov eax, dword ptr fs:[00000030h]	9_2_01064F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064F40 mov eax, dword ptr fs:[00000030h]	9_2_01064F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01064F40 mov eax, dword ptr fs:[00000030h]	9_2_01064F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CF50 mov eax, dword ptr fs:[00000030h]	9_2_0101CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01016F60 mov eax, dword ptr fs:[00000030h]	9_2_01016F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01016F60 mov eax, dword ptr fs:[00000030h]	9_2_01016F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100AF69 mov eax, dword ptr fs:[00000030h]	9_2_0100AF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0100AF69 mov eax, dword ptr fs:[00000030h]	9_2_0100AF69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDAE90 mov eax, dword ptr fs:[00000030h]	9_2_00FDAE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDAE90 mov eax, dword ptr fs:[00000030h]	9_2_00FDAE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FDAE90 mov eax, dword ptr fs:[00000030h]	9_2_00FDAE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_0101CF80 mov eax, dword ptr fs:[00000030h]	9_2_0101CF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_00FE6E71 mov eax, dword ptr fs:[00000030h]	9_2_00FE6E71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 9_2_01012F98 mov eax, dword ptr fs:[00000030h]	9_2_01012F98

Source: C:\Users\user\Desktop\Payment Receipt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe

Code function: 16_2_00F41B93 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

16_2_00F41B93

Source: C:\Users\user\Desktop\Payment Receipt.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe"
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xnnxAkrxh.exe"
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xnnxAkrxh.exe"	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0xF9A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0xF9A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtClose: Indirect: 0x166A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	NtQueueApcThread: Indirect: 0x166A4F2

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 1028	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread register set: target process: 1028
Source: C:\Windows\SysWOW64\systray.exe	Thread register set: target process: 1028

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 2A0000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section unmapped: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe base address: F40000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 87D008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: F0A008	Jump to behavior

Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xnnxAkrxh.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpD235.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Source: explorer.exe, 0000000A.00000002.4528253488.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3095714439.0000000009B89000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096765005.0000000009BA6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 0000000A.00000000.2076615581.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4521856208.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.2076615581.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2081935309.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4521856208.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.2076615581.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4521856208.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.2076615581.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4521856208.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000002.4520859787.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2075644805.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\Payment Receipt.exe	Queries volume information: C:\Users\user\Desktop\Payment Receipt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Payment Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Queries volume information: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\systray.exe

Code function: 16_2_00F41A45 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

16_2_00F41A45

Source: C:\Users\user\Desktop\Payment Receipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Payment Receipt.exe.56b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xnnxAkrxh.exe.32645dc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.2fb45b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.56b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xnnxAkrxh.exe.32645dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.2fb45b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xnnxAkrxh.exe.30427ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.2cd9e14.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xnnxAkrxh.exe.2f89e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.2d92780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2099532221.00000000056B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2122551276.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2094401397.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.Payment Receipt.exe.56b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xnnxAkrxh.exe.32645dc.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.2fb45b0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.56b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xnnxAkrxh.exe.32645dc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.2fb45b0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xnnxAkrxh.exe.30427ac.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.2cd9e14.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.xnnxAkrxh.exe.2f89e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Payment Receipt.exe.2d92780.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2099532221.00000000056B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2096067309.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2122551276.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2094401397.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	712 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Scheduled Task/Job	4 Obfuscated Files or Information	NTDS	213 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	321 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	712 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Receipt.exe	53%	Virustotal		Browse
Payment Receipt.exe	47%	ReversingLabs	Win32.Trojan.Leonem
Payment Receipt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\xnnxAkrxh.exe	47%	ReversingLabs	Win32.Trojan.Leonem

Source	Detection	Scanner	Label
http://www.oliticalpatriot.net	0%	Avira URL Cloud	safe
http://www.dj1.lat/a03d/www.olourclubbet.shop	100%	Avira URL Cloud	malware
http://www.duxrib.xyz/a03d/www.oliticalpatriot.net	100%	Avira URL Cloud	malware
http://www.agiararoma.net	0%	Avira URL Cloud	safe
http://www.eatbox.store	0%	Avira URL Cloud	safe
http://www.ensentoto.cloudReferer:	0%	Avira URL Cloud	safe
http://www.oonlightshadow.shop	0%	Avira URL Cloud	safe
http://www.olourclubbet.shop/a03d/www.leurdivin.online	100%	Avira URL Cloud	malware
http://www.dj1.lat/a03d/	100%	Avira URL Cloud	malware
www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.aja168e.liveReferer:	0%	Avira URL Cloud	safe
http://www.enelog.xyzReferer:	0%	Avira URL Cloud	safe
http://www.lphatechblog.xyzReferer:	0%	Avira URL Cloud	safe
http://www.enelog.xyz/a03d/www.elnqdjc.shop	100%	Avira URL Cloud	malware
http://www.ome-renovation-86342.bond/a03d/www.eepvid.xyz	100%	Avira URL Cloud	malware
http://www.duxrib.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.ensentoto.cloud/a03d/	100%	Avira URL Cloud	malware
http://www.aja168e.live/a03d/e	100%	Avira URL Cloud	malware
http://www.enelog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.eepvid.xyz	0%	Avira URL Cloud	safe
http://www.ensentoto.cloud	0%	Avira URL Cloud	safe
http://www.dj1.latReferer:	0%	Avira URL Cloud	safe
http://www.leurdivin.online/a03d/	100%	Avira URL Cloud	malware
http://www.eepvid.xyz/a03d/www.agiararoma.net	100%	Avira URL Cloud	malware
http://www.lphatechblog.xyz	0%	Avira URL Cloud	safe
http://www.inggraphic.pro/a03d/	100%	Avira URL Cloud	malware
http://www.oonlightshadow.shop/a03d/	100%	Avira URL Cloud	malware
http://www.aja168e.live	0%	Avira URL Cloud	safe
http://www.inggraphic.proReferer:	0%	Avira URL Cloud	safe
http://www.lphatechblog.xyz/a03d/www.ensentoto.cloud	100%	Avira URL Cloud	malware
http://www.elnqdjc.shop/a03d/www.inggraphic.pro	100%	Avira URL Cloud	malware
http://www.inggraphic.pro	0%	Avira URL Cloud	safe
http://www.olourclubbet.shopReferer:	0%	Avira URL Cloud	safe
http://www.eatbox.store/a03d/	100%	Avira URL Cloud	malware
http://www.eepvid.xyzReferer:	0%	Avira URL Cloud	safe
http://www.agiararoma.netReferer:	0%	Avira URL Cloud	safe
http://www.leurdivin.online/a03d/www.duxrib.xyz	100%	Avira URL Cloud	malware
http://www.lphatechblog.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.ome-renovation-86342.bondReferer:	0%	Avira URL Cloud	safe
http://www.enelog.xyz	0%	Avira URL Cloud	safe
http://www.elnqdjc.shop/a03d/	100%	Avira URL Cloud	malware
http://www.ensentoto.cloud/a03d/www.aja168e.live	100%	Avira URL Cloud	malware
http://www.oonlightshadow.shop/a03d/www.ome-renovation-86342.bond	100%	Avira URL Cloud	malware
http://www.aja168e.live/a03d/	100%	Avira URL Cloud	malware
http://www.oliticalpatriot.net/a03d/	100%	Avira URL Cloud	malware
http://www.ome-renovation-86342.bond/a03d/	100%	Avira URL Cloud	malware
http://www.dj1.lat	0%	Avira URL Cloud	safe
http://www.agiararoma.net/a03d/	100%	Avira URL Cloud	malware
http://www.inggraphic.pro/a03d/www.lphatechblog.xyz	100%	Avira URL Cloud	malware
http://www.ome-renovation-86342.bond	0%	Avira URL Cloud	safe
http://www.oonlightshadow.shopReferer:	0%	Avira URL Cloud	safe
http://www.leurdivin.onlineReferer:	0%	Avira URL Cloud	safe
http://www.olourclubbet.shop/a03d/	100%	Avira URL Cloud	malware
http://www.elnqdjc.shop	0%	Avira URL Cloud	safe
http://www.eatbox.store/a03d/www.enelog.xyz	100%	Avira URL Cloud	malware
http://www.elnqdjc.shopReferer:	0%	Avira URL Cloud	safe
http://www.oliticalpatriot.netReferer:	0%	Avira URL Cloud	safe
http://www.agiararoma.net/a03d/www.eatbox.store	100%	Avira URL Cloud	malware
http://www.eatbox.storeReferer:	0%	Avira URL Cloud	safe
http://www.oliticalpatriot.net/a03d/www.oonlightshadow.shop	100%	Avira URL Cloud	malware
http://www.olourclubbet.shop	0%	Avira URL Cloud	safe
http://www.eepvid.xyz/a03d/	100%	Avira URL Cloud	malware
http://www.leurdivin.online	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
www.olourclubbet.shop	unknown	unknown	true	unknown
www.leurdivin.online	unknown	unknown	true	unknown
www.agiararoma.net	unknown	unknown	true	unknown
www.elnqdjc.shop	unknown	unknown	true	unknown
www.dj1.lat	unknown	unknown	true	unknown
www.oliticalpatriot.net	unknown	unknown	true	unknown
www.ome-renovation-86342.bond	unknown	unknown	true	unknown
206.23.85.13.in-addr.arpa	unknown	unknown	false	high
www.enelog.xyz	unknown	unknown	true	unknown
www.eatbox.store	unknown	unknown	true	unknown
www.oonlightshadow.shop	unknown	unknown	true	unknown
www.eepvid.xyz	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.enelog.xyz/a03d/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 0000000A.00000000.2089672425.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.eatbox.store	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oliticalpatriot.net	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dj1.lat/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.dj1.lat/a03d/www.olourclubbet.shop	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.olourclubbet.shop/a03d/www.leurdivin.online	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ensentoto.cloudReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 0000000A.00000002.4532983341.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2096023107.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false		high
http://tempuri.org/DataSet1.xsd	Payment Receipt.exe, xnnxAkrxh.exe.0.dr	false		high
http://www.duxrib.xyz/a03d/www.oliticalpatriot.net	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.agiararoma.net	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oonlightshadow.shop	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 0000000A.00000002.4528253488.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3095714439.0000000009B89000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096765005.0000000009BA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097395447.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 0000000A.00000002.4526732090.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4526100825.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.2087738182.0000000008890000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.duxrib.xyzReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.aja168e.liveReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enelog.xyzReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duxrib.xyz/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.enelog.xyz/a03d/www.elnqdjc.shop	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ensentoto.cloud/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ome-renovation-86342.bond/a03d/www.eepvid.xyz	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.lphatechblog.xyzReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aja168e.live/a03d/e	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.enelog.xyz/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.eepvid.xyz	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.leurdivin.online/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 0000000A.00000002.4532983341.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2096023107.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Payment Receipt.exe, 00000000.00000002.2094401397.0000000002BD6000.00000004.00000800.00020000.00000000.sdmp, xnnxAkrxh.exe, 0000000B.00000002.2122551276.0000000002E86000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.lphatechblog.xyz	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eepvid.xyz/a03d/www.agiararoma.net	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/)s	explorer.exe, 0000000A.00000000.2089672425.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4527375829.00000000099B0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.dj1.latReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ensentoto.cloud	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.inggraphic.pro/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oonlightshadow.shop/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.aja168e.live	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lphatechblog.xyz/a03d/www.ensentoto.cloud	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.inggraphic.proReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eatbox.store/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.elnqdjc.shop/a03d/www.inggraphic.pro	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.inggraphic.pro	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.olourclubbet.shopReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eepvid.xyzReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.agiararoma.netReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.leurdivin.online/a03d/www.duxrib.xyz	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.com	explorer.exe, 0000000A.00000002.4528307777.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3095714439.0000000009B89000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3096765005.0000000009BA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009BA9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3097035501.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.lphatechblog.xyz/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.elnqdjc.shop/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ome-renovation-86342.bondReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oonlightshadow.shop/a03d/www.ome-renovation-86342.bond	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.enelog.xyz	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dj1.lat	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ensentoto.cloud/a03d/www.aja168e.live	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.aja168e.live/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oliticalpatriot.net/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ome-renovation-86342.bond/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.agiararoma.net/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.inggraphic.pro/a03d/www.lphatechblog.xyz	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oonlightshadow.shopReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 0000000A.00000000.2082591553.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4524849977.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.olourclubbet.shop/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.leurdivin.onlineReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ome-renovation-86342.bond	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.eatbox.store/a03d/www.enelog.xyz	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.oliticalpatriot.netReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elnqdjc.shop	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.elnqdjc.shopReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.duxrib.xyz	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 0000000A.00000002.4527375829.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2089672425.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.oliticalpatriot.net/a03d/www.oonlightshadow.shop	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.agiararoma.net/a03d/www.eatbox.store	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.eatbox.storeReferer:	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.olourclubbet.shop	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.v	explorer.exe, 0000000A.00000002.4520859787.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.2075644805.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.eepvid.xyz/a03d/	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.leurdivin.online	explorer.exe, 0000000A.00000002.4527375829.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590981
Start date and time:	2025-01-14 16:57:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	Payment Receipt.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@26/15@12/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 166 Number of non-executed functions: 315
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 199.232.214.172, 2.17.190.73, 20.3.187.198, 13.85.23.206, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, e3913.cd.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:58:38	API Interceptor	1x Sleep call for process: Payment Receipt.exe modified
10:58:39	API Interceptor	26x Sleep call for process: powershell.exe modified
10:58:41	API Interceptor	1x Sleep call for process: xnnxAkrxh.exe modified
10:58:42	API Interceptor	7307020x Sleep call for process: explorer.exe modified
10:59:22	API Interceptor	6446837x Sleep call for process: systray.exe modified
16:58:40	Task Scheduler	Run new task: xnnxAkrxh path: C:\Users\user\AppData\Roaming\xnnxAkrxh.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	tpmbypassprivatestore.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	hhcqxkb.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://forrestore.com/static/apps/437.zip	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://2ol.itectaxice.ru/Qm75/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://account.tctmagazine.com/emailclickthrough?TxActivity=239212&returnUrl=https://mighty-calm-plum-toucan.easy2.de/&Hash=1DD38A2BA32B80F59EA0F1A750C3EC0E	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
bg.microsoft.map.fastly.net	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	email.eml	Get hash	malicious	unknown	Browse	199.232.214.172
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	final shipping documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.232.214.172
	0dsIoO7xjt.docx	Get hash	malicious	Unknown	Browse	199.232.210.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	original.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	Mbda Us.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	T710XblGiM.docm	Get hash	malicious	Unknown	Browse	199.232.210.172
	T710XblGiM.docm	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	https://github.com/MscrmTools/XrmToolBox/releases/download/v1.2024.9.69/XrmToolbox.zip	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://bccab.dynartis.it/TI_loc.csv	Get hash	malicious	Unknown	Browse	23.1.237.91
	1736856908fb16676aec3e4c808c4bd5cde8e123cc70360266f85ec0ed17050bca6456c9dd274.dat-decoded.exe	Get hash	malicious	XWorm	Browse	23.1.237.91
	https://akirapowered84501.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuG-142imNH	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://bombasml.es	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://performancemanager10.successfactors.com/sf/hrisworkflowapprovelink?workflowRequestId=V4-0-a1-iHQRWD3bQis7XhhWNKzjfWwnvURbEsN0CxUc27Zt3ml0ag&company=oceanagoldT2&username=dave.oliver@oceanagold.com	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://inform-customer-sale.vercel.app/	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91

Process:	C:\Users\user\Desktop\Payment Receipt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xnnxAkrxh.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\xnnxAkrxh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZeUyus:lGLHxv2IfLZ2KRH6Ougos
MD5:	534D6716758747FA57A53A245EB4D6A1
SHA1:	78784FF1B73FBA507598C5D518BE90D9B96EE1B6
SHA-256:	2BC11EC63A7511C3C755BA497E774B153A2C8366E779B00369714A49EE4E492B
SHA-512:	D957D8DD62F4694C3FF7CE48384356F756370B082B488529AB510C35DB5C06C159EACA9ABEADFC715E13BAB7C5EDF2DD9D7134BDBF6DCF1D2B3F4451E1454475
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1j21oyo0.dkf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2vmk3dhn.gku.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikplznr0.pdh.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_javjnqpk.nnt.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jvvo4gcn.bdj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltq14tk4.eeu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4lu2k10.121.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mftjzgvy.aqw.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmpC62F.tmp

Download File

Process:	C:\Users\user\Desktop\Payment Receipt.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.098308124399701
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNti3zVxvn:cgergYrFdOFzOzN33ODOiDdKrsuTYzrv
MD5:	35274496FED5CC17CBAB7A776980E9CA
SHA1:	B76E03C015D8A45F52097CB25D5779EA70B08AEF
SHA-256:	D70C8B7606ABBE59E9B130EBBD2D4D61DF71461EDFF180643445B769B6F091CC
SHA-512:	BCD4EE9A15984FE6C56173655F94E4AAFDDFC3069DEDEC60DCA48E28ACD4EB7B2539DEF2A962BEB13B210E85F27BB7EC04BD13D1CF809B32C83620B622791A0D
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmpD235.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\xnnxAkrxh.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1582
Entropy (8bit):	5.098308124399701
Encrypted:	false
SSDEEP:	24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNti3zVxvn:cgergYrFdOFzOzN33ODOiDdKrsuTYzrv
MD5:	35274496FED5CC17CBAB7A776980E9CA
SHA1:	B76E03C015D8A45F52097CB25D5779EA70B08AEF
SHA-256:	D70C8B7606ABBE59E9B130EBBD2D4D61DF71461EDFF180643445B769B6F091CC
SHA-512:	BCD4EE9A15984FE6C56173655F94E4AAFDDFC3069DEDEC60DCA48E28ACD4EB7B2539DEF2A962BEB13B210E85F27BB7EC04BD13D1CF809B32C83620B622791A0D
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\xnnxAkrxh.exe

Download File

Process:	C:\Users\user\Desktop\Payment Receipt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	663040
Entropy (8bit):	7.694468156173238
Encrypted:	false
SSDEEP:	12288:+YRxA4Y5lyA/BxSPCgPGT5GrNz72lYBjonsMqfGx7OnOSSGsR8CleigAVJTsxZtK:ZROUrF8K0qq0OEfCQjUszE
MD5:	D9D98D244F3D4779C8AA532562FFB536
SHA1:	594ABBCF69862F343C0CE75716DA5607AB6BBAED
SHA-256:	4D49933551F01CC730F63FD290ECB61F4BFA880A0660F0EC7363E148EF85645A
SHA-512:	4807098AE5E3DB0B40E32C7CC053580202922CC3CC1374AACFA5D767E3CA2D94255D029865A6351233B613835D06068011A0EA15ACAD620256137C8ED826CE96
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............r2... ...@....@.. ....................................@..................................2..O....@.......................`......L...p............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................Q2......H.......hK..\=......9...................................................0..L.........}.....(.......(......(............s......(.....o......( ....o!.....(".....0..K.........}........(#........($.....,5...(............s......(.....o......(.....o!....8.....r...p.J...(%...o&...tJ.......('..........9.....s.........s(...s)...o.......o+...(,.......o-...(........o/...(0.......o1...(2.......o3...(4.......o5...(6.........(7.....(......+....s(...s)...(*........(8...........s......(..

C:\Users\user\AppData\Roaming\xnnxAkrxh.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Payment Receipt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.694468156173238
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Payment Receipt.exe
File size:	663'040 bytes
MD5:	d9d98d244f3d4779c8aa532562ffb536
SHA1:	594abbcf69862f343c0ce75716da5607ab6bbaed
SHA256:	4d49933551f01cc730f63fd290ecb61f4bfa880a0660f0ec7363e148ef85645a
SHA512:	4807098ae5e3db0b40e32c7cc053580202922cc3cc1374aacfa5d767e3ca2d94255d029865a6351233b613835d06068011a0ea15acad620256137c8ed826ce96
SSDEEP:	12288:+YRxA4Y5lyA/BxSPCgPGT5GrNz72lYBjonsMqfGx7OnOSSGsR8CleigAVJTsxZtK:ZROUrF8K0qq0OEfCQjUszE
TLSH:	04E4F1647229E807C5971FB10A22D3F91779AD99E920D303DFEA3EFB7C36A1515803A1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............r2... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a3272
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFAE9CBCD [Sat May 26 12:34:21 2103 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa321d	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa1a4c	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa1288	0xa1400	20bec6c17b6d441d05820bb05f7f9966	False	0.9093659156976744	data	7.702381936686581	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x5e0	0x600	d0c7189329e4bcaa95ef17d16cff8cbb	False	0.431640625	data	4.160647078658928	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	d87dc7069747865e713a6968a10a6e3f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa4090	0x350	data			0.4257075471698113
RT_MANIFEST	0xa43f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:58:35.404980898 CET	49675	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:35.405061960 CET	49674	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:35.529989004 CET	49673	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:45.014352083 CET	49674	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:45.014357090 CET	49675	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:45.139348984 CET	49673	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:46.816694021 CET	443	49703	23.1.237.91	192.168.2.5
Jan 14, 2025 16:58:46.816894054 CET	49703	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:58.510492086 CET	49703	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:58.510492086 CET	49703	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:58.511220932 CET	49729	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:58.511260986 CET	443	49729	23.1.237.91	192.168.2.5
Jan 14, 2025 16:58:58.511390924 CET	49729	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:58.511864901 CET	49729	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:58:58.511883020 CET	443	49729	23.1.237.91	192.168.2.5
Jan 14, 2025 16:58:58.515573025 CET	443	49703	23.1.237.91	192.168.2.5
Jan 14, 2025 16:58:58.515600920 CET	443	49703	23.1.237.91	192.168.2.5
Jan 14, 2025 16:58:59.105192900 CET	443	49729	23.1.237.91	192.168.2.5
Jan 14, 2025 16:58:59.105850935 CET	49729	443	192.168.2.5	23.1.237.91
Jan 14, 2025 16:59:10.929615974 CET	49356	53	192.168.2.5	162.159.36.2
Jan 14, 2025 16:59:10.934493065 CET	53	49356	162.159.36.2	192.168.2.5
Jan 14, 2025 16:59:10.936708927 CET	49356	53	192.168.2.5	162.159.36.2
Jan 14, 2025 16:59:10.936758995 CET	49356	53	192.168.2.5	162.159.36.2
Jan 14, 2025 16:59:10.941598892 CET	53	49356	162.159.36.2	192.168.2.5
Jan 14, 2025 16:59:11.385220051 CET	53	49356	162.159.36.2	192.168.2.5
Jan 14, 2025 16:59:11.388314962 CET	49356	53	192.168.2.5	162.159.36.2
Jan 14, 2025 16:59:11.396337032 CET	53	49356	162.159.36.2	192.168.2.5
Jan 14, 2025 16:59:11.399590015 CET	49356	53	192.168.2.5	162.159.36.2
Jan 14, 2025 16:59:18.257095098 CET	443	49729	23.1.237.91	192.168.2.5
Jan 14, 2025 16:59:18.257180929 CET	49729	443	192.168.2.5	23.1.237.91

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 16:59:10.927542925 CET	53	62925	162.159.36.2	192.168.2.5
Jan 14, 2025 16:59:11.439152002 CET	53518	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:59:11.446515083 CET	53	53518	1.1.1.1	192.168.2.5
Jan 14, 2025 16:59:16.875190973 CET	49683	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:59:16.884042978 CET	53	49683	1.1.1.1	192.168.2.5
Jan 14, 2025 16:59:36.624735117 CET	57942	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:59:36.633454084 CET	53	57942	1.1.1.1	192.168.2.5
Jan 14, 2025 16:59:56.891633987 CET	49441	53	192.168.2.5	1.1.1.1
Jan 14, 2025 16:59:56.901618004 CET	53	49441	1.1.1.1	192.168.2.5
Jan 14, 2025 17:00:37.469516039 CET	64180	53	192.168.2.5	1.1.1.1
Jan 14, 2025 17:00:37.480067968 CET	53	64180	1.1.1.1	192.168.2.5
Jan 14, 2025 17:00:57.907255888 CET	53590	53	192.168.2.5	1.1.1.1
Jan 14, 2025 17:00:57.992129087 CET	53	53590	1.1.1.1	192.168.2.5
Jan 14, 2025 17:01:18.375351906 CET	63590	53	192.168.2.5	1.1.1.1
Jan 14, 2025 17:01:18.384378910 CET	53	63590	1.1.1.1	192.168.2.5
Jan 14, 2025 17:01:38.843972921 CET	58393	53	192.168.2.5	1.1.1.1
Jan 14, 2025 17:01:38.852811098 CET	53	58393	1.1.1.1	192.168.2.5
Jan 14, 2025 17:01:59.343652010 CET	51555	53	192.168.2.5	1.1.1.1
Jan 14, 2025 17:01:59.353140116 CET	53	51555	1.1.1.1	192.168.2.5
Jan 14, 2025 17:02:19.839963913 CET	56553	53	192.168.2.5	1.1.1.1
Jan 14, 2025 17:02:19.848644018 CET	53	56553	1.1.1.1	192.168.2.5
Jan 14, 2025 17:02:40.769581079 CET	58421	53	192.168.2.5	1.1.1.1
Jan 14, 2025 17:02:40.781064987 CET	53	58421	1.1.1.1	192.168.2.5
Jan 14, 2025 17:03:02.358901024 CET	55878	53	192.168.2.5	1.1.1.1
Jan 14, 2025 17:03:02.370676994 CET	53	55878	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 16:59:11.439152002 CET	192.168.2.5	1.1.1.1	0x69ce	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 14, 2025 16:59:16.875190973 CET	192.168.2.5	1.1.1.1	0x48c2	Standard query (0)	www.dj1.lat	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:59:36.624735117 CET	192.168.2.5	1.1.1.1	0x1a1d	Standard query (0)	www.olourclubbet.shop	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:59:56.891633987 CET	192.168.2.5	1.1.1.1	0xcf96	Standard query (0)	www.leurdivin.online	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:00:37.469516039 CET	192.168.2.5	1.1.1.1	0xf616	Standard query (0)	www.oliticalpatriot.net	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:00:57.907255888 CET	192.168.2.5	1.1.1.1	0xd3ef	Standard query (0)	www.oonlightshadow.shop	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:01:18.375351906 CET	192.168.2.5	1.1.1.1	0xe62d	Standard query (0)	www.ome-renovation-86342.bond	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:01:38.843972921 CET	192.168.2.5	1.1.1.1	0xb1c5	Standard query (0)	www.eepvid.xyz	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:01:59.343652010 CET	192.168.2.5	1.1.1.1	0xeb12	Standard query (0)	www.agiararoma.net	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:02:19.839963913 CET	192.168.2.5	1.1.1.1	0xc094	Standard query (0)	www.eatbox.store	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:02:40.769581079 CET	192.168.2.5	1.1.1.1	0xd760	Standard query (0)	www.enelog.xyz	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:03:02.358901024 CET	192.168.2.5	1.1.1.1	0x412d	Standard query (0)	www.elnqdjc.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 16:58:55.378820896 CET	1.1.1.1	192.168.2.5	0xb485	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 16:58:55.378820896 CET	1.1.1.1	192.168.2.5	0xb485	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:58:56.556714058 CET	1.1.1.1	192.168.2.5	0x5fb0	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:58:56.556714058 CET	1.1.1.1	192.168.2.5	0x5fb0	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:59:11.446515083 CET	1.1.1.1	192.168.2.5	0x69ce	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 14, 2025 16:59:16.884042978 CET	1.1.1.1	192.168.2.5	0x48c2	Name error (3)	www.dj1.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:59:36.633454084 CET	1.1.1.1	192.168.2.5	0x1a1d	Name error (3)	www.olourclubbet.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:59:56.901618004 CET	1.1.1.1	192.168.2.5	0xcf96	Name error (3)	www.leurdivin.online	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:59:59.429285049 CET	1.1.1.1	192.168.2.5	0xc641	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 16:59:59.429285049 CET	1.1.1.1	192.168.2.5	0xc641	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:00:37.480067968 CET	1.1.1.1	192.168.2.5	0xf616	Name error (3)	www.oliticalpatriot.net	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:00:57.992129087 CET	1.1.1.1	192.168.2.5	0xd3ef	Name error (3)	www.oonlightshadow.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:01:18.384378910 CET	1.1.1.1	192.168.2.5	0xe62d	Name error (3)	www.ome-renovation-86342.bond	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:01:38.852811098 CET	1.1.1.1	192.168.2.5	0xb1c5	Name error (3)	www.eepvid.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:01:59.353140116 CET	1.1.1.1	192.168.2.5	0xeb12	Name error (3)	www.agiararoma.net	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:02:19.848644018 CET	1.1.1.1	192.168.2.5	0xc094	Name error (3)	www.eatbox.store	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:02:40.781064987 CET	1.1.1.1	192.168.2.5	0xd760	Name error (3)	www.enelog.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:03:02.370676994 CET	1.1.1.1	192.168.2.5	0x412d	Name error (3)	www.elnqdjc.shop	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:58:37
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\Payment Receipt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment Receipt.exe"
Imagebase:	0x820000
File size:	663'040 bytes
MD5 hash:	D9D98D244F3D4779C8AA532562FFB536
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2099532221.00000000056B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2096067309.0000000003E00000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2096067309.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2094401397.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2096067309.0000000003BE7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:58:38
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Payment Receipt.exe"
Imagebase:	0x110000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:58:38
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:58:38
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xnnxAkrxh.exe"
Imagebase:	0x110000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:58:39
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:58:39
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpC62F.tmp"
Imagebase:	0x4a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:58:39
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:58:39
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x630000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:58:39
Start date:	14/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 0000000A.00000002.4536334313.0000000010EEF000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	10:58:40
Start date:	14/01/2025
Path:	C:\Users\user\AppData\Roaming\xnnxAkrxh.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\xnnxAkrxh.exe
Imagebase:	0xa70000
File size:	663'040 bytes
MD5 hash:	D9D98D244F3D4779C8AA532562FFB536
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2125103490.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2122551276.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 47%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:58:40
Start date:	14/01/2025
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	10:58:42
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xnnxAkrxh" /XML "C:\Users\user\AppData\Local\Temp\tmpD235.tmp"
Imagebase:	0x4a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:58:42
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:58:42
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xc10000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:58:42
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\systray.exe"
Imagebase:	0xf40000
File size:	9'728 bytes
MD5 hash:	28D565BB24D30E5E3DE8AFF6900AF098
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4521461890.0000000004520000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4521376943.00000000044F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	10:58:44
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\NETSTAT.EXE"
Imagebase:	0x2a0000
File size:	32'768 bytes
MD5 hash:	9DB170ED520A6DD57B5AC92EC537368A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.2156428276.0000000003250000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:58:46
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	10:58:46
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	48
Total number of Limit Nodes:	4

Executed Functions

Function 01134204 Relevance: 3.9, Strings: 3, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp]q, xrefs: 011371F1
@C, xrefs: 011370C0
@C, xrefs: 01137138

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID:
String ID: @C$@C$Pp]q
API String ID: 0-3431496972
Opcode ID: b7c9f62f55d657b5cf2b3d1cc8fe3e9c293eca025430b800d35f28fe5b915b9d
Instruction ID: f2ac404115d4521f497c4864dfcc8c477f604f4f4ae35997e25ac6ef1381047c
Opcode Fuzzy Hash: b7c9f62f55d657b5cf2b3d1cc8fe3e9c293eca025430b800d35f28fe5b915b9d
Instruction Fuzzy Hash: B381A274E006089FCB15DFA9D981ADDBBF6FF88300F208529E819A7369DB345945CF50

Function 01137018 Relevance: 3.9, Strings: 3, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Pp]q, xrefs: 011371F1
@C, xrefs: 011370C0
@C, xrefs: 01137138

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID:
String ID: @C$@C$Pp]q
API String ID: 0-3431496972
Opcode ID: 0f6684755ef7e705302079f094e376a061baba039f7b58286ac326570567bc59
Instruction ID: e7cdb4c0b9daf853b260c891a2f20824748d1cb8b091a1bdd0b3ea42baba7db7
Opcode Fuzzy Hash: 0f6684755ef7e705302079f094e376a061baba039f7b58286ac326570567bc59
Instruction Fuzzy Hash: 4281B374E006089FCB15DFA9D981ADDBBF6FF88304F208529E819A7369DB345946CF50

Function 0113D372 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0113D3F6
GetCurrentThread.KERNEL32 ref: 0113D433
GetCurrentProcess.KERNEL32 ref: 0113D470
GetCurrentThreadId.KERNEL32 ref: 0113D4C9

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: c84a9c38239c6c73380cf8377a7b10a24a272b185df8242b7f8a39c51c064a89
Instruction ID: 06b1244e58b3786589eead8b67c7966b9edbb5da00f09f792d61d1c4c62931a8
Opcode Fuzzy Hash: c84a9c38239c6c73380cf8377a7b10a24a272b185df8242b7f8a39c51c064a89
Instruction Fuzzy Hash: 725134B09013098FDB18DFA9E549BEEBBF1EF88314F24C459E419A7260D738A944CF65

Function 0113D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0113D3F6
GetCurrentThread.KERNEL32 ref: 0113D433
GetCurrentProcess.KERNEL32 ref: 0113D470
GetCurrentThreadId.KERNEL32 ref: 0113D4C9

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5f849896988fa02e78fba06f5cd13d2e4bd45b05cdd6693b300eb685b5b994bf
Instruction ID: 5d86ee4935bb5a7889deeb0b519d0e3f1e5de6a2d95d2b89bf5d76019f02a8fa
Opcode Fuzzy Hash: 5f849896988fa02e78fba06f5cd13d2e4bd45b05cdd6693b300eb685b5b994bf
Instruction Fuzzy Hash: B55135B09013098FDB18DFA9E549BEEBBF1EF88314F24C459E419A7260D738A944CF65

Function 08C8F6D4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08C8F916

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0799bf8091563b8a7334fe5166d6b50ffd2be69b3e35a16f2b7ac4584553fed1
Instruction ID: 6954e9f67370e8420b1413e6f9aa164510f75ab714b066c585c566640089faa9
Opcode Fuzzy Hash: 0799bf8091563b8a7334fe5166d6b50ffd2be69b3e35a16f2b7ac4584553fed1
Instruction Fuzzy Hash: C5A17F71D10619DFEB24DF68C840BDDBBB2BF48319F14856EE818A7240DB749A86CF91

Function 08C8F6E0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08C8F916

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 176053587158cff2df67e3b4240535ddb0216e004dc4b1c9bef59d2e301deda4
Instruction ID: 821c74b3feb9d799e57b75977d7d333dd62b613bcc92dcca8258dee8bf6d6a7b
Opcode Fuzzy Hash: 176053587158cff2df67e3b4240535ddb0216e004dc4b1c9bef59d2e301deda4
Instruction Fuzzy Hash: 3C917E71D10619DFEB24DF68C840BEDBBB2BF48315F14856EE818A7240DB749A86CF91

Function 0113590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011359C9

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a5de5d7467b1d88c1365d529f30f9e4ea08bcb7c983a6fc35aec824ff2f23ba9
Instruction ID: da16714cd529a0d358eab2a8678c5e30103591bf2a6f235b211c94a1f17c1d46
Opcode Fuzzy Hash: a5de5d7467b1d88c1365d529f30f9e4ea08bcb7c983a6fc35aec824ff2f23ba9
Instruction Fuzzy Hash: A641E4B0C00719CBDB28CFA9C984BCDBBF6BF49704F20805AD418AB255DB766946CF90

Function 011344F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 011359C9

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 744954c45c2102676b0a036df513c9d3956c1a367206fd3a7960037af81fd9ce
Instruction ID: e96c885769a250a5edf77aae2fb057f96fba2f0a2b31d9d2157cae559d80f1a4
Opcode Fuzzy Hash: 744954c45c2102676b0a036df513c9d3956c1a367206fd3a7960037af81fd9ce
Instruction Fuzzy Hash: 8241E3B0C0071DCBDB28DFA9C884B9DBBF6BF89704F20805AD418AB255DB765946CF91

Function 08C8F450 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08C8F4E8

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e9c9b5b62392b26423805b12574f148af7f512f9e47883e7f4a1ff3e46b8350c
Instruction ID: 158e0fcb1d1b074fb91a91f48516a32a2f7e0f102a6be92979fde29a4ad8698d
Opcode Fuzzy Hash: e9c9b5b62392b26423805b12574f148af7f512f9e47883e7f4a1ff3e46b8350c
Instruction Fuzzy Hash: CD2148B59003499FCB10DFA9C945BEEBBF5FF48314F10842AE958A7240DB789945CBA0

Function 08C8F458 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08C8F4E8

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fc2c6f97b20252a0134b47c5c764765be83b549524fb0a47a5aa38afbb14ada2
Instruction ID: 7e378ec6be6244b12a18efdc2914949bd58167f21ad9546f9d511592b2133895
Opcode Fuzzy Hash: fc2c6f97b20252a0134b47c5c764765be83b549524fb0a47a5aa38afbb14ada2
Instruction Fuzzy Hash: BD2127B5900309DFCB10DFA9C985BEEBBF5FF48314F10842AE919A7240DB789945CBA0

Function 08C8F2B8 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08C8F33E

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 1585b5b67ef395166e175a2a9deee61081519b46edf6e7e9c421a7a3dc959a30
Instruction ID: 6bbc72e987bbae7d084239e28a64a5a0bdad32bb36b589ca30277bcc20317333
Opcode Fuzzy Hash: 1585b5b67ef395166e175a2a9deee61081519b46edf6e7e9c421a7a3dc959a30
Instruction Fuzzy Hash: 182137B59102099FDB10DFAAC4857EEBBF4EF88314F14842ED559A7240CB789985CFA1

Function 08C8F2C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08C8F33E

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: b54ce087529ce5d06eccefd88d7b26e07df79044aa2f6f0fd51c2f52b2569bbe
Instruction ID: cbfff2db46a8c0d2aa9741ed378a9ec8a2ae26a88c66cf3a737fb4afa75084d9
Opcode Fuzzy Hash: b54ce087529ce5d06eccefd88d7b26e07df79044aa2f6f0fd51c2f52b2569bbe
Instruction Fuzzy Hash: 772118B59002098FDB10DFAAC4857EEBBF4FF48314F14842DD559A7240DB789945CFA1

Function 08C8F548 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08C8F5C8

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f383d829beefeb0929ee0e192406ac916a71ad75552a45babb6d3072989b7a74
Instruction ID: ca9276c1da409804d1e8f112848c5ca9b5fcf1807e6550740278aba68bdb3705
Opcode Fuzzy Hash: f383d829beefeb0929ee0e192406ac916a71ad75552a45babb6d3072989b7a74
Instruction Fuzzy Hash: 3321F5B58002499FCB10DFAAC985AEEFBF5FF48310F50842AE519A7250DB789945CBA1

Function 08C8F540 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08C8F5C8

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 4d50a4477e09bfebafcb4477e90c725a5221b4d9041bf607468333d2820e7d1d
Instruction ID: 0b40024be4f6c5818a1bb606ae36018af52919b1d55ecf390eb8fb19e73bb32f
Opcode Fuzzy Hash: 4d50a4477e09bfebafcb4477e90c725a5221b4d9041bf607468333d2820e7d1d
Instruction Fuzzy Hash: B12116B5C003099FCB10DFA9C941AEEBBF5FF48310F10882AE919A7250DB389551CBA0

Function 0113D9C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0113DA4F

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 72c74c4d92eb1ba2ffd5f8f846615b33e9f5d1b86172c91a4802ef1cb7d9b4ad
Instruction ID: d1e9269b135038f3926fb27c540dc5506dd28b064c14bdc40f4776ed211c11c5
Opcode Fuzzy Hash: 72c74c4d92eb1ba2ffd5f8f846615b33e9f5d1b86172c91a4802ef1cb7d9b4ad
Instruction Fuzzy Hash: 2521C4B5900248DFDB10CF9AD584ADEBFF9FB48310F14841AE918A3350D378A944CFA5

Function 0113D9C7 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0113DA4F

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8302a3405e7624d9207649cceb923326a717d1d0d1db73e9ad9a17bea847f740
Instruction ID: cb4a42cd17283f4aab8c13cbbac91c685e81557f471afcf911350b617e52dd36
Opcode Fuzzy Hash: 8302a3405e7624d9207649cceb923326a717d1d0d1db73e9ad9a17bea847f740
Instruction Fuzzy Hash: E021C2B5900208DFDB10CFA9D584AEEBBF5FB48310F14841AE918A3350D378A944CFA0

Function 08C8F390 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08C8F406

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7bd73ebf63acbed57ca7ca352d0b6bcb7beba422857ecc8ccb2b6851ff2af9b3
Instruction ID: 210f4dac9c1f997d3a53179a1af8d787998ffc916c6322e63082cff43146efb7
Opcode Fuzzy Hash: 7bd73ebf63acbed57ca7ca352d0b6bcb7beba422857ecc8ccb2b6851ff2af9b3
Instruction Fuzzy Hash: 1B1159B58002489FCB10DFAAC844AEEBFF5FF88314F14841AE519A7250CB759540CFA0

Function 08C8F398 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08C8F406

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3eaa02822e37052dcb26f9f610b87739f694cc1b6b9e46ecdab6a0972f5e9df9
Instruction ID: a3018f4445faa3674b5bf2d4944e922702a4b6d8c49efc3b238a4f117b6d7e81
Opcode Fuzzy Hash: 3eaa02822e37052dcb26f9f610b87739f694cc1b6b9e46ecdab6a0972f5e9df9
Instruction Fuzzy Hash: 631137B58002499FCB10DFAAC844AEEBFF5FF88314F20841AE519A7250CB79A540CFA0

Function 08C8F209 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08C8F272

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 15a3a045824a06afe7220dbe41be217c3936a94fa810839176b934ed60151f8a
Instruction ID: ca3a787c3584fecf891b5c8f7b367fe25b3074b63e6edb75da5f9b6a5361f27b
Opcode Fuzzy Hash: 15a3a045824a06afe7220dbe41be217c3936a94fa810839176b934ed60151f8a
Instruction Fuzzy Hash: 241116B59002488FDB10DFAAD4457EEFBF5AB89314F248419D519A7240CB79A544CBA0

Function 08C8F210 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 08C8F272

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 857245bee09186fec18a6cb35ff10edcb3917ac7e3ad34d783c634bb2b85b133
Instruction ID: a99386701b35507127c194b4c280b3c81c18a40b346409f020f0c227eaaeadf7
Opcode Fuzzy Hash: 857245bee09186fec18a6cb35ff10edcb3917ac7e3ad34d783c634bb2b85b133
Instruction Fuzzy Hash: F61125B59002488FCB20DFAAC4457EEFBF5EF89324F208419D519A7240CB79A944CFA0

Function 0113B5C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0113B626

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f59628b2840fab5de72731bedd1782e1cd549beb6b341152c9813a1d1429f374
Instruction ID: 40a0458e430ce1987c759a182d6cff8a079ebf79d37d44ce232599a0d8b664dd
Opcode Fuzzy Hash: f59628b2840fab5de72731bedd1782e1cd549beb6b341152c9813a1d1429f374
Instruction Fuzzy Hash: 01110FB5C042498FDB14DF9AC444ADEFBF4AF88210F10841AD518B7211D379A545CFA5

Function 0113B5BF Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0113B626

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 41129fc36d4d8e4f607cbc57faad4b031a17f3e45d75f5522a938abc4e0ac8bf
Instruction ID: fd28511dd021f18573d4713948f179be4dea0e8c4e21c44db439cb110ca6d4f2
Opcode Fuzzy Hash: 41129fc36d4d8e4f607cbc57faad4b031a17f3e45d75f5522a938abc4e0ac8bf
Instruction Fuzzy Hash: DF111DBAC002498FDB14CF9AC544BDEFBF4AF88210F10841AD528B7211D378A545CFA4

Function 0113D9C2 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0113DA4F

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d4a1d1594e25436bb27e87cb507cdd7be6a8c5045ef4801fc555728b661dfde4
Instruction ID: e8ef085cc65175486afaebb53a4354a810f9c6775285996539df6dad7605e7ee
Opcode Fuzzy Hash: d4a1d1594e25436bb27e87cb507cdd7be6a8c5045ef4801fc555728b661dfde4
Instruction Fuzzy Hash: DC115B7590424ADEDF11CF9DD948BDEBFF0AB89320F148109E554A7251C3749855CB61

Function 00E9D1FC Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092729948.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6ec198608a25326a283babeb484a53a5e58606a75a8d308bd3c01787572715
Instruction ID: bfbac90246f1887994bdea50667bb795a30a2f668060e8a27cb43f0127d321a7
Opcode Fuzzy Hash: ba6ec198608a25326a283babeb484a53a5e58606a75a8d308bd3c01787572715
Instruction Fuzzy Hash: 0521F171508300DFCF05DF54D9C0B26BFA5FB88314F20C569E9091A266C33AD816DBA1

Function 00E9D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092729948.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d273344809ec68d461895a8c27b14ef51472d1870015d451f8d5f45fcbbdbe
Instruction ID: 6196a5446d2a00b3086aae607e804f16db17b263ed1f1b4505dfae03f01858d2
Opcode Fuzzy Hash: 24d273344809ec68d461895a8c27b14ef51472d1870015d451f8d5f45fcbbdbe
Instruction Fuzzy Hash: 8C2103B1508204DFDF05DF14D9C0B26BF65FB98324F20C569E9095B25AC33AE856DAA2

Function 00EAD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092922226.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ead000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccb7591b1be9c6adf6dbd32fbabffe21832533ad19a41c71315d76a7645be581
Instruction ID: 262332fc3ce2e0cad93a888a7d73e86c41576d43b4cf24d166ddeb9e32beea22
Opcode Fuzzy Hash: ccb7591b1be9c6adf6dbd32fbabffe21832533ad19a41c71315d76a7645be581
Instruction Fuzzy Hash: AB21F271608204DFCB15DF24D9C4B26BFA6FB89318F20C569D94A5F696C33AE807CA61

Function 00EAD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092922226.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ead000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6add8f58fce753017e1f2004d5cd13bb5d88bc085ddb5d0deacabc426dd0ed3d
Instruction ID: d2b1431a840a1206c35cd35c5d5b087c05b4adf13cb840ead9fcc38557ac59b9
Opcode Fuzzy Hash: 6add8f58fce753017e1f2004d5cd13bb5d88bc085ddb5d0deacabc426dd0ed3d
Instruction Fuzzy Hash: 02210771508204DFDB05DF54D9C0F26BB65FB89318F20C56DD90A5F666C33AE806CA71

Function 00EAD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092922226.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ead000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8298508aff8bfd4ebf9339b8808ab847bbc77b0dcd800dc1ebbebbf4c23ef39b
Instruction ID: 6bf88183d10a8bacbd93d5cd80bdff65e12f1a9e788006e0e2bf4147beb561f0
Opcode Fuzzy Hash: 8298508aff8bfd4ebf9339b8808ab847bbc77b0dcd800dc1ebbebbf4c23ef39b
Instruction Fuzzy Hash: 792141755093808FDB12CF24D9D4715BF72EB4A214F28C5DAD8498F6A7C33A980ACB62

Function 00E9D1F7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092729948.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction ID: f67b69d09496ba580b09e520bc72208d14c73f1e0997ba5598c9d85558a568dc
Opcode Fuzzy Hash: d06fae078f3ccc2112caf8552f6b645ede566e603d6c7b0d9faf10800b04cc1c
Instruction Fuzzy Hash: A421CD76408240DFCF06CF00D9C4B16BF62FB88314F24C5A9DD080A266C33AD82ACBA2

Function 00E9D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092729948.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 763b598c9da4c3f42549aca8fbdb9b998b534d7972911c0f2dc0ecf2b4f8ab48
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: B1112672404240DFCF12CF00D9C4B16BF71FB94324F24C6A9D9090B256C33AE85ACBA2

Function 00EAD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2092922226.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ead000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 6b05fd04ba5a153b9fa375c344e43c9ca634ef7cd2e92d60c0ca44268b29c027
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: A011BE75508240DFCB02CF50C9C4B15BB61FB89318F24C6A9D84A4F666C33AE81ACB61

Non-executed Functions

Function 08C83F60 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

4']q, xrefs: 08C84042

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 62b21f9ec43632ca795bae08070cdca5b1ba26eb24a6ed65e4a316ad3e8bdb02
Instruction ID: 477e8f0c7a7f111030e061052df28a77aeb9e5dd0c70445372722e4ec0735ae1
Opcode Fuzzy Hash: 62b21f9ec43632ca795bae08070cdca5b1ba26eb24a6ed65e4a316ad3e8bdb02
Instruction Fuzzy Hash: 0F612D70A15A099FEB08EFBEE94669ABFF2FF84304F14C529D0049B269EF345945CB50

Function 08C83F70 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4']q, xrefs: 08C84042

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 4732075723c21b59ada215714e90330637f191dace55b2acde88f26a944c4d98
Instruction ID: d4c16124827f8af88c086ed0dec7e340aec2d4fdabc5a38b3841ed12b4fa0bf3
Opcode Fuzzy Hash: 4732075723c21b59ada215714e90330637f191dace55b2acde88f26a944c4d98
Instruction Fuzzy Hash: B3611D70A15A099FEB08EFBEE94669ABFF2FF84304F14C529D0049B269EF345945CB50

Function 08C8C920 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95ff3321b252d85b1b3b5cc92169b118a379b724a7875cd1f7cd695708e42590
Instruction ID: a3fac518cfe695060f45baf31d9e838807e4d3b70163edfaf34f47627c4fee27
Opcode Fuzzy Hash: 95ff3321b252d85b1b3b5cc92169b118a379b724a7875cd1f7cd695708e42590
Instruction Fuzzy Hash: 16E1F874E00519CFCB14DFA9C5819AEFBB2BF89309F24C169D419AB356DB30A942CF61

Function 08C8CD58 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b1cfe57c149d0665b958e35fcfe16fa017d2bfe8ba3df0876cb1e330c326f9
Instruction ID: e432fc7bb0bf3ec52e3dd888840fc780b215ab01fa36e0ab7b8e80a095bee41d
Opcode Fuzzy Hash: 95b1cfe57c149d0665b958e35fcfe16fa017d2bfe8ba3df0876cb1e330c326f9
Instruction Fuzzy Hash: BEE11A74E04519CFCB14DFA9C581AAEFBB2FF89305F248169E415AB356DB30A942CF60

Function 08C8D190 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52e73cdb9e7d0fe47709c6ec466d1d0e27bac4196c6c0baae726a35b4a9eb9f7
Instruction ID: a3f1e32fa85f0fecc2252d6ca35bbb68477771bde75db9a153b1e03cb5a64c03
Opcode Fuzzy Hash: 52e73cdb9e7d0fe47709c6ec466d1d0e27bac4196c6c0baae726a35b4a9eb9f7
Instruction Fuzzy Hash: 78E11B74E00519CFCB14DFA9C5819AEFBB2FF89309F248169E515A7356CB30A942CF61

Function 08C8D5C8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa2e60423f12b4f9824c690ed5a8d608d0daa49fd3a3970c0f2426acd5ac8b25
Instruction ID: fec6e00bb1a6825a9e893dd93f25a0f6e948517e77fad311e7cb8f074848a0c8
Opcode Fuzzy Hash: aa2e60423f12b4f9824c690ed5a8d608d0daa49fd3a3970c0f2426acd5ac8b25
Instruction Fuzzy Hash: 5AE13C74E00519CFCB14DFA9C5819AEFBB2FF89305F248169E519AB356CB30A942CF61

Function 0113D8EC Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2093839004.0000000001130000.00000040.00000800.00020000.00000000.sdmp, Offset: 01130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1130000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7822e8681ab1211e2f9a3f03975f2ed0077001e5fa874cc82c7c333f1ccaa4e3
Instruction ID: 7f1ab51cf8455485d90576c2e3457ceb817d69a6223911df781e91aa1a7256e9
Opcode Fuzzy Hash: 7822e8681ab1211e2f9a3f03975f2ed0077001e5fa874cc82c7c333f1ccaa4e3
Instruction Fuzzy Hash: 73A15E32E0021ACFCF09DFB4D84459EBBB2FFC5304B15856AE905AB269EB31D956CB40

Function 08C85180 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2101327772.0000000008C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c80000_Payment Receipt.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5edff9ba238c49c1a854213401848cf3c5e9a625c9e17681697c67920727a258
Instruction ID: 605c384085e2712f8cea1201f0b1781ce261fc960d584963fc646f8a59f83aae
Opcode Fuzzy Hash: 5edff9ba238c49c1a854213401848cf3c5e9a625c9e17681697c67920727a258
Instruction Fuzzy Hash: 99911470D45219DFDB14EFAAD8847EEBBB2BF49309F009069D419A7351DBB10A86CF40

Analysis Process: MSBuild.exePID: 6692, Parent PID: 5264COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	58.8%
Total number of Nodes:	34
Total number of Limit Nodes:	2

Executed Functions

Function 01022B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01050DBD,?,?,?,?,01044302), ref: 01022B6A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f62efa9b9cbba44a136b5f50d7abc1a85674faafdddbf3a2ffbac3301378560
Instruction ID: cc88e656ca63e523141e2f60e75dc7170723d5a865119ed48ccdf773464f49a8
Opcode Fuzzy Hash: 1f62efa9b9cbba44a136b5f50d7abc1a85674faafdddbf3a2ffbac3301378560
Instruction Fuzzy Hash: 8590026120280003510571588414616401E97E0201B55C162F1418590DC52589927225

Function 01022C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0103FD4F,000000FF,00000024,010D6634,00000004,00000000,?,-00000018,7D810F61,?,?,00FF8B12,?,?,?,?), ref: 01022C24

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e76998d2c3a54d18d7dd151c7c0ef64fe9101d9bf36dbf610f5304d6736eccd8
Instruction ID: 57cc7a6a383508bd5361aa5cf3e49bde2ff89d04a1ccd148db5bde39707e9594
Opcode Fuzzy Hash: e76998d2c3a54d18d7dd151c7c0ef64fe9101d9bf36dbf610f5304d6736eccd8
Instruction Fuzzy Hash: 97B09B719019D5C5EA51E7A44608717795477D0701F25C1A2E2474741F4738C1D1F275

Function 01022BF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01037BA5,000000FF,?,00000000,?,00001000,00000000,?,-00000018,7D810F61,?,?,?,?), ref: 01022BFA

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76cd1a50cd97be6d79cb7eae8edd4553f59a99db4d80ca1f7aef2e619fa4771f
Instruction ID: f594a9ab6accc7d150720231c82077e901f97ace63a0316fda9d306f0557ce67
Opcode Fuzzy Hash: 76cd1a50cd97be6d79cb7eae8edd4553f59a99db4d80ca1f7aef2e619fa4771f
Instruction Fuzzy Hash: 2A90023120180802E1807158840464A001997D1301F95C156B0429654DCA158B5A77A1

Function 01022AD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01059864,?,00000000,00000000,00000000,?,00000000,?,?,00000000,?,0102034A,?,?,?,00000003), ref: 01022ADA

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d656c3ffe818a38cf617f086c04a2a3739febbc5965f97ebdf5fb0a72a97a022
Instruction ID: 5316136fb2ec3dd9c6fd191f95f9b73424d3d4675a365716a872e07c81c9456e
Opcode Fuzzy Hash: d656c3ffe818a38cf617f086c04a2a3739febbc5965f97ebdf5fb0a72a97a022
Instruction Fuzzy Hash: FC900225211800031105B5584704507005A97D5351355C162F1419550CD62189626221

Function 01022D10 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0106B508,00000004,000000FF,0000001E,00000000,00000000,00000000,C0000409,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 01022D1A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f51f3b3c6ff4662d12d9d7b25305d5c22e887fea99b6ff47d244d93b2e64ee98
Instruction ID: 4997f39daa428d07751de27ec4dea18260c3794bf23b0931728e31cea994a5c3
Opcode Fuzzy Hash: f51f3b3c6ff4662d12d9d7b25305d5c22e887fea99b6ff47d244d93b2e64ee98
Instruction Fuzzy Hash: AC90022921380002E1807158940860A001997D1202F95D556B0419558CC915896A6321

Function 01022D30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0100A52A,000000FF,?,010D67F8,010BC9A0,00000020,0100A460,010D689C,00000000,0000001D,?,00A52CD8), ref: 01022D3A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 43bcbbd446742a235e892b713e628f585262704fd0355affafe9e86baca73f33
Instruction ID: 0695f3c22dd4f66a2aac7d57ce57f4e89f42616a5f461c214e90fcc1f4d900d5
Opcode Fuzzy Hash: 43bcbbd446742a235e892b713e628f585262704fd0355affafe9e86baca73f33
Instruction Fuzzy Hash: DC90022130180003E140715894186064019E7E1301F55D152F0818554CD91589576322

Function 01022DD0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(010391A3,00000000,00000000,?,?,?,00FE8A1A,010BC2B0,00000018,00FD8873), ref: 01022DDA

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbf4cd1e119dbb1d1b44c1717094f5db2b80f1d8000f720e6396780a89a1886c
Instruction ID: 719a8cf96098632a1f59823ac32789547cf8870fa1b6dd60ba5a518f6561c575
Opcode Fuzzy Hash: cbf4cd1e119dbb1d1b44c1717094f5db2b80f1d8000f720e6396780a89a1886c
Instruction Fuzzy Hash: 76900221242841526545B1588404507401AA7E0241795C153B1818950CC5269957E721

Function 01022DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0105E73E,0000005A,010BD040,00000020,00000000,010BD040,00000080,01044A81,00000000,?,?,00000002,00000000,?,?,0102AE00), ref: 01022DFA

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c86dee6c68fbfd4b228d4842a968a70d7380e559e2074e6bd2ac922e68a3cbc4
Instruction ID: f4bf65beb5276a6559fbbdc01e3a5af35e5b4ea5709409326936319f78686d7d
Opcode Fuzzy Hash: c86dee6c68fbfd4b228d4842a968a70d7380e559e2074e6bd2ac922e68a3cbc4
Instruction Fuzzy Hash: 8790023120180413E11171588504707001D97D0241F95C553B0828558DD6568A53B221

Function 01022C1C Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0103FD4F,000000FF,00000024,010D6634,00000004,00000000,?,-00000018,7D810F61,?,?,00FF8B12,?,?,?,?), ref: 01022C24

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7fcae2e3170cbe81057f62dbc76bb27501a19150dc17ac5495f75ac5b77d46b
Instruction ID: a951a83b99feaa742b62770e47d0e1211d7e20a9222ea7e34554cb70200866ad
Opcode Fuzzy Hash: b7fcae2e3170cbe81057f62dbc76bb27501a19150dc17ac5495f75ac5b77d46b
Instruction Fuzzy Hash: 56A0027254A58695D201A6740C3C4859B28B9B111234DC3DFE5C7C555B5B182096B673

Function 01022C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00FDFB34,000000FF,?,-00000018,?,00000000,00004000,00000000,?,?,01037BE5,00001000,00004000,000000FF,?,00000000), ref: 01022C7A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f0c28cf5c6928d7e84b8cf99175084e18d1bfdae93897beb3b7b242470beb994
Instruction ID: 72ff88da6cb9ee299355fdf36825d6d36ebbdbeaad8fd9c7f72827049d479778
Opcode Fuzzy Hash: f0c28cf5c6928d7e84b8cf99175084e18d1bfdae93897beb3b7b242470beb994
Instruction Fuzzy Hash: 8090023120188802E1107158C40474A001997D0301F59C552B4828658DC69589927221

Function 01022CA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01003999,000000FA,00000001,?,00000050,?,?), ref: 01022CAA

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9f4c81a99ec0b8c57fd1ac8893b2f5a1df341060c6613d4237f1f139937e35fc
Instruction ID: 3a3bb9b6a53663157b6012f56fe5797f745c7c9b158dd53cf4e7386c66b2c9ed
Opcode Fuzzy Hash: 9f4c81a99ec0b8c57fd1ac8893b2f5a1df341060c6613d4237f1f139937e35fc
Instruction Fuzzy Hash: C090023120180402E10075989408646001997E0301F55D152B5428555EC66589927231

Function 01022F30 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0106B4E6,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000000,00000000,00000000,00000058), ref: 01022F3A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a304ddede3de76e393641c9e42b3b4e95bd9cd022e9c406b9d7966b5617ebe11
Instruction ID: 16702bcc21cf09cca26525173401de4ac9cc441a1d0233a8bbb6fe7e74aeb8a0
Opcode Fuzzy Hash: a304ddede3de76e393641c9e42b3b4e95bd9cd022e9c406b9d7966b5617ebe11
Instruction Fuzzy Hash: F790026134180442E10071588414B060019D7E1301F55C156F1468554DC619CD537226

Function 01022F90 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0105CF47,000000FF,?,?,00000000,?,00000000,?,?), ref: 01022F9A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c04a247d3ca77d49919f46f2a21b07f90e14653e8aa2c2764bf0c459d3dd6154
Instruction ID: c97a261c14037af3089675d4607b5ea6b1659b7b293fd1ce6c5296a43402d5ac
Opcode Fuzzy Hash: c04a247d3ca77d49919f46f2a21b07f90e14653e8aa2c2764bf0c459d3dd6154
Instruction Fuzzy Hash: 7E900231201C0402E1007158881470B001997D0302F55C152B1568555DC62589527671

Function 01022FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(010205E3,00000000,00000000,00000001,00000000,00000000,00000000,?,01022380,010203B6,00000000,00000000,?,00000000,?), ref: 01022FBA

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a0306c0e389a6bfde9b441ae82220ebd2a9c3c9c65c0073c0d20437162e7fc18
Instruction ID: 76f82eb08f09e4144ccccb66d8530514a29add4c40c2307277417ef51f610687
Opcode Fuzzy Hash: a0306c0e389a6bfde9b441ae82220ebd2a9c3c9c65c0073c0d20437162e7fc18
Instruction Fuzzy Hash: 8F9002216018004251407168C8449064019BBE1211755C262B0D9C550DC55989666765

Function 01022FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(010217E5,00000001,C0100080,00000018,?,00000000,00000080,00000005,000000FE,00000068,00000000,00000000,?,00000000,00000000,?), ref: 01022FEA

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 33dd6c1a03a762fac1c90013b25d9e4a1fd4dab852a85593d70e6e7a1a215798
Instruction ID: 55d2ed1969f8dfd5ee1bb06f9c11e42b060777fa700b38db962cacff49c8b814
Opcode Fuzzy Hash: 33dd6c1a03a762fac1c90013b25d9e4a1fd4dab852a85593d70e6e7a1a215798
Instruction Fuzzy Hash: 06900221211C0042E20075688C14B07001997D0303F55C256B0558554CC91589626621

Function 01022E80 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0106809B,?,?,?,?,?), ref: 01022E8A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ec74d060eace0d0af4ac71741a0774e9a41a7f41dfb6f183ed4541f2da03da6
Instruction ID: 2a27cf4324a281a423ca1367ffc726c8fb8591c1bfc5cfc9337e132afe643fc0
Opcode Fuzzy Hash: 8ec74d060eace0d0af4ac71741a0774e9a41a7f41dfb6f183ed4541f2da03da6
Instruction Fuzzy Hash: 7090022160180502E10171588404616001E97D0241F95C163B1428555ECA258A93B231

Function 01022EA0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(01041B8A,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 01022EAA

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5855768f039b16bb2b0a21a5cc17342442809f18ac6927acc83cb05a0ad887ac
Instruction ID: 3e325ad968726556b1c86fa837c520136ed8ee99efd909d69000a62b6e0d7522
Opcode Fuzzy Hash: 5855768f039b16bb2b0a21a5cc17342442809f18ac6927acc83cb05a0ad887ac
Instruction Fuzzy Hash: 0E90027120180402E14071588404746001997D0301F55C152B5468554EC6598ED67765

Function 0041F06D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2148681853.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b2a21052558e81bac1299893efe0f5989b8ec20f12056ef22405cdcc0cabd1
Instruction ID: bbcd9e0c7495b4b3c71782add9bd9e92ecbfcf2a3e8267f7fc475ee2e27bc91e
Opcode Fuzzy Hash: 02b2a21052558e81bac1299893efe0f5989b8ec20f12056ef22405cdcc0cabd1
Instruction Fuzzy Hash: 63B0127495531E03041035B0264316977148581408B0003999DCC0F192EE01842302C3

Function 0041F070 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2148681853.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_41f000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0823cfae073da212eb333ff970e5c6e7a9f36da7609cc17c3dd2c68a5e4798d
Instruction ID: 799c57cb42787c0bf5d1ce17ac39346a2abfc1e09e798fb22bcb30c317675207
Opcode Fuzzy Hash: f0823cfae073da212eb333ff970e5c6e7a9f36da7609cc17c3dd2c68a5e4798d
Instruction Fuzzy Hash: A2A022A0C2830C03002030FA2B03023B30CC000008F8003EAAE8C022223C02A83300EB

Non-executed Functions

Function 01064755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01064809

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01064899
LdrpCheckRedirection, xrefs: 0106488F
Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01064888

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
API String ID: 3446177414-3154609507
Opcode ID: 7ae529bb58fd4d30365312256b87df6ddaa029d73ce46484e619522c8767720e
Instruction ID: 56c0243d2d439b81d5e14bbd1195220ae7006e3b05bb968dcf9ae311c9673674
Opcode Fuzzy Hash: 7ae529bb58fd4d30365312256b87df6ddaa029d73ce46484e619522c8767720e
Instruction Fuzzy Hash: DF41D132A047519FCB61CE6CD940A6ABBECFF8AA50F0605A9EDC8D7351D735E800CB91

Function 0102096E Relevance: 6.6, APIs: 4, Instructions: 606COMMON

Download Yara Rule

APIs

Part of subcall function 01022DF0: LdrInitializeThunk.NTDLL(0105E73E,0000005A,010BD040,00000020,00000000,010BD040,00000080,01044A81,00000000,?,?,00000002,00000000,?,?,0102AE00), ref: 01022DFA

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01020BA3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01020BB6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01020D60
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01020D74

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
String ID:
API String ID: 1404860816-0
Opcode ID: 0f4cb0ee4e339cba53034728adc156ab74e43bf6e47a1c396a7c927418a1b106
Instruction ID: fb67573b6f1493f58407f54f306906f12a373c446aaa005109ddd5d525cd67ac
Opcode Fuzzy Hash: 0f4cb0ee4e339cba53034728adc156ab74e43bf6e47a1c396a7c927418a1b106
Instruction Fuzzy Hash: B8426B75900715DFDB61CF68C880BAAB7F5FF04314F1485AAE989EB245E770AA84CF60

Function 0100EF28 Relevance: 6.3, APIs: 4, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb66b6915d2a9c9c39899d379928f949d08b243b958be01e12d1253f40b690ea
Instruction ID: 7e88ee56d94e50416ccbd2c7c5f69d798ad129bf1c12e18e7dceac6ff0d52a8e
Opcode Fuzzy Hash: bb66b6915d2a9c9c39899d379928f949d08b243b958be01e12d1253f40b690ea
Instruction Fuzzy Hash: F2E11470D00609DFEB66CFA9C980AADFBF1FF48314F14456AE986A72A1D774A841DF10

Function 00FEEA80 Relevance: 6.1, Strings: 4, Instructions: 1073COMMON

Download Yara Rule

Strings

{, xrefs: 01044643
R, xrefs: 00FEEB62
, xrefs: 00FEF299
T, xrefs: 00FEEB4E

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: $R$T${
API String ID: 0-4276472446
Opcode ID: ec8f2fbf338512d367ff7bbf1f4b48e6c5ceaf056e776bcc2b8d10a3f6e6c2ec
Instruction ID: 8516100dc067a4bfd4941f2ccac110b8127587fc582241de76d06aa2f4d67112
Opcode Fuzzy Hash: ec8f2fbf338512d367ff7bbf1f4b48e6c5ceaf056e776bcc2b8d10a3f6e6c2ec
Instruction Fuzzy Hash: 54A259B1E0566A8FDB64DF19CC887ADB7B1AF85310F2442E9D84DA7290DB349E85DF00

Function 01014C59 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

Flst, xrefs: 01014C96
0, xrefs: 01014CC3

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0$Flst
API String ID: 0-758220159
Opcode ID: 929f43f427563484d4189f6991912de86bf13dc0a7d62ce10dbf02fe2d1ca74a
Instruction ID: 35a215eb61a7a596283bc63ae5fccd82f804dac17904a21d20d59bf0a240d5d0
Opcode Fuzzy Hash: 929f43f427563484d4189f6991912de86bf13dc0a7d62ce10dbf02fe2d1ca74a
Instruction Fuzzy Hash: 9E519BB1A002088BCF66DF98D4846AEFBF4FF44358F5580AAD489DF265E7749985CB80

Function 01064F40 Relevance: 5.2, Strings: 4, Instructions: 246COMMON

Download Yara Rule

Strings

.DLL, xrefs: 010650C7, 0106519C
/, xrefs: 01064F6D
\, xrefs: 01064F66
.Local, xrefs: 01065170

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\
API String ID: 0-80926707
Opcode ID: 59464b52d15aa19d64027259458d483d98a64a473635de40f6d105bf786f6db4
Instruction ID: d2a2d4a149492a16b52f111e9e00d501e22e5fad28db43c451e971ae76473161
Opcode Fuzzy Hash: 59464b52d15aa19d64027259458d483d98a64a473635de40f6d105bf786f6db4
Instruction Fuzzy Hash: B091C076E0061ACBDB21CF5CC881AAEB7F8EF48350F5941A9E994EB350D735DA41CB90

Function 00FFAD00 Relevance: 4.3, Strings: 3, Instructions: 509COMMON

Download Yara Rule

Strings

LdrpInitializeDllPath, xrefs: 010480AD
DLL search path passed in externally: %ws, xrefs: 010480A6
minkernel\ntdll\ldrutil.c, xrefs: 010480B7

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: DLL search path passed in externally: %ws$LdrpInitializeDllPath$minkernel\ntdll\ldrutil.c
API String ID: 0-109579469
Opcode ID: b984fbe3d0fb8e67f7a2d23ff12937422f15e938e13ff3ed8f779db791743690
Instruction ID: d512ebdcd24ff5c9c4a33d99263adb1bf4a283e9d026ce09f0efc6c4d4454ca2
Opcode Fuzzy Hash: b984fbe3d0fb8e67f7a2d23ff12937422f15e938e13ff3ed8f779db791743690
Instruction Fuzzy Hash: 7512D6B1A093498BD324DF14C480BBBB7E4BF84714F04495EFAC99B2A1D735D944D752

Function 01006962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01006C24
, xrefs: 0104CA51

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: $@
API String ID: 2994545307-1077428164
Opcode ID: cb9133e8357a3c973e843eea91a73a9ecee536b8c38c3a993424abc366155fc9
Instruction ID: 0beff594754e7adda69555e5ff4da0fd6c87779bc485b639f6fd7b6d12a7a4b8
Opcode Fuzzy Hash: cb9133e8357a3c973e843eea91a73a9ecee536b8c38c3a993424abc366155fc9
Instruction Fuzzy Hash: 6FC280716093419FE766CF28C881BABBBE5BF88754F04896DF9C987281D735E804CB52

Function 00FE04E5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FE055E

Strings

kLsE, xrefs: 00FE0540

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: kLsE
API String ID: 3446177414-3058123920
Opcode ID: 0134c94b17a88436dc1cf304594ed8953e99ae1ae4fe85da1e31f8e38eaba39d
Instruction ID: b1a7f3cfbb6650304b6ced8336a2e723c8cb22d1e59f0143aa0342a09e291c53
Opcode Fuzzy Hash: 0134c94b17a88436dc1cf304594ed8953e99ae1ae4fe85da1e31f8e38eaba39d
Instruction Fuzzy Hash: 7451BF719047869FC724EF66C4407A7B7E4AF84314F04483EE9EA87240EBB4E985DF92

Function 01062349 Relevance: 3.6, Strings: 2, Instructions: 1117COMMON

Download Yara Rule

Strings

@, xrefs: 01062942
@, xrefs: 01062B74

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 6cffe70e2deb3da91194c9ac8e78a948e2931b0fa79eb1ec6ecbc185e676b464
Instruction ID: 8c2cb9fba5bb607a014e74ec76680e4ed97a67c43924d93b90a5127ff3917e56
Opcode Fuzzy Hash: 6cffe70e2deb3da91194c9ac8e78a948e2931b0fa79eb1ec6ecbc185e676b464
Instruction Fuzzy Hash: 73927C71608342AFE721DF28C881B6BB7E8BB84754F04492DFAD5DB291D774E844CB92

Function 01014D1D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 117timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01014D64

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01053640, 0105366C

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3711822496
Opcode ID: 28b453ec1c34ffe810f61fccda60357e9dab0a60ab879403e8ba3df851f5ae02
Instruction ID: 55cb5e6b8b93d2967e9201e00e74a64aa145289c114f8021b7724cee14a12ddd
Opcode Fuzzy Hash: 28b453ec1c34ffe810f61fccda60357e9dab0a60ab879403e8ba3df851f5ae02
Instruction Fuzzy Hash: 45315031900211AADF71BB0CD849F6676F4BB01758F8640A9EDC8DB179D76CDD808792

Function 00FE6EE0 Relevance: 3.1, APIs: 2, Instructions: 107timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FE6F79

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 064f9ab0c2c18b257b53b3fcbf4cd1ba4eae9341a6444fceef5410c6f8c42cc0
Instruction ID: 94ec8f584f466130428b7d81983107fa4cb72ac2cd502780b11945a0d5bb9c80
Opcode Fuzzy Hash: 064f9ab0c2c18b257b53b3fcbf4cd1ba4eae9341a6444fceef5410c6f8c42cc0
Instruction Fuzzy Hash: 0841BF36700686EFCB169F69DC84B9ABBA5FF88340F144065E94187651DB34F860EB90

Function 01024F03 Relevance: 3.0, APIs: 2, Instructions: 28timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01024F1F
RtlDebugPrintTimes.NTDLL ref: 01024F55

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: d1f558fadacce5962e137f7bd2fd57846a602553362be2a45ebde96cac965d8c
Instruction ID: e7a8b9b1685f43ec0b0c5ec1b08c3335ad40b63482b53f7ed2cbc6546a83210a
Opcode Fuzzy Hash: d1f558fadacce5962e137f7bd2fd57846a602553362be2a45ebde96cac965d8c
Instruction Fuzzy Hash: 90F03A71149A92CFD368DF14E549B6973E5FB84700F044839FC8687A94D7796D04CF52

Function 01012CF0 Relevance: 2.7, Strings: 2, Instructions: 218COMMON

Download Yara Rule

Strings

.Local\, xrefs: 01012D91
@, xrefs: 01012E4D

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: 77ea33e2e437b4fb8d9379447fd5cbc6f1423f6d38102e507b4356fb7c55cd52
Instruction ID: 4878b9e6718cef60003e473cfad2000b8a271f104a5867e45277ae361f4e3e4b
Opcode Fuzzy Hash: 77ea33e2e437b4fb8d9379447fd5cbc6f1423f6d38102e507b4356fb7c55cd52
Instruction Fuzzy Hash: 2081CA711083029FDB51DF19C890AABBBE8BF86700F55889DF8C4CB245D778D944CBA2

Function 00FE6A50 Relevance: 2.0, APIs: 1, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12eab3580cf2c240fab9102e111357e45663229c9370a230afe018a30c19af0c
Instruction ID: 4a16fe379d865f4edbde754c36377770eecf1b7f73f0baf045f1033c3bc5ba00
Opcode Fuzzy Hash: 12eab3580cf2c240fab9102e111357e45663229c9370a230afe018a30c19af0c
Instruction Fuzzy Hash: 2F32AE71A00249CFDB25CF69C880BAAB7F1FF98310F2485A9E995EB391D734E841DB50

Function 00FF0770 Relevance: 1.9, APIs: 1, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2895c9e2077a41210f9211064b8a31a3a64e33627e80148bde05320fc0c11648
Instruction ID: 15cdab9b3102c78a3a2c73ecf3df9ec89bb864021fa7671ebc337e72e2b3804e
Opcode Fuzzy Hash: 2895c9e2077a41210f9211064b8a31a3a64e33627e80148bde05320fc0c11648
Instruction Fuzzy Hash: 77F1C071A0060ADFDB25CF68C890B7AB7F5FF45300F1481A9E6469B3A2DB74E941DB90

Function 00FECC74 Relevance: 1.9, Strings: 1, Instructions: 607COMMON

Download Yara Rule

Strings

9, xrefs: 00FECBA1

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2473173378
Opcode ID: e869181391582ed43e7619b1760b3d18f3a5c5bfce46352e7b17ff8ab6a45541
Instruction ID: 019104726d19ba7b3802d564f31eb95fc0dbedb9d05572c9ef3c97bc3b8cb2af
Opcode Fuzzy Hash: e869181391582ed43e7619b1760b3d18f3a5c5bfce46352e7b17ff8ab6a45541
Instruction Fuzzy Hash: 28424C76D002988FDB24CFAAC9807EDB7B1FF48720F148169E919AB794D7349D42EB50

Function 0100E5E7 Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727dc6181cc5550fb0281afa629de10a4ee3993c19100289b03142ac1425eec5
Instruction ID: 4d3b5ce7a092f65863512a4a9be2393d582e1b764f80589f68d69eda12c013c8
Opcode Fuzzy Hash: 727dc6181cc5550fb0281afa629de10a4ee3993c19100289b03142ac1425eec5
Instruction Fuzzy Hash: 7FA1F571E0021A9FEB229B5CD984BAEBBE4BB04754F050565EAC0BB2D1D7789D40CBD1

Function 0101CDB1 Relevance: 1.7, APIs: 1, Instructions: 197timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0101CE7D

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: a110027805a215ce1e23127beff49a0fba2a95d6dde944ca1509461d335c130d
Instruction ID: fdfaed56f0bf0c2fe9d6beeb91d0a2b133778591079ec2a75a6941830bc4ce2d
Opcode Fuzzy Hash: a110027805a215ce1e23127beff49a0fba2a95d6dde944ca1509461d335c130d
Instruction Fuzzy Hash: 6961E171A00206DFEB59DFA8C980AAEB7F5FF08314F14816AEA51EB295DB35D901CF50

Function 00FF03E9 Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01044D8A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: c019ef06856a8d74d7dd74c4374ad9d9cf621fcc5f28d6bc56306adac440c096
Instruction ID: 7e6c7b3a5c6ddc620014c9e3c4e49bf4d76a3d9226732277d5419ddd1baa8e22
Opcode Fuzzy Hash: c019ef06856a8d74d7dd74c4374ad9d9cf621fcc5f28d6bc56306adac440c096
Instruction Fuzzy Hash: 3C712CB1A0014E9FDB05DF98C991FAEB7F8AF08704F144065EA45E7252EA38EE01DB60

Function 010129F9 Relevance: 1.7, Strings: 1, Instructions: 411COMMON

Download Yara Rule

Strings

@, xrefs: 0105259B

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8382cfa541314b7cb1f5a82c867379cf6dfa19b2d352f7e3923f7bb487f453cd
Instruction ID: 7264fb8cae4ca109b5091e8097760edc04364c8fd278810e7172cbef367d0551
Opcode Fuzzy Hash: 8382cfa541314b7cb1f5a82c867379cf6dfa19b2d352f7e3923f7bb487f453cd
Instruction Fuzzy Hash: D80260B1D002299BDB61DB54CD80BEEB7B8AF54304F1041EAEB89A7241DB749F84CF59

Function 01000C44 Relevance: 1.7, APIs: 1, Instructions: 152timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01000CDC

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2bf4dafa409da87d301395ad6855d92c3040ec243f582f2efbfb332605b859e2
Instruction ID: 54e04b07201cccb1485a1fd68cb7eff90c49d8cb1f2c1ad2846a7a9dd3a595bb
Opcode Fuzzy Hash: 2bf4dafa409da87d301395ad6855d92c3040ec243f582f2efbfb332605b859e2
Instruction Fuzzy Hash: 9F51DEB4B40205DFDB29EF68C981EBEB3F0EF48704F14406DE982D7255E63AAA41CB10

Function 00FDAE90 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90e1f0adb484df14d3223de72c964967d072f7dd19a4de8e3ea0c1a55206fb0
Instruction ID: 0c8a00003c0b65da8e93790e7a7f8cbd350baef860991cd3b457e0c1be651b9a
Opcode Fuzzy Hash: b90e1f0adb484df14d3223de72c964967d072f7dd19a4de8e3ea0c1a55206fb0
Instruction Fuzzy Hash: B85115B1E04645DFDB25EF68C5807ADBBE6BB44320F18056BE886E7381D3359C40E75A

Function 0101C720 Relevance: 1.6, APIs: 1, Instructions: 141timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0101C7BF

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: fc559372e589a21ed2eef5d33ad7a153e0364f2cdfb45363804e58829350a577
Instruction ID: 3e8e9e6bb27fdb2d9f62e80641b0fef85e0d80878c6a34c87da1aad3d770f0ec
Opcode Fuzzy Hash: fc559372e589a21ed2eef5d33ad7a153e0364f2cdfb45363804e58829350a577
Instruction Fuzzy Hash: D4411171545300ABE761EB68DD45BAB7BE8FF48750F04482AFEC4D32A5E7B9D8008B91

Function 0100EBFC Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39dd6019172af0cf9c15b94d93173590eaa692b36c0995353ffd5bf8d6e8e9a
Instruction ID: 1f13647ee2cd6cb7d1028117db974a7d8f1c37f8a612889e390ce2f8e77926e3
Opcode Fuzzy Hash: b39dd6019172af0cf9c15b94d93173590eaa692b36c0995353ffd5bf8d6e8e9a
Instruction Fuzzy Hash: 7B41E6B12043059FE765EF28C880A6BB7E5FF88314F044C7AEAD6D7252DB36E4458B51

Function 00FD64BA Relevance: 1.6, APIs: 1, Instructions: 123timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FD656C

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 71ac2254ec0ac0c65f505e3be0b25b87f55a0db8c4abaadcce9e66fc3dad9c7a
Instruction ID: a3ffb41389e9fef66291ce02afdf80b1ca7b3630e649f59bea14455b074b36b3
Opcode Fuzzy Hash: 71ac2254ec0ac0c65f505e3be0b25b87f55a0db8c4abaadcce9e66fc3dad9c7a
Instruction Fuzzy Hash: FF41E1712087059FD724DB24DC42FAB77E9FB84748F08051AF9C5AB291D775E900EB92

Function 00FE262C Relevance: 1.6, APIs: 1, Instructions: 119timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FE2710

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 724e6d65a9048a7468a87d6d6dd487a8f58390d66fe90a117ac1a26c0531cf74
Instruction ID: 9fd039d286edcc616fc2a18669c452cea968883f49b572a52f3894d70eb95b6d
Opcode Fuzzy Hash: 724e6d65a9048a7468a87d6d6dd487a8f58390d66fe90a117ac1a26c0531cf74
Instruction Fuzzy Hash: 8941F4B1901744CFCB61EF2AC941B69B7F9FF94320F1082AAD4469B2A1EB349D41EF51

Function 010607C3 Relevance: 1.6, APIs: 1, Instructions: 114timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0106083C

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 30e9317df91d20ca76c2cf36d19f7b1b2acba655215c894ada7c7b8ce8a56a81
Instruction ID: ca35ee33c2932d7f6c6a0b868f659cadcbace5b613816d9bb64c04fb23241c0e
Opcode Fuzzy Hash: 30e9317df91d20ca76c2cf36d19f7b1b2acba655215c894ada7c7b8ce8a56a81
Instruction Fuzzy Hash: D7416B715083059FD360DF28C845B9BBBE8FF88654F008A2AF9D8C7295D7749904CB92

Function 0100245A Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc72127222320ddfbb561e89a7a88e0369c779cabeb66c9a5551b370496f9a6b
Instruction ID: 3137841bbf505d620db823d3e40b739008603a346149c6d2cc4b75efa10010e2
Opcode Fuzzy Hash: fc72127222320ddfbb561e89a7a88e0369c779cabeb66c9a5551b370496f9a6b
Instruction Fuzzy Hash: 513148B5740301EBEB319F59D886A6EB7F4FB84704F160069FD816B245CB759981C740

Function 00FE4859 Relevance: 1.6, APIs: 1, Instructions: 111timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FE48F7

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 2dc579584e109fff71478b342b8b760745ad33d3da5009edb5a7fe041c205528
Instruction ID: b819e3e8c71b91d2577b1cc86bfb0f7c832a94b00925e6c44743802a92d8893e
Opcode Fuzzy Hash: 2dc579584e109fff71478b342b8b760745ad33d3da5009edb5a7fe041c205528
Instruction Fuzzy Hash: 08410630A003418BC725CF29D894B3BB7EAEF80364F15446DF9919B2A2D735ED01DB51

Function 00FD8A00 Relevance: 1.6, APIs: 1, Instructions: 85timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FD8A8B

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 5a2b4f5091b999dd8e5772d71b197cd2bcb20b9236924c18b36b7c29949becaf
Instruction ID: a656b33d9924b3e4a3167cc411255dd149047c5b898820c9b2d4c5ecfa5e8754
Opcode Fuzzy Hash: 5a2b4f5091b999dd8e5772d71b197cd2bcb20b9236924c18b36b7c29949becaf
Instruction Fuzzy Hash: CE314572600A4AFFCB22DF60D940BACB7B1FF48310F18055AE80257741CB39E851EBA0

Function 00FF2ED9 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

, xrefs: 00FF31A3

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ac6a909542f8e4bdb5d0208f63270a281d5d5ac5b9baf6ae662a2b20fce7f6d1
Instruction ID: 60f98d73d975bbecee5e1a874252b41b1e4b37f2b1a4d5b05259e3adb3efeb7a
Opcode Fuzzy Hash: ac6a909542f8e4bdb5d0208f63270a281d5d5ac5b9baf6ae662a2b20fce7f6d1
Instruction Fuzzy Hash: 4ED15871E042489FDB25CFA8C884BADBBF1EF48310F14846AEA55AB761D734AA44DB50

Function 01012F98 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

@, xrefs: 01013180

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: ec79fef96e7020f0955645239df5df04360bbdb57953ddc937bb2859349b06f1
Instruction ID: c22b44b9657ea2bd70428cc5b6a294d3ebf38af133f2a94911cf621456e67e47
Opcode Fuzzy Hash: ec79fef96e7020f0955645239df5df04360bbdb57953ddc937bb2859349b06f1
Instruction Fuzzy Hash: 41C1B171901229DBEB61AF59CC85BBAB7F4FF54710F0440E9E988AB250E7349E81CF51

Function 0106892A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2555ce003474a9d7c3456417b273884ec3a00a27a76eb83221569edb0844a42e
Instruction ID: df0c69c93922b49cd876a7ec445712d5ff268155a54d2ad9f1c08e98c8524f46
Opcode Fuzzy Hash: 2555ce003474a9d7c3456417b273884ec3a00a27a76eb83221569edb0844a42e
Instruction Fuzzy Hash: 6501F7312013019FE6345E55DC85B6A7BA9EF86394B0C002EFAC106552CB25A844C7A6

Function 0106A4B0 Relevance: 1.5, APIs: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0106A51A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 273088b38f024f80d982d361cab796d782026ef5344cb233d1ad4aa21921aef2
Instruction ID: 3434f0978060c83e1489670f6104f3a22b9ddfe7299c900764d8dafc97cfe621
Opcode Fuzzy Hash: 273088b38f024f80d982d361cab796d782026ef5344cb233d1ad4aa21921aef2
Instruction Fuzzy Hash: 00018936211119EBCF129E84DC40EDE7FAAFB4C654F058101FE5866220C736D970EB81

Function 01068D20 Relevance: 1.5, APIs: 1, Instructions: 35timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01068D6A

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e484e9e0234421b76d38f64b1c29186893cb5fc9d573db255c8d857c97e82022
Instruction ID: 406f644c9a3729bb9b6e8de61dcbf530397a71c3c56ffaf79cf92430b08f29df
Opcode Fuzzy Hash: e484e9e0234421b76d38f64b1c29186893cb5fc9d573db255c8d857c97e82022
Instruction Fuzzy Hash: 4DF0E9325003846BD7317A1CEC44B6ABBADFBF5714F49445AFDC52715186396C84C7A0

Function 01066420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 010665C1

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: a69cb900cf504091eb1d8066734f487459b4ab0649040fafcc274cb08191b471
Instruction ID: be8c0424f6600ecc297bcc0e04b45c7c86d5fd79a454f9e30d0e35f217f92efa
Opcode Fuzzy Hash: a69cb900cf504091eb1d8066734f487459b4ab0649040fafcc274cb08191b471
Instruction Fuzzy Hash: 49916F71A00619AFEB22DF94DD85FEEBBB8EF08B50F104065F640AB191D775AD00CBA0

Function 01018402 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

@, xrefs: 01018591

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 237fd5db62fb0b19ff2e2262ea9614726453994d405c8f67519c8f78f0e13278
Instruction ID: 1887b66de69891b20e704a08b47708c240e4bfa6c334db6a365b44386b97268c
Opcode Fuzzy Hash: 237fd5db62fb0b19ff2e2262ea9614726453994d405c8f67519c8f78f0e13278
Instruction Fuzzy Hash: FD91B971548345AFD722DF65CC40EABBAECFF88784F40492EFAC492155E738DA049B62

Function 0101273C Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

.Local, xrefs: 010128D8

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local
API String ID: 0-5346580
Opcode ID: 35543ed77877944e292a962bc119fc007569870c9947843392f1ec083dd9c24c
Instruction ID: f2554680526414a51f3fbf7dabd1852f47efa6a3857914ae23a6044974ef9094
Opcode Fuzzy Hash: 35543ed77877944e292a962bc119fc007569870c9947843392f1ec083dd9c24c
Instruction Fuzzy Hash: 8AA1E13590022ADFDB64CF68DC84BAAB7B1BF58354F2541E9D988A7255D7349EC0CF80

Function 00FDA197 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\??\, xrefs: 0103C1E4

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: \??\
API String ID: 0-3047946824
Opcode ID: a210abf08a200c46d79da4734d7f32720de4fca3385eee2ff2a74ba02fc3e874
Instruction ID: d013d62b19aa7e60e6060b32c59ef694d4f694ed88f5489758aade749676ab04
Opcode Fuzzy Hash: a210abf08a200c46d79da4734d7f32720de4fca3385eee2ff2a74ba02fc3e874
Instruction Fuzzy Hash: E0A17C759012299BEB31DF68CD88BEAB7B8EF44710F1041EAE949E7250DB359E84CF50

Function 01018620 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

8, xrefs: 010552E3

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: 8
API String ID: 0-4194326291
Opcode ID: 1c14d5e1e09305a6a5741d5c814c0feb34ca6a2f9565bc235ddb56661195e129
Instruction ID: f105025483283ac36d2915941a17b7f0037e0e11f0be20922277f10c135d2ab2
Opcode Fuzzy Hash: 1c14d5e1e09305a6a5741d5c814c0feb34ca6a2f9565bc235ddb56661195e129
Instruction Fuzzy Hash: 7F81ABB0A00359AFDB60CF98CD42FAEBBF5BB08B14F14815AF944B7281D779A941CB50

Function 01018BF0 Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

(, xrefs: 01018D3B

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 43e3e754ef0ccee98876e36497014e19cc43e72abc49992b65b3655d1766dade
Instruction ID: 0c2b178f6565d3e08d1c17bfeb2837dfa9100f3de41e2d38f0d21432ee488d5a
Opcode Fuzzy Hash: 43e3e754ef0ccee98876e36497014e19cc43e72abc49992b65b3655d1766dade
Instruction Fuzzy Hash: 30916671D00749CFDB21DFA8C880ADEBBF5BF59314F20816AE855AB391D779AA01CB50

Function 00FF2A45 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

u)j, xrefs: 00FF2C2D

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: u)j
API String ID: 0-1146774532
Opcode ID: 74bfc310167a63294bbb5f7dc2c898bcc864fabf84d68cfd70fa71a77f3f435f
Instruction ID: 30587956bb77a8cc9c30ecf9f9c5c9f71378c8bef7a9f9f24f39ad9319de863a
Opcode Fuzzy Hash: 74bfc310167a63294bbb5f7dc2c898bcc864fabf84d68cfd70fa71a77f3f435f
Instruction Fuzzy Hash: F1510532E046198FDB65CF59D8407BAB7B1FF84720F14405AEE459B2A0D77AAC42EB90

Function 00FDCCC8 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

@, xrefs: 00FDCD63

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 58716131c16827b7fb61f505ae1a40a9d30e2bd429d343186781c18ead44c2fc
Instruction ID: ab328ec4dd7b7b2c9a04e94febd69bae9ed3a86436b2fe03a31464061c693b48
Opcode Fuzzy Hash: 58716131c16827b7fb61f505ae1a40a9d30e2bd429d343186781c18ead44c2fc
Instruction Fuzzy Hash: F651CC76604356DBC711DF68C844AAAB7E9AFC8714F04096EFAC4D7240EB34DA05DBA2

Function 00FDA580 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

(, xrefs: 00FDA668

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 359fe5c612a9a0bfc87237e0d2ca840c07e0d48fb45fe543a5cc505b09564492
Instruction ID: 957347826762878b85b97d52752b3c3f928313738163e0d72d1630442c338dea
Opcode Fuzzy Hash: 359fe5c612a9a0bfc87237e0d2ca840c07e0d48fb45fe543a5cc505b09564492
Instruction Fuzzy Hash: 2B5126B1A1135ADFCB11CF99C980ACDBBF9FF08714F14822AE408AB351D7B4A941DB94

Function 00FE2140 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

(, xrefs: 00FE2253

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 373a9829dfc96ac6c9b76b626dfae4e53561d256527cf5b45c1453a212e09613
Instruction ID: 2a25d204f1116d464e92433c8e970fc15cdffbf0123b778bf354729f1d16cd91
Opcode Fuzzy Hash: 373a9829dfc96ac6c9b76b626dfae4e53561d256527cf5b45c1453a212e09613
Instruction Fuzzy Hash: C7515DB1D01659EFDB50CF9AC88069DFBF4BF48720F50422EE918A7680D375A951DBA0

Function 00FF28D0 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

twj, xrefs: 00FF28FA

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: twj
API String ID: 0-1637908201
Opcode ID: 87233e9ee977b02a40d2bb4e6eaa79a8ca617d58c6aa8797fcbad9cff2e67a7e
Instruction ID: 51c526ad3fd49c7518814df0b5320dba297030244b1e6e42b077af6c98f58f1c
Opcode Fuzzy Hash: 87233e9ee977b02a40d2bb4e6eaa79a8ca617d58c6aa8797fcbad9cff2e67a7e
Instruction Fuzzy Hash: D951D2B1B003089BDF35DF98C884BEEB7BAAF81710F24401DD9856B294DB769C01DB50

Function 0101C6A6 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrredirect.c, xrefs: 01058181, 010581F5

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrredirect.c
API String ID: 0-3694840737
Opcode ID: 9ce50fec95fac7b5175bd842f5ed165d15bc5bf59496bb0d5fa8c7201ea53ba2
Instruction ID: 859cccd048c20d9ceb0b1b84cc651c066835c557778f60b7fd683d85d86ff64e
Opcode Fuzzy Hash: 9ce50fec95fac7b5175bd842f5ed165d15bc5bf59496bb0d5fa8c7201ea53ba2
Instruction Fuzzy Hash: E131F1B17443069BD320EB68D946E6B7BE4AF94B10F044958FDC5AB2D1E624ED04CBA2

Function 01064DD7 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrutil.c, xrefs: 01064E06

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: minkernel\ntdll\ldrutil.c
API String ID: 0-4055692389
Opcode ID: ddf48f7358d3a3b351ed528f3b4ac844510bd2206d08f0020c964a84b456fb2b
Instruction ID: 33847833e46bfa1ed2ac9858d3426624abefcf3a5519b9c391f0d1c2ba9c0c2d
Opcode Fuzzy Hash: ddf48f7358d3a3b351ed528f3b4ac844510bd2206d08f0020c964a84b456fb2b
Instruction Fuzzy Hash: A9215B72188103BBE728AA6CDD46E667BEDFB85BA0F144149F6D1DA581C560DF20C222

Function 01008DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822ac39f346e987e1b06c895dc0ee9a6230134ac276390974c53e29ae36c6928
Instruction ID: 878f037bfe32d2fd4e7c4b27fc5cf1daeb564414140f8be19a5162da9ef5ab7d
Opcode Fuzzy Hash: 822ac39f346e987e1b06c895dc0ee9a6230134ac276390974c53e29ae36c6928
Instruction Fuzzy Hash: 20225FB0E00156DBDB56CFA9C4809BEFBF6BF54704F1480AAE98597242E774DD81CBA0

Function 00FE28F0 Relevance: .4, Instructions: 446COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc29cb9c21e935b953cc06871b0fe9ad035a4db2b86b1b3da3aa25823cd67239
Instruction ID: df3c304bd5566ab9d3ea4625ea005f1fd155d000cfe35f4c26f97f61ac72e54d
Opcode Fuzzy Hash: dc29cb9c21e935b953cc06871b0fe9ad035a4db2b86b1b3da3aa25823cd67239
Instruction Fuzzy Hash: 99F10471A043918BD765CF2AC84076BB7E9BF88720F18492DF98587391E779DC40EB92

Function 01004A35 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction ID: 8f201f1c00b33f662f2c40ccf65bcba52dcbfdac6ca14a81196006fb9450d6be
Opcode Fuzzy Hash: ebc7f223a89905c55a10d9bd692523c34124fc1ad656d048a5470a2d6266029e
Instruction Fuzzy Hash: 12F18170E0060A9BEF56DF99C980BAEBBF5BF48710F048169EA85EB280D774DD41CB54

Function 00FEA9D0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d029cccfbe69ca3b76e8e19bbee156870f3fec8234beaff0e10581baea9a2d5
Instruction ID: ed4912926edc60b9262b1bc1dcb1ff850db2e2440201c8ee03d4429ff3f28185
Opcode Fuzzy Hash: 3d029cccfbe69ca3b76e8e19bbee156870f3fec8234beaff0e10581baea9a2d5
Instruction Fuzzy Hash: 98E1B0B1E00259EBEB21DE9ADD80BAEB7B9BF54710F104076F941EB251D738E940EB11

Function 00FD8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac4a6f668b3ca6cba6f61e5e0f73431fd625f31e1b4d1541f9c45ca509964b3
Instruction ID: a3061d58a949aa312bdf2581976c9cd94385a421ba24e354ffd9e4e9ebbb9ab4
Opcode Fuzzy Hash: dac4a6f668b3ca6cba6f61e5e0f73431fd625f31e1b4d1541f9c45ca509964b3
Instruction Fuzzy Hash: 49D1D472A002069BCB14DF65CC81BBA77E6FF84358F18416AF955DB381EB34D942EB50

Function 00FE65D0 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d92cd3eda9e58ee33876fdefceb2dc0ce9373b6f023727f60a7834774b441b3
Instruction ID: e3dce9fe0f862ade68b85d1f0496b80113fbaffd4cf80e0e6e8e6086beef6926
Opcode Fuzzy Hash: 0d92cd3eda9e58ee33876fdefceb2dc0ce9373b6f023727f60a7834774b441b3
Instruction Fuzzy Hash: CDE1AE71908386CFC714CF29C480A6ABBE0FFA8358F14896DE895CB351DB31E905DB92

Function 01068243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction ID: bc08dc7ebacfe490a7a33d8e58cd44cedbdc5fb0ac4edaaceb2b6dc719814dac
Opcode Fuzzy Hash: 44fc8e8e43da417eb9280bef980917e355e266e3dfe67b355ffa181fa1ff9558
Instruction Fuzzy Hash: 09B15074A00705AFDF64DB99C940AABBBFDBF84304F14846EAA8297794DB35E905CB10

Function 00FF0535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction ID: 91c443a59904e0faae016365342cabe80ca262c33702cb0e8a701235693c71eb
Opcode Fuzzy Hash: 7fd700fbd03bf2adbb2211fea5898c4dae515c14471c26ec91a7b73b47cf98cd
Instruction Fuzzy Hash: 4FB12F72600649AFDB15DF68C890BBEBBF6AF44300F1801A5E691D7392DB74ED41EB50

Function 01000DE1 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca0235c992b9cf7608b89b1353f88ac4a38dd197da41dc3b5485a26cfc1fa37
Instruction ID: c1db23030786c38b871e6f2d159bd2bec8cf501b77d1fbed86e1d04ef6d9e60f
Opcode Fuzzy Hash: 0ca0235c992b9cf7608b89b1353f88ac4a38dd197da41dc3b5485a26cfc1fa37
Instruction Fuzzy Hash: 38C17C70E00359DFEB26CFA8C980BADBBB5FF48344F104129F985AB299D775A941DB40

Function 00FE83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75ae3e44e9f7dbe4fe4c38933dee936a8fedca00c4e2504cab2cddf6e3ba147
Instruction ID: bdd2c68f4b36a2102df29776503acec10fd8605614e45fe5c2f32c19ce6de6c9
Opcode Fuzzy Hash: f75ae3e44e9f7dbe4fe4c38933dee936a8fedca00c4e2504cab2cddf6e3ba147
Instruction Fuzzy Hash: C9C188B46083818FD760DF19C484BAAB7E5FF88344F44496EE98987290DB74E949CF92

Function 00FDC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e8cc5deed8cec0a04cc25016666c028298c364072fdf67b1e40e6a41a3c2f3
Instruction ID: 768103f1985a879380710ed244de2ea60892020b1658b4b8a40a216a0ae2bc9c
Opcode Fuzzy Hash: d9e8cc5deed8cec0a04cc25016666c028298c364072fdf67b1e40e6a41a3c2f3
Instruction Fuzzy Hash: F1B1A170A002668BDB64DF54C890BA9B3F6EF44700F1885EAD54AE7381EB34ED85DF60

Function 01020185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2cb0bec07209f0ea73d66e9e3930b34951656fefbe8f59b838be6351f5e61b5
Instruction ID: 702832939e9a4736ed1bebba8a9c98fdd33879662536b051940972568f4708c3
Opcode Fuzzy Hash: d2cb0bec07209f0ea73d66e9e3930b34951656fefbe8f59b838be6351f5e61b5
Instruction Fuzzy Hash: 56A1C1B0B0072ADFDB65CF69C890BAAB7F5FF44314F008169EA8597285DB34E815CB50

Function 010660E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8329dfd124aa74c0527d4945e9ba9cc47c10ee31a1f3050bf8ba3947009c52b
Instruction ID: b6e3335c3aa4284456efdc5cee773a40db190c345b1fd3c5961ad51314c7035a
Opcode Fuzzy Hash: d8329dfd124aa74c0527d4945e9ba9cc47c10ee31a1f3050bf8ba3947009c52b
Instruction Fuzzy Hash: 4991C671D00626AFDB15CF58D890BBEBFB9AF48710F154159E690EB341D736DE009BA0

Function 010163FF Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae5a57446489b9b3f124ecb021b13a7cd55579a9229e8bdfa6e302cebcb8f852
Instruction ID: ee76a8fcc6e160ec284dfcb1790d70a631fc863be91c3959828b7027a2869e7e
Opcode Fuzzy Hash: ae5a57446489b9b3f124ecb021b13a7cd55579a9229e8bdfa6e302cebcb8f852
Instruction Fuzzy Hash: B1912571A413259BEBB5DF58DC45BEE7BB1BF40B14F000168EDC0AB285EBBA9841C791

Function 00FFE3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e08832f93ab93b373041d903d5191a0aadcafc7cff0d406e6ca219556b91fd54
Instruction ID: 8a63a3ac83c984882f8acd186fb33e76555a59c93c2ac8e73e1141e4482ece3e
Opcode Fuzzy Hash: e08832f93ab93b373041d903d5191a0aadcafc7cff0d406e6ca219556b91fd54
Instruction Fuzzy Hash: AC910776A00619CBDB24DB58C880B7EB7A1EF88718F1940B9EE45DB3B1E638DD01E751

Function 00FF0C00 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a28f48c244dc9bf0c4b9ace8392f8268c86a6750227bc9afed69a06b39590d
Instruction ID: 09fdd768205004980645158a8b1ebe8e59541a25643cc7dea75f658616f17d7a
Opcode Fuzzy Hash: b6a28f48c244dc9bf0c4b9ace8392f8268c86a6750227bc9afed69a06b39590d
Instruction Fuzzy Hash: 0DA10470A0064A9FD724CF68C890BBAB7F1FF54710F14856DE6868B792DB34E844EB91

Function 010689B3 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0500a417a418eaedb8a122244c98f2f68bec4601f11cd477cd01ca66b5de1b2
Instruction ID: dcbfc3718875175d0e1b7174ca89cca4d8ea71b52d5f4558d9d9b9b89e6a1285
Opcode Fuzzy Hash: b0500a417a418eaedb8a122244c98f2f68bec4601f11cd477cd01ca66b5de1b2
Instruction Fuzzy Hash: 30912572601316AFD721EF68CC81B6A77ECAB55714F04845AFEC06B285C739EC04CBA2

Function 01014AD0 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dd4478bc0bd5518c5315587a03c51abb1a5501951e37e879d85d53a4a87f87
Instruction ID: b7366ce1998b7c35db3708812effb88e91a29754599bd23267280e04e3d99728
Opcode Fuzzy Hash: 73dd4478bc0bd5518c5315587a03c51abb1a5501951e37e879d85d53a4a87f87
Instruction Fuzzy Hash: D5611532600B129BD7A28F1CC882B2BBBE4BF80B50F158599E8D5DF251CB74F841CB91

Function 01036ACC Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 666aa8efb8c0be06ed76cdb932dbcf2e1f86d5a4d1282b22ea87011bdfc08117
Instruction ID: ada87a84f3e28985a79973eb3b041d8ad18de47f389259330f713374c64471b4
Opcode Fuzzy Hash: 666aa8efb8c0be06ed76cdb932dbcf2e1f86d5a4d1282b22ea87011bdfc08117
Instruction Fuzzy Hash: 87819671E00619AFDB18CF69D890ABEBBF9FB88700F04852EE585D7640E735DA41CB54

Function 00FD6D10 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdaf80f4013bd686a34d9a6625f1a10bde4b0307f22010dbac2bce9b1f3fd08b
Instruction ID: 4a91dffcf1b9153764d9a95ba23b2247bfe292c21b85c14cbb6716862db778f2
Opcode Fuzzy Hash: cdaf80f4013bd686a34d9a6625f1a10bde4b0307f22010dbac2bce9b1f3fd08b
Instruction Fuzzy Hash: 3B71B0756143069FDB61DF19C880B6AB7ECBBC4358F05496AEA95D7200E7B0E844CB92

Function 0101E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5b8115de934bf1f9a59f5fcab04cf55e36d533cfdc05ad58f4d1bc4ca9deac
Instruction ID: be67b11fcb25e7f5ff7dfe57bc77d38da0299abc1cd7842b0655f1076c05e1d0
Opcode Fuzzy Hash: 8a5b8115de934bf1f9a59f5fcab04cf55e36d533cfdc05ad58f4d1bc4ca9deac
Instruction Fuzzy Hash: B1818471A00609DFDB56CFA9C880BEEBBF9FF48314F108429E995A7254D734AC45CB60

Function 00FE64AB Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27588ea8f77a864ac8d85c3518947465cbfebb6b13c1685b926239f59a6d2d68
Instruction ID: fca1bbd119960d23f8fe2dc45face9d89222a3f0a89ceae7f0dc7b9fb795cf78
Opcode Fuzzy Hash: 27588ea8f77a864ac8d85c3518947465cbfebb6b13c1685b926239f59a6d2d68
Instruction Fuzzy Hash: 2D71F4B1A043599FCB20DF15C884F977FA8AFA47A4F140469F9888B286D734D588DFD2

Function 00FFC640 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cebc73e05ac008b3c3dff30363f21c80291ba4470a405d43d078e5b0340b48e
Instruction ID: 89942795cc7a576a48ab6abd626ae1ce2aefc6d4c9569c01bfd5a0e06919531e
Opcode Fuzzy Hash: 3cebc73e05ac008b3c3dff30363f21c80291ba4470a405d43d078e5b0340b48e
Instruction Fuzzy Hash: 7071E2B6C05629DBCB259F98C5807BEBBF0FF48710F14856AE982AB350D3349800DB90

Function 0101A660 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0374e6f53c25d0eeb0a41fc810bc67cc73da9b4254c5092c23ac9cd8ef1d4f
Instruction ID: c48baa3c0ca473e6ebd2addd60df9e331ae2ac872767a0cb6756c5eb59c4c60d
Opcode Fuzzy Hash: 6c0374e6f53c25d0eeb0a41fc810bc67cc73da9b4254c5092c23ac9cd8ef1d4f
Instruction Fuzzy Hash: D3718FB5E0020ADFDFA8DF9CC5906EEBBF1BF48710F54816AE985A7241E7368841CB50

Function 0106035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction ID: 2033b522c2298fc990bbaef6838da57cb8a053dc24c914cbf755203db9a2af7b
Opcode Fuzzy Hash: a2f0af9a4cc35be43268488dd58ae78b3cd43133769d1ae5baa3c223ab0f1c10
Instruction Fuzzy Hash: 40714C71A00619EFDB10DFA9C984AEEBBF9FF48700F104569E645EB251DB34EA41CB50

Function 00FE8AA0 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 394fea1ed9c24e670dfd6512fab78f4f5a3eabb0c75ca57a81f594afb7a99ae3
Instruction ID: eee04bcecddca86581b4a5882414eae72a0eb404ea2288b11ed45883b03a5e99
Opcode Fuzzy Hash: 394fea1ed9c24e670dfd6512fab78f4f5a3eabb0c75ca57a81f594afb7a99ae3
Instruction Fuzzy Hash: 3A8101B2B05345CFDB24CF98E584BAD77F2BF88310F1541A9E944AB291CB399D01DB90

Function 00FEA471 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3774e98e6245a7b0dcc0cafb3f72af9df1525a3e792c25781af85aa56728f12a
Instruction ID: b3e26087b173f13a1b52dbb732f2fb7c0e97fc930d508cbfc42e6df7cae2a8b5
Opcode Fuzzy Hash: 3774e98e6245a7b0dcc0cafb3f72af9df1525a3e792c25781af85aa56728f12a
Instruction Fuzzy Hash: 39718C756083868FD711CF56C540B6AB3E4FF84704F04886AF985DB290E374EA4AEB57

Function 00FF0A5B Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fd64cf058f5ca077fdf0126ef0e8da101f09a3091d31bbd37f610fa6e34b409
Instruction ID: e131aead5759678f03046da70d214a8ddcac1abe12f0c27eab5d221979c29380
Opcode Fuzzy Hash: 2fd64cf058f5ca077fdf0126ef0e8da101f09a3091d31bbd37f610fa6e34b409
Instruction Fuzzy Hash: 9261B171600305DFDB29CF28C880B7ABBE1FF45704F1485AAE695CB2A6DB74E841DB91

Function 00FF61D1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc6e43035b62ae4af0d1b1cd1ab6125a0cf4545edeea3b92a89f65c41974c17
Instruction ID: da05601f6ffa3f6e01ef77cd7f5e1726b8d725f93c590c79ffdfa59ba810ff10
Opcode Fuzzy Hash: 1bc6e43035b62ae4af0d1b1cd1ab6125a0cf4545edeea3b92a89f65c41974c17
Instruction Fuzzy Hash: 37719D34E0162A8FCB25CF98C4907BDB3B1BF55314F244558D996EB3A4DB34AD42EB80

Function 0105E6F2 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef81eeaa6d6dec308c63524eb78965536a817adc135688f6997c5ee62e2d402f
Instruction ID: e6bc195a8efcba6d64d69b305fcd5d5b19496eb4917bdfa8c22f18780550fa09
Opcode Fuzzy Hash: ef81eeaa6d6dec308c63524eb78965536a817adc135688f6997c5ee62e2d402f
Instruction Fuzzy Hash: 5B611B71E006199FDB55DFA8C940BBEFBB9FB48700F144069EA99EB291D731AA40CB50

Function 00FEAC50 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28416942b5b6dc87451e10a82a474c012c682ee5ea3adbc4366224ed9c14a115
Instruction ID: 82cca3c893d3054c395bbae9a2fbf4c6ad1f1aaf37b1c04c7c4d6d3aa4eb10c0
Opcode Fuzzy Hash: 28416942b5b6dc87451e10a82a474c012c682ee5ea3adbc4366224ed9c14a115
Instruction Fuzzy Hash: 88612372A00699DFEB21CFAAC880BADB7B4FF54711F144469E841EB790D778E940D721

Function 01022160 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbab6dc53b3e02d5d394105ac4942bd2060872ce7c0e4e643d07760f13f57971
Instruction ID: b43ea4e98be6a03bc914909ae5c2b772bee66415d542d6b63d8eb3c8b081ba55
Opcode Fuzzy Hash: dbab6dc53b3e02d5d394105ac4942bd2060872ce7c0e4e643d07760f13f57971
Instruction Fuzzy Hash: B5515F71A00619DFDB50CF9CC940BEEBBF5BF48360F25826AE9A5E7280D335A944CB54

Function 0100EDD3 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4919f5701adefad8cb37068ddc751a9a6bf38ca3c0bc132ed399ebeeb9792700
Instruction ID: 9644063c3b5a44ff5604399f0b514b8f25c422e4e6467bf5d4ff88466b53198b
Opcode Fuzzy Hash: 4919f5701adefad8cb37068ddc751a9a6bf38ca3c0bc132ed399ebeeb9792700
Instruction Fuzzy Hash: 0951A071600789DFEB36DB5AC884B6BB7E9BF44709F100C6DE182A7692D778E844CB40

Function 0100CDF0 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction ID: a20f434ca976e038d0361a44689e26376ce1207814081323b95043f85ea123b8
Opcode Fuzzy Hash: 6851680e3e689f07d8311deac1a97bfa9ae5f47be04d730b0759b45304561ce1
Instruction Fuzzy Hash: 37514FB5E0064ADFDB15CF9CC5C06EEBBF1FB48310F1981B9D995A7240D638A942CB98

Function 00FF2CDC Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dfe43989bc211e2b6fadffed8cc01f277ab493daa74d12f2ce549ef967be4e7
Instruction ID: eb96f18bdf7e126c528df7f092317014b1fee56833ea1acae621f5402374fd18
Opcode Fuzzy Hash: 1dfe43989bc211e2b6fadffed8cc01f277ab493daa74d12f2ce549ef967be4e7
Instruction Fuzzy Hash: A871CD71E04649DFDB65CF28C144BB9BBF0FF04328F288099D5499B2A1C779A986EF50

Function 0101E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 27a3f165e996e464034615f6fbff7843b510a2fce6a119f72ef2973d21408578
Instruction ID: ef5ab607b72901d0322a3273dcc81811357e6ec576b245e458d81dc6ed6f78be
Opcode Fuzzy Hash: 27a3f165e996e464034615f6fbff7843b510a2fce6a119f72ef2973d21408578
Instruction Fuzzy Hash: F6516171640615DFCB62EFA8C990EAAB7FDFF04784F4104A9EA8297661D738ED40CB50

Function 010045B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction ID: cdb56877cc9c9eb3452bebce302b07a14783407af43e789b1cf8e39e1abdfd20
Opcode Fuzzy Hash: f1f940062bb164c30f98cd5f3406246ca69af4dfd6fb89726bbd0b8788f8d1b5
Instruction Fuzzy Hash: 2951A571E0021A9BEF16DF94C840BEEBBB5BF49350F0440A9EA45EB280D774DD44CB94

Function 0106E9E0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction ID: 6f90c451a72a6cce90f3664872cd90747813eb78beea6121bf341688dfe1cd32
Opcode Fuzzy Hash: 08e4cd0a40312db3601c2ec88b8b3ba4937567036288613210d62cd3e5d467c2
Instruction Fuzzy Hash: 8751A635D00319EFEF21DF94C884BAFBBBDAF00324F154665D69267191D7349E448BA0

Function 00FFE627 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8223c63ad81768f9f8a5a3d6e1ef9663e2050ffc529e3d86b02c44dbf45a4e
Instruction ID: 242732a0173024e3f8ab0c8f1af9dbe2aa87c8659f7d47b7cae90c14137950a0
Opcode Fuzzy Hash: 5f8223c63ad81768f9f8a5a3d6e1ef9663e2050ffc529e3d86b02c44dbf45a4e
Instruction Fuzzy Hash: 3841C37250831A9BD710EA75C880BBBB7D8AF88714F04092DF694E71B0E778DA04E797

Function 0106CBF0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 822c9c6bd5a7ad42db91a2ae0e92de7244d8f644e751907d12f7902f5f07851a
Instruction ID: 91eb6f7132f812502aa0874d19b946525e7a8844892865db02c429ef0d36e273
Opcode Fuzzy Hash: 822c9c6bd5a7ad42db91a2ae0e92de7244d8f644e751907d12f7902f5f07851a
Instruction Fuzzy Hash: 0B519D71900219DFDB60DFA9CA809AEBBF9FF48358B144559E9C5A3305DB39AD01CB90

Function 0101CC00 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4454454a8deccf186e34184ae0f45c21dbcf31e7a88e756dd61a04ab91894568
Instruction ID: d50ceddbfbe43e14c1e44ceae618bcd64ecf021cda24672af111d629338d4c9f
Opcode Fuzzy Hash: 4454454a8deccf186e34184ae0f45c21dbcf31e7a88e756dd61a04ab91894568
Instruction Fuzzy Hash: 8651F93024030E8AFBA58E5DD74173A7AD1FB41255F18C5AAEDC2CA15AD639CC81CF51

Function 0101A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da539971669d9fe893ff7bba3d225e4d0e4f4670cdd8a2da86a9677c7290966c
Instruction ID: b266f6de77560de89323d199d0fa9afef68aa0bbb8a1cdbc07d80b0fad4dd277
Opcode Fuzzy Hash: da539971669d9fe893ff7bba3d225e4d0e4f4670cdd8a2da86a9677c7290966c
Instruction Fuzzy Hash: E8410671742241DBDB69EE68D881BBA36A5EB58708F41006DEEC19B249DBBFD800C760

Function 010101F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbda24b17c31595749ed0314efe5d968fcc631ce64cb4ec52f79d37d97aaf815
Instruction ID: d022c11f3dd9ce452d83b78d3aafd56d041e05e6e83c987fedd43aa458caefe3
Opcode Fuzzy Hash: bbda24b17c31595749ed0314efe5d968fcc631ce64cb4ec52f79d37d97aaf815
Instruction Fuzzy Hash: 1F41BD36A00219DBDB14DF98C440AEEBBB4BF48710F14816AF9D5FB258D7399D81CBA4

Function 00FDCDEA Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea65d2855084b34fbf2039cd3acdb554f598def44aaadb2eb5f06f6e101e5b09
Instruction ID: 2e88059166bcdeb464e83336dfbdc19a46382efd56a93634ee1bcc26f1c1f6b7
Opcode Fuzzy Hash: ea65d2855084b34fbf2039cd3acdb554f598def44aaadb2eb5f06f6e101e5b09
Instruction Fuzzy Hash: 4741B372E00219EADF25DB98CC81AEEBBFCFF84720F14415AE591E7290D7749A41CB90

Function 01022750 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction ID: 3e691c79fc77b33968e88a83593241d7348ba182592908c2d0bef593d2fd7c22
Opcode Fuzzy Hash: 4e5994e520c12837e1c977685754e7d15b60516a2f9191962b35c18b1936a3e0
Instruction Fuzzy Hash: 4C517C75A00219CFCB95CF98C480AAEFBF2FF84714F2482A9D995A7351D770AE41CB90

Function 00FE6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2af66279d6f6db2257c8ba3332ff7e643bddfd1e2fd2bfe02f4b494d715cf3b8
Instruction ID: 526572786df9011835dae4c7a9b9934dfee5a79d370715b48614f0d7f7fa1c67
Opcode Fuzzy Hash: 2af66279d6f6db2257c8ba3332ff7e643bddfd1e2fd2bfe02f4b494d715cf3b8
Instruction Fuzzy Hash: 655106B090025ADBDF65CB68CC41BE8BBB1EF11314F1482A9E669E72D1D7399981EF40

Function 00FE0BCD Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c5f12ef7275a3a9c523f9cc694a4c813d552ab7b29aa2776d35f1f770c59c4
Instruction ID: b68a89984a35d67803df107904639ccc41a59fd3a3d8009566fee7d8931187e0
Opcode Fuzzy Hash: f9c5f12ef7275a3a9c523f9cc694a4c813d552ab7b29aa2776d35f1f770c59c4
Instruction Fuzzy Hash: 4C41BF32A002689BCB61EF6DCD44BEA77B8EF85750F1101A5E948AB241DB74DE80DF91

Function 00FE0D59 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f590d8815a722134d9b5d770ee5f0242684577250bd6833a0cd613cc87822b26
Instruction ID: e8f2c5063e0205d374c61ad4430b9f168a51c2bbe714955562c71e78bbc99add
Opcode Fuzzy Hash: f590d8815a722134d9b5d770ee5f0242684577250bd6833a0cd613cc87822b26
Instruction Fuzzy Hash: 2841F571A00358DFEB31DF25CC81FAA77E9AF45710F1008AAE98597281DBB4DD80DB52

Function 01016F60 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41dc82b6aaa3f336d647b5f0a924741e7367bbb2e957f3408cfaf1ff29190f27
Instruction ID: d05b19103ede99f5c6487390b61fb5d82a9f9691e9ac295ed06c9a3b016e5131
Opcode Fuzzy Hash: 41dc82b6aaa3f336d647b5f0a924741e7367bbb2e957f3408cfaf1ff29190f27
Instruction Fuzzy Hash: 1E5156B5A00709CFDB62CF69C480B9ABBF1BF48314F10846DE9AA9B311D739A940CF50

Function 0105C730 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e088d19250e66e858308525059d1750617d1a711d0bd9acca8cf7f4b33fba9f7
Instruction ID: 3c9d3671004538308fe7d0c0513dd1ab22742bed5f218500eaeb1da98a3f8b76
Opcode Fuzzy Hash: e088d19250e66e858308525059d1750617d1a711d0bd9acca8cf7f4b33fba9f7
Instruction Fuzzy Hash: F04132B1D0062DAAEB61DB50CD84FEFB77CAB45714F0045E5EA48AB140DB709E89CFA4

Function 00FE0887 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080b3d72ce27400b9e51b96c0c8d4903bf49eba8c7329d9d0d0a43a68d7e8cb4
Instruction ID: 668110093d0c7252859bfce8ac76e3917a8eae181073412776da9a586d6e51d6
Opcode Fuzzy Hash: 080b3d72ce27400b9e51b96c0c8d4903bf49eba8c7329d9d0d0a43a68d7e8cb4
Instruction Fuzzy Hash: F841F6716007459FD725CF26C880A2AB7F9FF48314B104A6DE58787752EBB4F885EB50

Function 0100A470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ad8258268bb91c9a1b84f78ff36b7c57e41d3dd798efbcc86b317b783ea1af
Instruction ID: eaa2ed3b6a47a581eecdfe684ac21cc132644a1d1fce6934aa7f418f28c41534
Opcode Fuzzy Hash: a1ad8258268bb91c9a1b84f78ff36b7c57e41d3dd798efbcc86b317b783ea1af
Instruction Fuzzy Hash: 04418E72A41304CFEB62DF68D8947EE7BB0FF44361F1501A5D595AB2E1DB3A9900CBA0

Function 00FE8BF0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fcb9e16ef4c30f02df1456f4328b180a6adc62dde0374f053480c77044296d
Instruction ID: 5b80ee2717ca1a90dd5820d173bcff360bbfa94f1314320bb11c5ec23740d3e0
Opcode Fuzzy Hash: 92fcb9e16ef4c30f02df1456f4328b180a6adc62dde0374f053480c77044296d
Instruction Fuzzy Hash: 83415872A01241CBD724EF4AD880B5ABBF1FF85744F20806AE9459B665CB39D802DFA0

Function 00FD8918 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5746bcd783ecf450fd7c8113d611ceee928f37f2a92321f7e3c1c10b1ece41f
Instruction ID: e295c1080ddd018c5f76af180a4877acdf43061f847a3557b9b4be6c039e8b5a
Opcode Fuzzy Hash: d5746bcd783ecf450fd7c8113d611ceee928f37f2a92321f7e3c1c10b1ece41f
Instruction Fuzzy Hash: 15415C325087069ED312DF64C850A6BB7E9EF84B94F45092BF9C4D7250EB31DE059B93

Function 00FDA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 4c1dc30dab174335d9668e74c4c9c0783c7116c0e59cb7fbc362eb96651513f7
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: D4413B32A00211DFDB21DE69C4447BEB7A6EFD0758F1980ABE9858B341D7368D40EB96

Function 00FE09AD Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1880aa03f2a1de0140b2b1c9b1b54fc1d1df932b4874a072e71a3d01aa5d98
Instruction ID: 437a70c7aa2cb451f5566a00e3c13bf4ee06181114648e85fb3b18948a7a112a
Opcode Fuzzy Hash: fe1880aa03f2a1de0140b2b1c9b1b54fc1d1df932b4874a072e71a3d01aa5d98
Instruction Fuzzy Hash: 52417C71A00744EFD721CF19D841B2AB7F4FF44714F24896AE449CB252EBB5E982DB90

Function 01010710 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction ID: adc5ca8acf8aea4d8cd59d320d88499f683ef6b9b2c55c666150feddd63135b4
Opcode Fuzzy Hash: 9f0c50458855a09be12f916f7edb5fbf22469515b4fabd68e5ac243ec6b2fef0
Instruction Fuzzy Hash: B8411871A04605EFDB24CF98C980AAABBF4FF18700B10496DE5D6DB659D334EA84CF90

Function 00FDC156 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2756a480e34cb6048ebcea103cea11d9278729520015544e0dc0cfa6be02cb67
Instruction ID: 06ffb34b41e4eaac21161a8a053b3166e5d8a7b99012737a043ef856f59edb75
Opcode Fuzzy Hash: 2756a480e34cb6048ebcea103cea11d9278729520015544e0dc0cfa6be02cb67
Instruction Fuzzy Hash: 374138719002108BCB21DF68CC81BE977B8BF44308F5881A9ED859F343EE75A946DB90

Function 00FEA2C3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d214d75c31d673c56abdebc5f5871a86e34fe8d71b256eec217cf6ea93761851
Instruction ID: 3ff0bab681b002f5416bd5f5738c3ef40d207b13f7e9017776ca7bb2e55a0dee
Opcode Fuzzy Hash: d214d75c31d673c56abdebc5f5871a86e34fe8d71b256eec217cf6ea93761851
Instruction Fuzzy Hash: A241BE71A00689DFDB11CF5AD880BAEB7F4EF84710F2440A5E954DB2A1E376EA40DB91

Function 0101C8F9 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55477f4958c9ec3641767e16f1319c321e6931a10a721c11bf1c1ab05b7cc58d
Instruction ID: b83d679db201add7137d9884e81a764920e42dd367882374db8e8c6092836439
Opcode Fuzzy Hash: 55477f4958c9ec3641767e16f1319c321e6931a10a721c11bf1c1ab05b7cc58d
Instruction Fuzzy Hash: 0E3179B2A40245DFEB52CF68C540799BBF1FB09724F2081AED559EB251D736D902CF90

Function 00FD80A0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b74b305936c8f165079c7440d423f967e2aa51c2d8b5bceefc35774b0841305
Instruction ID: 134ecfbea02d207b453e2cf721bfb11b56354c91741e0b5938e6aa281c2eace7
Opcode Fuzzy Hash: 9b74b305936c8f165079c7440d423f967e2aa51c2d8b5bceefc35774b0841305
Instruction Fuzzy Hash: 9941D372E05515AFCB01DF19CC406A8B7B6BF447A0F28822AE815A7380DB34ED47AB90

Function 00FD8B50 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95f63231a711ff908b417c51b5575eb7d3b712bac5187433c9c234ceaad74a9
Instruction ID: 3db0c8501065996ef81f9e2930cf802f53222164ecc2363dc9e6c6b3be6e0256
Opcode Fuzzy Hash: a95f63231a711ff908b417c51b5575eb7d3b712bac5187433c9c234ceaad74a9
Instruction Fuzzy Hash: 33419372E11604CFCB14CF69C98059DB7F2FF88364B28866BD466A7350DB349902EF50

Function 01012674 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7071cf3b4330e54aa264dfdf911b84411887fcc11fb02fc28ee6c589dfcb095d
Instruction ID: e5059b6af99775cc4387d034facc4672cf34f4de0458e23c91a7f5c041a99577
Opcode Fuzzy Hash: 7071cf3b4330e54aa264dfdf911b84411887fcc11fb02fc28ee6c589dfcb095d
Instruction Fuzzy Hash: 0831F836F40316B7E7219A9A9C45F9F7BB8EF64B50F150059BB44BB184D270DE00DBA1

Function 0105CCA0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3d78cd574870f80ba31c40512e4429a79a4421134a1d56e9e182808865ec7e
Instruction ID: 33dd95fb4d0034f84ca1ebd57d02167fca20e483162dc28f7a1e2c6bd06b5198
Opcode Fuzzy Hash: 7f3d78cd574870f80ba31c40512e4429a79a4421134a1d56e9e182808865ec7e
Instruction Fuzzy Hash: 89317232940619BAEB62AA94CD41FEFBBBDEF44750F01006AFA40EB151D6759E41CBA0

Function 00FD8CD0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d438bf800fe8bcb3c4f6dee221ae49999877abea8480bd51178432b0142f00
Instruction ID: a05347cbcb96cb0d1286938c75d5d47d4d8d890007991af9f9d39ef7e73b15f6
Opcode Fuzzy Hash: 34d438bf800fe8bcb3c4f6dee221ae49999877abea8480bd51178432b0142f00
Instruction Fuzzy Hash: FA31C3729002049FCB20DF59C84066AB7F3EF98764B28456BE456A73D1CF359D02EB90

Function 00FF02E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction ID: 72e1955fc8b05631cc43181663d1f57b5b6e59515f0b313c5504b9a052477775
Opcode Fuzzy Hash: 5edc165bbdfc8be8ee3faece5a37676e1d6bd213eca9610b85a78c39bba728db
Instruction Fuzzy Hash: 12312A32A04248AFDB219B68CC80BEABFE9EF44350F0441B5F855D7363C678D984DBA4

Function 00FF26EB Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction ID: 59bf530deade6af62c864b28d89e8cdef2831b007d63d875295ee8c49d372ca7
Opcode Fuzzy Hash: 77993d3f09c14a64daaf5de3e0ed3c6e731ad8a59e5a2c4d89f2138cff726e65
Instruction Fuzzy Hash: C34118767042469FC756DF18C49073AB7E1EF84310F1884AAE994CB362DB38DC45DBA1

Function 00FE4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3e4e9c4021e6f2ec07b326dbe5a86798fbd75cd90e388f9c9f944e99e504899
Instruction ID: a54ec291a6c3b23fad1226673a653b2e79586db48edbaf50daf5c572d527058d
Opcode Fuzzy Hash: e3e4e9c4021e6f2ec07b326dbe5a86798fbd75cd90e388f9c9f944e99e504899
Instruction Fuzzy Hash: 1B41DD72200B458FC722CF29C981BD67BE8BF08350F10846DFAA99B291C774F800EB50

Function 0105EB1D Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d85d2df2db1bc922282f5cb3352613546b37d964e29d0f7ea6c7a07b162003
Instruction ID: a4dc4ac96fd58a9845b38407f3fc26fb0b843bc68f216457a5b9047f9f4ce241
Opcode Fuzzy Hash: b9d85d2df2db1bc922282f5cb3352613546b37d964e29d0f7ea6c7a07b162003
Instruction Fuzzy Hash: E031C3317416899BF3A2975CCD48B6BBBD8AF40740F1900E0BFC58B6E2DB68DA41C220

Function 0100EB20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387e13086539bb6fc586ebc2ce2a66064c60cba434b9cfb4809a2cdfc00c15e0
Instruction ID: be21fda32469062f1c86851fb513b83d55db5522b2e97bb3333a3914a4a35ca0
Opcode Fuzzy Hash: 387e13086539bb6fc586ebc2ce2a66064c60cba434b9cfb4809a2cdfc00c15e0
Instruction Fuzzy Hash: AB31C872E00615AFEB22DEA9CC40AAFBBF9EF44750F014465E595E7290D6749A008BA0

Function 00FE07AF Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23cec5ece8170f4e3d68c3babb43ff117ba7325a231e294958152a07c871f35f
Instruction ID: 091cb2de9be956a6d8c43c5b7f602773fad51e845a3687416c288126e01d9090
Opcode Fuzzy Hash: 23cec5ece8170f4e3d68c3babb43ff117ba7325a231e294958152a07c871f35f
Instruction Fuzzy Hash: 18313332A04396DBC712DE26C880E6BBBE5AFD4360F054529FC85AB311DE74DD41A7E1

Function 0105CA72 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4af13735479e10b5ed3cefdc4dcfca5c6fcfeef334b7e64265089c259207909
Instruction ID: 93c50c5f1f9f378f850dc5949d79c61095e6f66d6b42278a2dab570e7b969d62
Opcode Fuzzy Hash: b4af13735479e10b5ed3cefdc4dcfca5c6fcfeef334b7e64265089c259207909
Instruction Fuzzy Hash: 9F313636900619AFFB56DB58CA55EBFBBB8EF80720F014169ED41A7251D7319E00EBE0

Function 0100AF69 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fe6962caca3c213a2a9f7dbc456606a8eb77e832b86e63649cbab035b87b8d
Instruction ID: 39d266528adde787ff7b01fad0a3312d3f347203b04f91643a2263e705e5a0a8
Opcode Fuzzy Hash: 60fe6962caca3c213a2a9f7dbc456606a8eb77e832b86e63649cbab035b87b8d
Instruction Fuzzy Hash: D3317075A011299BEB21DF19CC48BAFB7B8FF54740F0500EAF948E7290DA349E80CB91

Function 0101A6C7 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction ID: cc548991c0e34359c4229bd87484850e428103e18cd62554bf71dfa3c7843259
Opcode Fuzzy Hash: e136c029909a3ccf1237e4fc7d16277c3fe1d3b2d70fb0f0b3587283bfba0b1c
Instruction Fuzzy Hash: D4314AB2B01B41EFD7A1CF69DD40B67BBF8BF08A50F04096DA59AC3650E634E9008B60

Function 0100438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db3b454aae970ef8e3578a17de04608aef1ee11a3fb11ae7718087801273f302
Instruction ID: 18690f16ece0d8d9f779bdd144954e4707e3fafeaea4c5a94957caa70970e0b6
Opcode Fuzzy Hash: db3b454aae970ef8e3578a17de04608aef1ee11a3fb11ae7718087801273f302
Instruction Fuzzy Hash: 7A310571B003059FE721EFB8C981AAEBBF9EF84304F018529D685D3291DB35E941CB90

Function 00FDCB7E Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction ID: b7b5e8d169dfa33aa7bff67073b496371d92bcd5c54f205867ffb36cd8a87d72
Opcode Fuzzy Hash: 7790bd36a42e865f7c718a67dc22d3f79e787f24dbf99b6834416aa25bbd7ff7
Instruction Fuzzy Hash: 2A210B32F4125BAAD7119BB58801BAFBBBAAF44750F198176AE95F7340E370D900D7E0

Function 00FDE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e27ac351a984ef2b88297f608fa45dbdeb3fe0fd8fc171c926bf1931ddac977
Instruction ID: 9c5be417b80ef54e63c14d36c843fd042d96e10190d70887b3db0bde36fcc3c0
Opcode Fuzzy Hash: 7e27ac351a984ef2b88297f608fa45dbdeb3fe0fd8fc171c926bf1931ddac977
Instruction Fuzzy Hash: 23310836A0012C9BDB31EF14DC41FEE77BAEF15750F0901A6E645AB390D6749E80AF90

Function 00FE6E71 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927643ab888714ff636d01b1b2d1b85134e832b2f197df81777c8b1c02571431
Instruction ID: 087442748e2cf7f527ee655a1d94adba448d2466daf08670d535bae90853c81a
Opcode Fuzzy Hash: 927643ab888714ff636d01b1b2d1b85134e832b2f197df81777c8b1c02571431
Instruction Fuzzy Hash: 4131D2715002099BEB249FA9C880BAEF7F4BF44314F1842AAE5559B1D2CB70E981C791

Function 01014588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction ID: f822817ad50043dd9548282a30f8039f8823dd76a5d4476d96ee3891ce679980
Opcode Fuzzy Hash: 277169c50a7bdf1e1def58b38a3c1dedac02a8c9ac2be01cc5a137e0a7ffea9f
Instruction Fuzzy Hash: A9218031A00709EBCB11CF58C980A8EBBA5FF48758F108465EE55DF255D779EA058B90

Function 010144B0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8238788f8ab6f703c7afd24104326fbbb9e308cd7e3cfcf3a4e880e04de6b7
Instruction ID: 8ef4ad0d795f49ec52cbbabe22fa9049f90eadb5866dbc69a2a4e7ff5b2f97f5
Opcode Fuzzy Hash: 3d8238788f8ab6f703c7afd24104326fbbb9e308cd7e3cfcf3a4e880e04de6b7
Instruction Fuzzy Hash: 1721D2726047459BCB22CF18C880B6B77E4FF88760F014569FD949B696D734E901CBA2

Function 00FDE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction ID: 2da9686d831c2dd8a8837f17c057990d9308966e83fa575412c53734d65334d3
Opcode Fuzzy Hash: 44134b3cc04c3b9165643a468610c299cbef36331bc2ea93ac49eb48e3b8bc4a
Instruction Fuzzy Hash: DE318A31600604AFD721DB68C884F6AB7FAEF85354F1445AAE5528B391E770EE01EB50

Function 0105E609 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f672e88c7840a2b5f8b0e24b75d9cbb3c3a6b9851840a252cec673e72a5854a
Instruction ID: 9d0a909f63eae620cdc4e313eb6736a05b7349c0281ee7bd0953bb6b8bbab879
Opcode Fuzzy Hash: 3f672e88c7840a2b5f8b0e24b75d9cbb3c3a6b9851840a252cec673e72a5854a
Instruction Fuzzy Hash: 1E315E796002059FCB54CF18C8849EFB7F5EF88384B15845AECC99B391EB71EA50CBA1

Function 01008CB1 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction ID: d0f69006a454ac172c453b30074e489381ca1d6e35e46bbde20cc258b9f5cfb4
Opcode Fuzzy Hash: be42928480fe83a6920f429437d80c1551646c43924c5eabe80f3f6a5d3481a8
Instruction Fuzzy Hash: 83210A76900529BBEB23AA98C884F5F7BFDBF61650F058177FA459B154C634CD008790

Function 00FE8D59 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction ID: 973fc1d9c3ff5ea00f209a63387c02002110b8ce89d5f82ee4454386f53b2476
Opcode Fuzzy Hash: 771e0484a404b195372877301509bf43f816fb0c262265de74eede4d8511304c
Instruction Fuzzy Hash: 6A2127B27016859BE726A72DEC85B3577E4DF80790F1900B0FE85876E2EAA8DC419110

Function 010606F1 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1a470c040e9571464a4742d0bfb8e6bd13180d827e61d1817b3a6c8e8aa243
Instruction ID: 6f723795ac70b9fb0a633c39c2ddfafe807c92ee23e54eccbcf976e46ba002ce
Opcode Fuzzy Hash: dd1a470c040e9571464a4742d0bfb8e6bd13180d827e61d1817b3a6c8e8aa243
Instruction Fuzzy Hash: 5421A071D006299BCF24DF59C881ABEB7F8FF48740B550069F981E7254D778AD41DBA0

Function 0106019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9686a45eb6500175a06584b35d438e785d508fea0cae5358fdf95a01b3c0a391
Instruction ID: 40f231e5044bb0509daf705ff86040de6d4dc0fe7686d40d15dfc2e8c4329b0c
Opcode Fuzzy Hash: 9686a45eb6500175a06584b35d438e785d508fea0cae5358fdf95a01b3c0a391
Instruction Fuzzy Hash: DE218971600649ABD715DB68DC80E6AB7E8FF48740F1400A9FA44DB6A1D638EE40CBA8

Function 01060283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d11663b220e1160c2ceeecfeaaf1762ff6eb809a13b87736fc91e6267c88ca5
Instruction ID: efe309a48dd69d158ae1397a592eaad66f8907235029b7dd4e3d45d358ea2057
Opcode Fuzzy Hash: 7d11663b220e1160c2ceeecfeaaf1762ff6eb809a13b87736fc91e6267c88ca5
Instruction Fuzzy Hash: 1021C5729443469FD712DF59C944BABBBECEF90740F084496BEC0C7265D734DA04C6A1

Function 01002835 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b25870474ecdef2591c7ec3a668a549b016947f0f98c07b7de408ea421211a
Instruction ID: a701366dbd5319b415a45e62fced8baa8f2019b530c6c5001df2712fc343cf8d
Opcode Fuzzy Hash: 60b25870474ecdef2591c7ec3a668a549b016947f0f98c07b7de408ea421211a
Instruction Fuzzy Hash: 5021D771785685DBF323676C8C48B293BD4AF41774F2903F4FAE29B6E2DB68D9018210

Function 00FE6C50 Relevance: .1, Instructions: 73timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FE6D8C

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction ID: 48a921b5b7e318f06cbc439770578f27ff1f10f5a8ce76ba0ce4f584f30d2a6f
Opcode Fuzzy Hash: e8ccae6e2f7e35f84e7bb989f2678c939a5afa5094da6a1dc038476e0161c08b
Instruction Fuzzy Hash: C73189B5601644CFC761CF69C480B16BBE8FB88754F2484ADE9898B792DB31ED42CB90

Function 0101A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60fac75969ad75bebbe74e6a2b413c0a2e437b61d38f2625e4bfe188af21db09
Instruction ID: a2c89703e12e0195c1bf4645e17ed4ebe602736f75655dde1f0cb95b0513f454
Opcode Fuzzy Hash: 60fac75969ad75bebbe74e6a2b413c0a2e437b61d38f2625e4bfe188af21db09
Instruction Fuzzy Hash: 7621AF35241741DFC725DF29CC01B5677F5AF08704F1484A8A589CB761E335E942CB94

Function 01060946 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6a70da0faca8e126e463419d2bfa76166532b23b0bc9c4d585b5542ce18d07
Instruction ID: 3cd6cc6ec6a4bf5a069c5fe6dd7ee27265f2bef3793551de0f52254594a4172a
Opcode Fuzzy Hash: 1d6a70da0faca8e126e463419d2bfa76166532b23b0bc9c4d585b5542ce18d07
Instruction Fuzzy Hash: 922116B1E40309ABCB20CFAAD9819AEFBF9FF98710F10416FE445E7244DA749941CB60

Function 00FF0BBE Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b8247ac6af7163858b32a68204913f2b93fdcee194dc830fc71af048921a50
Instruction ID: 82a2e4713f4e9e7d507d19432e3e9ae3cead69739bdeb575070798e6ff525ce1
Opcode Fuzzy Hash: 95b8247ac6af7163858b32a68204913f2b93fdcee194dc830fc71af048921a50
Instruction Fuzzy Hash: 1911D271315145DFDB28DB14CC91B79B3A5EF80B2AF18816AE646CF262DF34D840D751

Function 01010124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction ID: 8491101303f69fcfd6adc948bdb771c98b4e3268a1e78115c69620a13a958e74
Opcode Fuzzy Hash: 46eb36b7a6c8140c37ab79ae24ad727a5b013edb67e3bfdf748b7c30626e4c0d
Instruction Fuzzy Hash: BB110473640609BFE7229F84CD41F9ABBB9EF84754F104069F6848B194D779EE84CB50

Function 00FE8770 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf203ca6e4a5efe839ce4760a1f993c5d1a2f0d9554c182d26cd9e184c7a4ba0
Instruction ID: 37148d720229b3125576e6f2c8be30ec99e0f7f01f6dcd5a52fef6913ab3319d
Opcode Fuzzy Hash: bf203ca6e4a5efe839ce4760a1f993c5d1a2f0d9554c182d26cd9e184c7a4ba0
Instruction Fuzzy Hash: EC119835B016919FCB11DF4BC9C0A56B7E5AF467A4724406DED0C9F205DAB2DD02D790

Function 0101AAEE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction ID: 36936fda466b373ae3bc4a0806fecbe6fdb01399c8d578c0c1517550b3db2a24
Opcode Fuzzy Hash: 24a1be8a3b3cecc6c09c2884dded5306318366361ede00ec49aaa0184f86d080
Instruction Fuzzy Hash: 39217F71A01681DFDB758F49C580A66BBE6FB84B10F15887DE58597616C738ED01CB40

Function 00FE80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b35bfc11886c38e2a5feb8a8e2dbf888640068a2347ad83f50b9a81cb96b58d3
Instruction ID: 93185240c3aa355fd5a167ba0374374fcb767509bda8c0cde34f4735723615a5
Opcode Fuzzy Hash: b35bfc11886c38e2a5feb8a8e2dbf888640068a2347ad83f50b9a81cb96b58d3
Instruction Fuzzy Hash: 24218E32A40245DFCB14CF59C581B6EBBB5FB88358F20416DD109A7310CB75AD07DB90

Function 0101674D Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9279edd561fc8976e17d6266f76bb4b3147446640394cede3d4e50aba71bf1e
Instruction ID: 65605e1b59d935c86dd70a28096caef9638ee9b4699800522a9257784f3bf444
Opcode Fuzzy Hash: b9279edd561fc8976e17d6266f76bb4b3147446640394cede3d4e50aba71bf1e
Instruction Fuzzy Hash: 2F218C75600A00EFD7608F68CC81BAAB7F8FF44350F04882DE5EAC7251EAB5A940CB60

Function 00FDEA80 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c568b363f560b22e3f8b7915c3014c246744cbe854160357efc7712e355900
Instruction ID: 17b2499fceed1369421543c71a0c83288ef033c873de2dee30205f7685cf4596
Opcode Fuzzy Hash: 34c568b363f560b22e3f8b7915c3014c246744cbe854160357efc7712e355900
Instruction Fuzzy Hash: 5711ACB1511B45AFE3219F26CD84E17BBF8FF44744B40882EE68A87621D775E804DBA0

Function 0100E8C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1815eb309e0a3158428e13a0e152789d6769f3edc6b89316c262ebab1d5df5
Instruction ID: d92ebef3b01251c972e66fdde3c6e2f1daf34133eceecdb629d0bbff12494a1a
Opcode Fuzzy Hash: 1c1815eb309e0a3158428e13a0e152789d6769f3edc6b89316c262ebab1d5df5
Instruction Fuzzy Hash: 2E1104723001199FDB1ADB28CD81A6F7297EFC5370F254979EA62DB291E9319802C690

Function 00FF2B79 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction ID: 7db11a0a546e1fce347c68d8d1c80bc8da000f263481f64007130df42ebbf4df
Opcode Fuzzy Hash: e531b1b116e796ede91b05f1854db9c15806d6ee9a8b6133ec4facf08ddfcfd2
Instruction Fuzzy Hash: CC118C72E0565C9BCB229F44D884BBEB7B4FF44760F184096EE00A73A0D378AD40EB90

Function 010166B0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b8274db89351fe07057bd50fb092b2ce1f9956a0ed55b9b257bbbcd32946b7
Instruction ID: 28b3a80e19b6813acba483259ee661a58bec88bfc5c07e763d4672aa61e61699
Opcode Fuzzy Hash: 81b8274db89351fe07057bd50fb092b2ce1f9956a0ed55b9b257bbbcd32946b7
Instruction Fuzzy Hash: E011E376A01208DFCB65CF59DD80A5ABBF4FF84710B0640BDE9859B319E6B9DD00DB90

Function 00FE0AD0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction ID: 7495c763a508cfe0ccc97efa017fab5166c7142ab7f0dd8855c513106f8fb68c
Opcode Fuzzy Hash: a0cb38f11a0ce4d193993f42e92a8429a61735cfa4d33da09d4f786176161830
Instruction Fuzzy Hash: 1F2106B5A00B459FD3A0CF29D481B52BBF4FB48B20F10492EE98AC7B50E771E854CB90

Function 0106E7E1 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction ID: 8b3df985b80004f031c038eb471a661c0a3367890205fab17b1cc57e8fdc481d
Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
Instruction Fuzzy Hash: 0E119E3A600700EFEB61DF49C840B5ABBE9EF45750F058469FA8D9B160DB75DD40DBA0

Function 010027ED Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823b5f8e03b011fbf077edf85f841450b49c27da9f914b1b1d54ce9fe9559f90
Instruction ID: 5eef829056fe421326a6c8925506dbdbf102860bfebb6c04c317d3f61038f6ad
Opcode Fuzzy Hash: 823b5f8e03b011fbf077edf85f841450b49c27da9f914b1b1d54ce9fe9559f90
Instruction Fuzzy Hash: 7F01C875746648EBF317626D9C88F6B7BDCEF40354F0500B5F9828B291D954DD00C361

Function 00FE4690 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f3d5906f81fa974c9edcb47d7f149cb92a9d44eb26ca9f7bebaeafaeaf1790
Instruction ID: 2744fdf3de8a783e33af7c1978c5923bf7ba498e5293670718d24681beb23ba0
Opcode Fuzzy Hash: 52f3d5906f81fa974c9edcb47d7f149cb92a9d44eb26ca9f7bebaeafaeaf1790
Instruction Fuzzy Hash: B611AC36644684AFCB25CF5AD880B567BA9EB86B64F10411AF954CB290C774FC40EFA0

Function 01016620 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d03840d44cfcddfb208c11b086049ce3b7293579584cdcccb3bae2ca26351c
Instruction ID: 8c4c635dbd10a31aa91daf343c937b24b74986865464f5eae204d085c1de503f
Opcode Fuzzy Hash: e2d03840d44cfcddfb208c11b086049ce3b7293579584cdcccb3bae2ca26351c
Instruction Fuzzy Hash: 2C11C272A00715AFDB21DF99CD80B5EFBF8EF88740F510894EA41B7205D77AAD018B50

Function 0100E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: f066a6f41e182ffb9a8da8cfa45e60d894f03b49f2875ba5610e52a77e8f51f3
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: C611E5B22016C69BF723972CC994B297BD4AF00748F1908F0EEC1A7693F729C842C250

Function 0106E75D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction ID: 7c0adc2f05dfa2a6b524a9a7ac8ab292df4d9558b4f89b1b11ccea2ce09c7169
Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
Instruction Fuzzy Hash: F701C03A600305AFEB21DB59CC00B9A7AEDFF40B50F158065FA859B260E779DD40D790

Function 00FDC301 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction ID: a7ddfd1b4b4b94de4a0e73d2050bdff64f6b9191752b3aabb30da1c04d254ecd
Opcode Fuzzy Hash: 778c373ea81032540963c18d56f6d779ce83a666a1fd403f9c7d5110ae95739e
Instruction Fuzzy Hash: 6EF0B4336516339BCB375A598C51B67B69B8FC4BA0B2D4037F2049B344CAA48C01F6D0

Function 00FDA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: a00f362ec6bd6c488375a9ffa8d06bf3cd0bcf0c831c86dd584a269707fe9f6a
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: F2012632904B119BCB308F16D840A367BE6EF55B71708892EFC958B780C331D800EB65

Function 0105E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68c54f317c7ccc55e9c24ad98eeda498025c8689924ef68996fd8b53650fe51
Instruction ID: 22683632c940f859fe314e4301a8117d3524dd91a9894d020ee53c210b0448a4
Opcode Fuzzy Hash: d68c54f317c7ccc55e9c24ad98eeda498025c8689924ef68996fd8b53650fe51
Instruction Fuzzy Hash: 8211A131241640EFDB66EF19DD91F56BBB8FF44B84F1000A5FD459B6A1C635EE01CA90

Function 00FE6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e0927e238128d31b7f8886773188fe2326dfb8097e8e2b011cc34c354dbaf6a
Instruction ID: 87b25ad20a4d95bff14bc4b73596efe684b8f9383b458f64ce8d6670afa657ee
Opcode Fuzzy Hash: 2e0927e238128d31b7f8886773188fe2326dfb8097e8e2b011cc34c354dbaf6a
Instruction Fuzzy Hash: BC115A7194122DABDF26AB64CD52FE9B2B4AF18710F5041D4A358E60E0DA709E81DF84

Function 01016DA0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction ID: 0a471f15ee0fd7c41e916446f0da2a9222a7da75aaedffb2d447f0d6ffeea373
Opcode Fuzzy Hash: 7b57f4f4dfdc694a89b6360ad5c5c3f3bcd20a529a5f65e9c4b2c9bdc8e4456f
Instruction Fuzzy Hash: 560124726042156BEF299B29CC04BAF7FE8DB80B50F044259BA865B294D7FDD880C3E0

Function 00FE208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: 1aaad8a58f5e8de36bc0e621882e7d9c386a6a4adfdba8b8c254a93f90a79af5
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 67014C33A001418BDF558E5ADC80FA2776EBFC4710F1544A5EE41CF296EA71CC81E390

Function 01066050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9856be460b98d6679beb2ba7cd457a6470b471dbd0f9af7f545664f8026cd3ef
Instruction ID: 43163bfb6bcbefe46995a7f34e8ff64f96e6e9f13dccf31f257d518aea7f0b08
Opcode Fuzzy Hash: 9856be460b98d6679beb2ba7cd457a6470b471dbd0f9af7f545664f8026cd3ef
Instruction Fuzzy Hash: 6811177290001DABCB15DB94CC80DEFBBBCEF48254F044166E906E7211EA35AA15CBA0

Function 0106C810 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 354520571b026e7a94a6261e5d2277a1125a0d3671cc0e58c288dedb4551ff89
Instruction ID: 017fa1895eb9649f942514bab356564a602494401f2248710f1ca87eacdba502
Opcode Fuzzy Hash: 354520571b026e7a94a6261e5d2277a1125a0d3671cc0e58c288dedb4551ff89
Instruction Fuzzy Hash: 6A11ECB1E0021D9FCB14DF99D541AAEBBF8FF58350F10806AF945E7351D674EA018BA4

Function 00FDC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 38436471dc789d04714da30ae0b48ef4bb846d459628f242a122845dcf2fda9a
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: 2801B53210070ADFDB2396A9C844FA777EEFFC4350F55441AA586CB680DA74E502D7A0

Function 010220F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db2f63d0fd2956e393e2e5fba8d2891b928eae43092e4f0364ca34f7ba441766
Instruction ID: 2644bb9f9c9ab0dbe6a04deb62ccf5428a0ca734664c942df97f27a8855a06a9
Opcode Fuzzy Hash: db2f63d0fd2956e393e2e5fba8d2891b928eae43092e4f0364ca34f7ba441766
Instruction Fuzzy Hash: 65116D75A0125DEFDB05EFA4C851EAE7BB5EB54340F104099F9419B250DA35AE11CB90

Function 0101E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d104375d85b5bcc042e6dcda182a084ade29a77b3783b779e3af1452066f0634
Instruction ID: b688606815c4519b21d5288d6ea576b7fb750e97d800941434da132772c7671f
Opcode Fuzzy Hash: d104375d85b5bcc042e6dcda182a084ade29a77b3783b779e3af1452066f0634
Instruction Fuzzy Hash: 5601DB71201609BFD751BB79CD41E67B7ECFF44794B050665B60493572DB68EC01C6E0

Function 0106C460 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11855f0d118a32767bc401d67545cf14cf03c6ac81bae008987d24c26a6d72e8
Instruction ID: 7a32477b3ea708e67e342dd81d5b83ecb4bf8618144626b6feea6a7c6c8fc7a3
Opcode Fuzzy Hash: 11855f0d118a32767bc401d67545cf14cf03c6ac81bae008987d24c26a6d72e8
Instruction Fuzzy Hash: DC115B71A0120DABDB15EF68C944EAE7BB9EF48350F004099FD8197350DA35EE11DB90

Function 0106C97C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b2faef327358d82cc3b98c24a689eb37bfd5202c563da6b06bc1f435e7708d
Instruction ID: 7e1434f57b77a7b29e73cb1ce97546c37e74ae6e2c63ddb1509db583083c7085
Opcode Fuzzy Hash: d9b2faef327358d82cc3b98c24a689eb37bfd5202c563da6b06bc1f435e7708d
Instruction Fuzzy Hash: 80115BB16193089FC700DF69D54699BBBE8EF9D710F00855EFA98D7391E634E900CBA2

Function 0106CA11 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 304fdebab4fb2858149bd4e3b489ff064c8c14aafa695a1d60ede7d60c448534
Instruction ID: 175bffbe7fc2c8766ea90ad146d7ee849f26c89d75d3cffbef20bc2de667a7fd
Opcode Fuzzy Hash: 304fdebab4fb2858149bd4e3b489ff064c8c14aafa695a1d60ede7d60c448534
Instruction Fuzzy Hash: 111179B16083089FC300DF69C54199FBBE8EF99350F00855EF998D73A0E634E900CBA2

Function 00FFE016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 601daac003cc87dbecbf3614a7ba869cee59f14e09da4ec162e23af42c08f7ee
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: B0018BB22006889FD322871DC948F3A7BEDEF85754F0944A1FA45CB6B2DBB8DC40D625

Function 01042045 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction ID: 3ddcb64d2c8778919b9638605b2c73ace7480036bb9a04bc9c3b0297663d34a7
Opcode Fuzzy Hash: d070d009cec517deda217c49c1204ab4902f8b4741d5b4904d4d9fbd3867cc99
Instruction Fuzzy Hash: 63019E727083018BE750DF1AD840A2AF7E2EF98710F0449A9F9C9A3261D731DC40D791

Function 00FD826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e587bd9e55fdf16f028ac3b46b57fee576686f4f60ba44e98d094ac0df7473
Instruction ID: 5547137b1a72f25c8e171e2f717ea0135a8136305ef7c82db7b545ef4b01af3e
Opcode Fuzzy Hash: 86e587bd9e55fdf16f028ac3b46b57fee576686f4f60ba44e98d094ac0df7473
Instruction Fuzzy Hash: 3201F772B00605DBC714EB69DD01AAE77BEFF80360F19802AD942D7344EE30DD02D691

Function 01064C0F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0db1bffac8153d60033f8748e0209c156450465d17d8f5b39a02f5f840841ef
Instruction ID: 0a1d86104b63a985a04176474b97111cb89dc0aa67fbfc466614a61ebfcc0152
Opcode Fuzzy Hash: c0db1bffac8153d60033f8748e0209c156450465d17d8f5b39a02f5f840841ef
Instruction Fuzzy Hash: 7C01DF72B00309ABDB219F99D9C0A9DBBECAB88760F010068EA4497305D7B59D048754

Function 00FE2582 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de6fbd9729d24d86a3cab39e446177ba1f4675d4b34f45d71d09ef4a3b7cbef2
Instruction ID: 4f0a85801e28b88c50b68ee2143195713306e5ebd1d3dfb40b44457bc896e626
Opcode Fuzzy Hash: de6fbd9729d24d86a3cab39e446177ba1f4675d4b34f45d71d09ef4a3b7cbef2
Instruction Fuzzy Hash: 5EF0F433A41B64B7C7319B5B8D45F17BAAEEF84BA0F154028B60597650DA34ED01EAA0

Function 0100C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction ID: 8c7b6589bbae6f3707644e522feb23ba59154c412da9bb9064c47949202d7208
Opcode Fuzzy Hash: 186ba59089a022de0fe75da19e9f9a25daa67385135c4d0e061e5f5da52e9a9e
Instruction Fuzzy Hash: 2CF0C8B2600615ABE325CF4DDD41E57FBEADFC1A80F048268F655C7220E631DD04CB50

Function 0101CA6F Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction ID: 7be6bc654c873bf6575738dfe566db1870539426e130eeeabe4ba9a8901f1f90
Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
Instruction Fuzzy Hash: 9A0181322406899BE363965EC905B5ABFD8EF41758F0980A6FE848B6A2DA79C900C651

Function 010620DE Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84311df96d431af9a448b49e93fe73fa551a4c8dd032f857569c4b3774068e6
Instruction ID: 055d4d2aa72c77f78efd3dea992345348a1651304e87759cc3e4c08b938c9f5c
Opcode Fuzzy Hash: f84311df96d431af9a448b49e93fe73fa551a4c8dd032f857569c4b3774068e6
Instruction Fuzzy Hash: B7F02274640309ABE724E60CCD07FDA37ACFB40B04F100069FB80BB2C1D2B0A910DA82

Function 010663C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction ID: 94745306c6d0e23b9ff8d6d0fee768791414ac32f31910d2280dddf1a4209952
Opcode Fuzzy Hash: b8876ef4560123714944e026a14010e42f3722aa8b4e83154c385705386cccce
Instruction Fuzzy Hash: 4FF0127210001DBFEF019F94DD80DFF7B7EEF55298B114125FA1192160D636DE21A7A0

Function 00FDC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6e711cfcbac5c3350f8b853ac4ad259d3c43f92f74463b5bf2042eacaa18cf
Instruction ID: 062f2cf3c71332e747abb5a42e0e4725d2ed76bd23c529e24f1d6fcafe000dab
Opcode Fuzzy Hash: af6e711cfcbac5c3350f8b853ac4ad259d3c43f92f74463b5bf2042eacaa18cf
Instruction Fuzzy Hash: 21F0BB727043525BE764A6169C02B62329BD7D0761F2D8077E6058B7D3F971DC01E7E4

Function 0101656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0173266682f720eb6fe2289f9197da0647ae87335453550d61d5e81b1efaa5e6
Instruction ID: cf20c3df54c5bb89cebd8db0a7189d19004781fcbba233690e1b059facc593ba
Opcode Fuzzy Hash: 0173266682f720eb6fe2289f9197da0647ae87335453550d61d5e81b1efaa5e6
Instruction Fuzzy Hash: C80144702416859BE3B29B6CCD49B6A37E8AB40B44F4845D0FE81CB6EFE7ADD541C610

Function 0101A5D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 453aa4f3572e1969d7b5f054a9687d2e8de5d3391ad874bd56dc86d5030da643
Instruction ID: b74ef76add5f712e52def4be399f5d6c11b43983b1b99f4dbdba7029a4f8e6ca
Opcode Fuzzy Hash: 453aa4f3572e1969d7b5f054a9687d2e8de5d3391ad874bd56dc86d5030da643
Instruction Fuzzy Hash: 7501F4B2245740EFE311DF14CD45F5677E8E798B25F048939E688C7194E739E804CB46

Function 00FF0218 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249b9a04e91768f9f8d3c655b25b4971d8228f348063c1fa0e9d5862b86502e5
Instruction ID: 26dfa767b7ea219dc5f471ad09646a94471bb3339dcabf5c982417ee67c42516
Opcode Fuzzy Hash: 249b9a04e91768f9f8d3c655b25b4971d8228f348063c1fa0e9d5862b86502e5
Instruction Fuzzy Hash: 06F09AB1D42708CFE3669F54C80473077A0BF01710FA2016AE6818F2B2DF7AAC44EB62

Function 0106E872 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction ID: b68e2089ae9734e7395c6789e011d7057f7e49e312b34a170f3a06c4a63196c5
Opcode Fuzzy Hash: 8131d6dfb1e0f05e7222055ba00f4a0047b676927548f67fe4833d003efa681a
Instruction Fuzzy Hash: A3F05E367117129FE721DA4DDC80F16B7ECAFD5A60F6A00B5A648AB260C760EC0187E0

Function 0106C89D Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c707e53d2463e4b6fe27d86f1a32f6b9af9b3c827871d11c5a9be53a5ff7122b
Instruction ID: e161c8c32958b7d498956a23739a29c9cc66b329817681d7f3b8b6893bd6b06f
Opcode Fuzzy Hash: c707e53d2463e4b6fe27d86f1a32f6b9af9b3c827871d11c5a9be53a5ff7122b
Instruction Fuzzy Hash: 4CF0A4706053089FD310EF28C541A1EB7E4EF98710F40465AB8D4DB390EA38E900C756

Function 00FF266C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65baa8fc20357ad384835db89ebad307f3c597e38ffc9a229501467d8e96e3cd
Instruction ID: 98de220e3cbcb6d61f57d35b05e24bfc19f4f82824680cb098d3e899c182390c
Opcode Fuzzy Hash: 65baa8fc20357ad384835db89ebad307f3c597e38ffc9a229501467d8e96e3cd
Instruction Fuzzy Hash: 75F0F0727146458FC352CF6DD841766B3E4FF46311B0441B6F984C7202E738D912CB90

Function 01010854 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction ID: db7c291f941365076f4e213d35a1d0ff58d3c2a937af8a0664bb9ea27d8a3434
Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
Instruction Fuzzy Hash: 04F02472604204EFE314DF21CC01F56B6E9EF9C340F148079AAC4C7268FAB4DE41D654

Function 0106C912 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3079046874842456987dbd02b2cae4df9000a749f081e03e6964d9707277622
Instruction ID: 9bd231ef74498e4c7301a63b8cb549da0c780c0f12058c42d9db2a5ba37fbf30
Opcode Fuzzy Hash: f3079046874842456987dbd02b2cae4df9000a749f081e03e6964d9707277622
Instruction Fuzzy Hash: 6CF04F70A0124D9FDB04EF69C555AAEB7B4EF18300F508059B995EB395DA78EA01CB60

Function 00FE47FB Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1846b6cb5d26732ff794be22885e07e44d7bf5d5157fb81205f0543976b1d59f
Instruction ID: 74433202fd2bd715773237b8ca54501540aaf0d29a11ea6d64ed74af21df049b
Opcode Fuzzy Hash: 1846b6cb5d26732ff794be22885e07e44d7bf5d5157fb81205f0543976b1d59f
Instruction Fuzzy Hash: 97F02E32C062E08FD732CB6AC054BA1B7C4AB10730F1C896ED49983102C328FE80E600

Function 0101C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba69c94751c177838e7fac9d2afe6d4beaf66f075fdf13ea18fe73969f8ad7db
Instruction ID: df02a6b072d26cd892bd82144bb93f4fa370c7006a44bd92c81f21343ae63149
Opcode Fuzzy Hash: ba69c94751c177838e7fac9d2afe6d4beaf66f075fdf13ea18fe73969f8ad7db
Instruction Fuzzy Hash: E8F0E2715916909FF3A2971CC348BA97BE8BB487A0F08ADA5D58AC7517C36CE880CA50

Function 01022619 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction ID: 4a0bdb52d33267e203685d7b5878d21649285d316b20682e4394b6aa08331ee2
Opcode Fuzzy Hash: 45c25d90bbb005ca3a51a0e548ad18c23c0ce8c105f3add510330fe6c677b30c
Instruction Fuzzy Hash: 3BE0D872300A112BE7219F59CCC4F577BAEDFD6B10F040079FA045F252C9E6DD1982A4

Function 0101CF80 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction ID: 3205898be802f2598a15b789552d676084789c8ef4c5549ff4c2240c952e00b4
Opcode Fuzzy Hash: 0f2503cf4af7cb7b09027b56ae64a80349c60eadc7eba6a9026732afcc48f9fb
Instruction Fuzzy Hash: 1BF0273220410AEFEB029B5ADC04E9EFBAAEF80710F048016FD848B222D735E861C710

Function 0105035C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction ID: 8a89519a9c541f73ec158357a09b045888dad7a550905eaca9ad8f0011403181
Opcode Fuzzy Hash: d686609aa5636bbeb8eb45ce840330d6a3fe488abb698859fe5c2a4ac7472896
Instruction Fuzzy Hash: 83F01D31259AC2DFF3779B1CC848B1A3BE8BB01B60F1943D0B9A18B6E6D7689940C605

Function 010501DA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction ID: 430ac6e4988c80000ea70b063d10ed512369eaf009da1bf4b2ed5ca8e4bf624d
Opcode Fuzzy Hash: 695efabd4245ad5634dfe4a889b4c53fedba2a3276a13ee318552dc71ff97b6c
Instruction Fuzzy Hash: 3AF0F974604B82DFD3A1CFA8D551B5AB7E4FF58740F00466AF594CB6A1D778E840CB11

Function 00FE0710 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction ID: 1f69a7f707823e37286a32b4c5f535c42d204a0d861f55cbc83c302255e06c1a
Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
Instruction Fuzzy Hash: 28F0E53A204384DBDB16DF1AD050AA97BE8EB41350B100094E8828B351DB75F982EB50

Function 010149D0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction ID: aa70838993ea44fdf2fa8ca4c4e8c6f63f5b593c0d2ada438d1efe195bc3f110
Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
Instruction Fuzzy Hash: 2AE0D833244645ABD3211A59C801B6A7BE5DBD07A0F970429F280CB174DB78DC40D7D8

Function 00FDEC20 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction ID: b28917b9479e6af7edee6f511873642ffc1e27526b731b5a441a9c229839f736
Opcode Fuzzy Hash: b2902f53431a9e488bb3a35122719d683f2200cde1b251d880592bb7dfab3b44
Instruction Fuzzy Hash: A0F0E531124288AFEF19EB00C845F55379AEB10334F08851BF4188F692CB74DD84EB04

Function 01064CA8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction ID: bd9daca79d60caeca4590c5ba4d51f63ad02423d4344d7f6f758e104f5d44689
Opcode Fuzzy Hash: 43eecd3c08fe7f7df93ce42b225f7ebba8bd63f8cfa5a27548bae60b679425d2
Instruction Fuzzy Hash: 7CE0263320014666EB31736A9D08FD37F9AEF80BB0F140035B689C7590CF25C431D250

Function 00FE25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c839e417a81c85c2950ac8969203ff53f82762ba1f70a91a2528cf0872be5b3b
Instruction ID: c3320339807f9a1debf39e8a737f17a82d1c57b9aebd71016264a382f117a068
Opcode Fuzzy Hash: c839e417a81c85c2950ac8969203ff53f82762ba1f70a91a2528cf0872be5b3b
Instruction Fuzzy Hash: E8E092321005949BC722BF2ADD02F9B779AEF94360F014529F155571A1CB39B910D784

Function 01064000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 8dec4113df36827c642b9b1826ce3528c097adffdbecfea078ee8c8be920fe77
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: 1DE0C2343003168FE755CF19C044B627BFABFD5A10F28C0A8A9888F305EB32E842CB40

Function 0101CA38 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b1a18ee74a980acfa030aa4c6f970a27223faddb6a774bfde70c8b6f0dfaa4
Instruction ID: 2f979d52912697403ab17f1c27f755422d45ce14be666fe0a91b366d0ade0dd2
Opcode Fuzzy Hash: 43b1a18ee74a980acfa030aa4c6f970a27223faddb6a774bfde70c8b6f0dfaa4
Instruction Fuzzy Hash: 01D02E334C20306AEB77F228BE04FE33A99AB40764F0648A0F688E2029D52CCC8192C4

Function 0103E1D8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction ID: f82365382b3cdce8c31e4d8e10d00d56f396710f01a93e0a82f5a7955ef911c5
Opcode Fuzzy Hash: 1fa6682665435e3bf81aac6b3c1c2a3abb7dabd95150390b2ab7a04d4b5ac629
Instruction Fuzzy Hash: 21E08C722145509BD201960CD890D3BFBEDFB88201F100266F885D3610C229AE219BA1

Function 00FD823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction ID: ccef759ff80ddaf180881dc03d44399ef3835888af36fabb7d8fb273750055f1
Opcode Fuzzy Hash: 0dde1fb00fd2b926610cb540773fb9450d19403d8368e537e34001dc73afbaa9
Instruction Fuzzy Hash: 3BE0CD32500520DFDB322F15DC01F5176E6FF64B51F25485AF0C1161A48B745C82FB44

Function 00FD8C8D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction ID: da88e2a90561cbb58d8d169665f2532ffc4f8ecf60800ad91f8af6f7bfa8d08b
Opcode Fuzzy Hash: e6a1cdd19ba1a5464da095337881f18fe8733fdfe244ff243a2ac1a8627d2a69
Instruction Fuzzy Hash: 30E07D31051630DEDB316F02ED00F5276F6BF50750F14442AF042055B0CF74AC82F650

Function 00FE2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1a7da9531524a6f10fc09594cbf06d2afdc41047d04c06138a46f4915aa40a
Instruction ID: d8101e7e8bfede622f20139d518ae5228f9a21a7fd0b37c264eea58f57058f65
Opcode Fuzzy Hash: de1a7da9531524a6f10fc09594cbf06d2afdc41047d04c06138a46f4915aa40a
Instruction Fuzzy Hash: 09E08C321004946BC611FA5EED12E5A739EEF94360F010225B150972A1CA29BD00D794

Function 01018A90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction ID: 3955de86e663fe53303fbe44addf806ed2e6414fd0bb88293782af2dd9799652
Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
Instruction Fuzzy Hash: 74E08633111A1487D728DE18D511B7677E4EF45720F09863EA65347784C634E644C794

Function 00FE2324 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction ID: d095ce8c35a26ddddb1280ed0f6a91a4fd719da033a3ff019b2e764d3fa88dc9
Opcode Fuzzy Hash: 30376b8f6942b512d21a7ff22882938c19e04cf1545c63af249bf3b6d6559961
Instruction Fuzzy Hash: 3AE04F3185018A9FDF579B59CA54BA9BBBAFB88300F550094E44432161DB385950DB50

Function 00FDA740 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction ID: 862d5600ab9fad6c78de103e981aee51e2685805d9efb81367241bf12244c3ec
Opcode Fuzzy Hash: 80a23e6447b73173346f2999f4b3a87c02860673b62991cded2a1bd378972dde
Instruction Fuzzy Hash: B4E08631500445EFEB579B56C954FA9BAB9BFC8300F040456E14476562C728A890EB54

Function 01036AA4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction ID: 7d070f8408e737dbffcb608b93d4c00577b6abef139a684db1f2ddfca17c6532
Opcode Fuzzy Hash: fb32f8a4abc51be972f9ddb29922803d5ff50af5a24517df2a19369e20eb1f2c
Instruction Fuzzy Hash: ECD05E36511A50AFC7329F1BEE00C13BBF9FFC4B10706066EA54583920C671A906DBA0

Function 0101E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction ID: 5b492bffab929dea0a8ec6037eeb5ad44dc233302300b1ab1b034284402006d0
Opcode Fuzzy Hash: daaa7d3009ea744d07f9e08accc962f8ae29a2b4d64e956cf5d4d68ea4780215
Instruction Fuzzy Hash: 65D0A932204620ABDBB2AA1CFC00FD333E8AB88760F060499B008C7061C364AC81CA84

Function 0105E908 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction ID: bec390ab46fb634e04cb35dc0b2adf515200db7a45b77998b8525998d4743ce5
Opcode Fuzzy Hash: ca9a9a0ba620b78d8a2c60997a25aa35dfde848f9b98ee4321ba6aa288af4782
Instruction Fuzzy Hash: DCE0EC35950684ABDF92DF59DA40F5AFBF5BB84B40F150494A5886B661C628AA00DB40

Function 00FDA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction ID: c6ead05cba39c75d8448e606fb4acc1192f43838320a3fa78564736135a0ff7c
Opcode Fuzzy Hash: 6fae157940f5a138273a1c795e13f34e5419f85a62f40bfb8e3377858a39b448
Instruction Fuzzy Hash: 72D0223321603093CF2856606C14F6379069F80BA0F1E006E340AA3A00C0088C42F6E4

Function 0101A830 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction ID: 6ac73228a0e003d8b7eefea19a62c965dd8ba1ce5cbcd67ca8801ea6034f8b26
Opcode Fuzzy Hash: 0eb8aa549dbf07f54bc0b203a27983cb9c38d34c775957e4477bfa26f88d2c7e
Instruction Fuzzy Hash: 01D012371D054DBBCB119F65DC02FA57BA9EB54BA0F454020B604875A1C63AE950D584

Function 0101CA24 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: befec7ac20c2b3a20e89185c4d95f80a9f7e4194dd3e4a6e10697195c9e3408f
Instruction ID: d843a8b62e1558cd90113e8949baf077d744d6ff147f52c80ade7c341c16ec3b
Opcode Fuzzy Hash: befec7ac20c2b3a20e89185c4d95f80a9f7e4194dd3e4a6e10697195c9e3408f
Instruction Fuzzy Hash: 46D05E315450418BEF57CB09CA1492E3AB0FB04640B8000A8EFC051020D72ED801CA00

Function 0101CF50 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85153ab6f71a205a1358ec9e632102a5f508bde325e54b35591b749372c9cf0
Instruction ID: 8fdf477e44c255c20749de30ab1f5f4b360ab0fbdd0db55f7dcc75c9aa624b0f
Opcode Fuzzy Hash: c85153ab6f71a205a1358ec9e632102a5f508bde325e54b35591b749372c9cf0
Instruction Fuzzy Hash: 6AD0A732000148ABC711EF09DD41F153BAEEB98740F010020B50447222CA35FD60D648

Function 00FF02A0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction ID: e2b8565b1b29974c669f97b42b4cc57f6fdef9e5d7796cc862703e2d82446e5c
Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
Instruction Fuzzy Hash: FED0C975652E84CFC71ACB0CC5A8B2533A4FF44B44F8504E0E541CBB32DA2CDD40CA10

Function 0101CF1F Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71c5a6504a3476c8a04c4bd1fb6ead82f54563736e24c1388d141ec5b2b2c43a
Instruction ID: 42feef53f7a6ea651de55626e521187fd631f1119d87f4a161af60aa9394f400
Opcode Fuzzy Hash: 71c5a6504a3476c8a04c4bd1fb6ead82f54563736e24c1388d141ec5b2b2c43a
Instruction Fuzzy Hash: C4D05E72151440DFEB2ACB08CE46F2677E4FB00704F4540BCA1458B925C72DE900DB40

Function 0101C700 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction ID: 288df94414747e0f3ea600a2fbf54c75209c999922a2e63ad1d59faf98d3a176
Opcode Fuzzy Hash: 4437e647b2b4e703394cfa8271e7a9dde31e81d5545b5ce8aedd04872345699a
Instruction Fuzzy Hash: 47C08C33290648AFCB12EF98DD02F127BE9EB98B40F010061F3048B671C635FD20EA84

Function 00FDE0D0 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1252cdb67b9b7deb422a15b9c4ad0fa4fbb55e87a7b00adbb86d222eb1022d37
Instruction ID: f4b2f1048fd0d7734b6b8f72f228aaa6c1768fba5223d60bb58788edb8c64073
Opcode Fuzzy Hash: 1252cdb67b9b7deb422a15b9c4ad0fa4fbb55e87a7b00adbb86d222eb1022d37
Instruction Fuzzy Hash: A2C04CF3B11190AA8714EB619905B76758B97D4301F49C06AB195C6249DE3FC4019A25

Function 01000310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: fa2dc1c3df4c8347b6fe0c25406f2ccc7458cef33b62c3b329888632b65876c5
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 0BD01236100248EFCB02DF41C890E9A772AFBD8750F108019FD1907650CA31ED62DA50

Function 0101C7F0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction ID: 56157c0db7d6d7204d7fd821fca21c1d2593747ef9acc884a19a489808d7f234
Opcode Fuzzy Hash: 2a93b78b4f3aab30918e7eb6a748612c734bffc3b04e31a2f267280f2c313703
Instruction Fuzzy Hash: C5C002343016498FCF52CB29C685A5D77E4AB45740B4984D0F944DB722D664ED019B00

Function 00FE0750 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction ID: 3354dbfbfe93dbc28cc3fcde93fd2548ad994f1f7d0d08ace59ac66fa87b8ae9
Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
Instruction Fuzzy Hash: 36C08838300A088FCF02CB2AC280F0833E8FB80300F0008C0EA00CBB22E228E802CA00

Function 0101C68B Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ffa61c071e8a77c30fd2afca0e598a6106ba30edebe979677bfd77968deeab
Instruction ID: d2f2ab81b814ace31916cbc7c2a67efbe6955c90d9ab813fc7f300699827066a
Opcode Fuzzy Hash: c0ffa61c071e8a77c30fd2afca0e598a6106ba30edebe979677bfd77968deeab
Instruction Fuzzy Hash: 0AC09232152450AFCB22EB08DE92F123BA9FF18794F8500A0B244D2572C62EE920DB54

Function 0101A060 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction ID: c391b9be899f385b4e931259a79fe9c22c5d70f3d3599ac4553eb1af114e1e4c
Opcode Fuzzy Hash: 75e1cf65d9f8c0e9fa4e3eee3b949005c21d4aa932b739b658db39a27f3808d6
Instruction Fuzzy Hash: 59B012730214C09BC71A6B05FD00E013765E7C8730F350468B006478614A28DD11E504

Function 0104634C Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction ID: df680b053bba5605a8e36b905455f1bb0a5eeceeb2a07142aaa3baf712329d16
Opcode Fuzzy Hash: ab27d0e19bc8b3d3cc183f932446174a87e1dae8b67ccaab3f7db6ffdfc867e2
Instruction Fuzzy Hash: E0B011B3202880CBC202CB88C088B2033A0FB00B80F0000A0A002C3A22C228E800A802

Function 0101A950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction ID: 94480b3422fb0c9b4c5a2a04804064340c851a384b9de49bdeee9d031f19336c
Opcode Fuzzy Hash: 581a630ff1c3e78aa7bd7181688fc29c6c476f27700cb95cafc8dc3a50891ae5
Instruction Fuzzy Hash: DCA011320208C08BCB22AF00CA00A00B220BB80A00FC000A0A00002822822C8800AA00

Function 01042BF6 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction ID: 442e760dea9fc7e7c2207da3e85308cf668a66d8fb1d6e4fac9bcfee82de4ab3
Opcode Fuzzy Hash: fb6497d98dbca5d8ab111afa168aff7ee6b11b9e5a0af3185f73636f9294bcf1
Instruction Fuzzy Hash: E7B011B2202C80CBC203CB08C088B0033A0FB00B00F0000A2A80283AA2C22CEA00E802

Function 01010A50 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction ID: c3c4684d31a626166b0fe44ccff0c7f71f4ec95fc895d90542546019d225ded4
Opcode Fuzzy Hash: 3b0b307c3be0d404b29e4e027334f1b7dbcccb1ed22bba2e199e3f74ee91561b
Instruction Fuzzy Hash: 12A0223B0A0880CFCB03BF00CA00F003330FB00A00FC080A0B08283838C22ECC00CA00

Function 01024A80 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 51timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01024A8F

Strings

0Iv, xrefs: 01024AD0, 01024AD5
0Iv, xrefs: 01024B04, 01024B09
0Iv, xrefs: 01024AFA
0Iv, xrefs: 01024ADA
0Iv, xrefs: 01024B14
0Iv, xrefs: 01024AEA, 01024AEF

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Iv$0Iv$0Iv$0Iv$0Iv$0Iv
API String ID: 3446177414-2083360775
Opcode ID: aa860a1dea6684a8658d68b34b3350ae2c0f69ec6406a763119275a5949d6ce2
Instruction ID: 61ee4e25a66d7ddadd639233a78acb0461886cf80c62351f7ad976b8b999cf5c
Opcode Fuzzy Hash: aa860a1dea6684a8658d68b34b3350ae2c0f69ec6406a763119275a5949d6ce2
Instruction Fuzzy Hash: 44017136E062216ED7759E38B8047863EE1B789728F05419AFDC8DB289D77A4C41D790

Function 01022890 Relevance: 9.2, APIs: 6, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0102293C
___swprintf_l.LIBCMT ref: 0102295E
___swprintf_l.LIBCMT ref: 010229A3
___swprintf_l.LIBCMT ref: 0105A52E

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID:
API String ID: 48624451-0
Opcode ID: d761064f69be406982e979547c51074e4a8b1ba005ee8116fca2292713fb77fa
Instruction ID: 7274b9b94156da34496bbc86cd4cdb2e855328443ccf3c84d955e3d379e37990
Opcode Fuzzy Hash: d761064f69be406982e979547c51074e4a8b1ba005ee8116fca2292713fb77fa
Instruction Fuzzy Hash: DD5107B2B04126BFCB61DB9C888097EFBF8BB49244B548269F5D5D7641D374DE008BA0

Function 00FFA250 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 404COMMON

Download Yara Rule

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010479FA
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 010479D5
SsHd, xrefs: 00FFA3E4
RtlpFindActivationContextSection_CheckParameters, xrefs: 010479D0, 010479F5

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
API String ID: 0-929470617
Opcode ID: c792ae78fad209c0169f5c1fe4e82245d16036ca77007da9b88f1500985ad049
Instruction ID: a5f70be30f2a971eadaaf0126f2d02ca97bd360f913521d68c883379054c9e51
Opcode Fuzzy Hash: c792ae78fad209c0169f5c1fe4e82245d16036ca77007da9b88f1500985ad049
Instruction Fuzzy Hash: 46E1B5B1A043068FD724CF28C484B7AB7E1AF84364F184A2DEA99CB2A1D771DD45DB53

Function 00FFD770 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 372timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0104948C

Strings

SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 0104936B
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 01049346
GsHd, xrefs: 00FFD874
RtlpFindActivationContextSection_CheckParameters, xrefs: 01049341, 01049366

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: GsHd$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
API String ID: 3446177414-576511823
Opcode ID: f0ac834e42dd5f5bce895dffa559228b6ac23ee474e32daffcb22646ec622f7d
Instruction ID: bbe88073b6f84766446d1f54d79a302aad70939382a0ae7975d056c1f2600dc8
Opcode Fuzzy Hash: f0ac834e42dd5f5bce895dffa559228b6ac23ee474e32daffcb22646ec622f7d
Instruction Fuzzy Hash: A8E1C171A043068FDB20CF58C4C0B6BB7E5BF89318F144A7DEA958B291D7B1E944DB82

Function 0102B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0102B6BF

Strings

+, xrefs: 0102B65A
0, xrefs: 0102B66F
0, xrefs: 0102B695
-, xrefs: 0102B650

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction ID: f923538ffa2548f97496163c74099301c4727e4bd009c514bc7fb3a5ab891f94
Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
Instruction Fuzzy Hash: 2981E230E052698EEF25CE6CC8947FEBBF1BF45320F18419AD8E5A7291C7748841CB51

Function 00FE9126 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01042559

Strings

@, xrefs: 00FE9175
$, xrefs: 00FE9191

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$@
API String ID: 3446177414-1194432280
Opcode ID: de1d0d3910a89ea0433fba554e9a99f57462401689673f050f9161ff3d45f616
Instruction ID: 7419e2bbc65248ac412457204fa55ce27a417e36ff12945aa91cf081b31b4ab0
Opcode Fuzzy Hash: de1d0d3910a89ea0433fba554e9a99f57462401689673f050f9161ff3d45f616
Instruction Fuzzy Hash: 9D812AB1D002699BDB31DB54CC45BEEB7B8AF08750F0041EAEA59B7280D7759E84DFA0

Function 01024960 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 010249A4

Strings

X, xrefs: 010249F0
0Iv, xrefs: 01024A23
0Iv, xrefs: 01024A13
0Iv, xrefs: 01024A03

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0Iv$0Iv$0Iv$X
API String ID: 3446177414-728256981
Opcode ID: 488224923564ba27df5e2f9315a8d3e37552a38181d90b7235886af8483b524b
Instruction ID: 9381a8743610ee9122e6a8ebb12bdbfba7420377db561a8e884e39943c5ccbee
Opcode Fuzzy Hash: 488224923564ba27df5e2f9315a8d3e37552a38181d90b7235886af8483b524b
Instruction Fuzzy Hash: C931B13590131AEFCF22CFA9D840B8D3BF5AB88758F0A8059FD84D6241D3798A50CF85

Function 0100DB00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0104F611

Strings

RtlUnlockHeap, xrefs: 0104F65D
, passed to %s, xrefs: 0104F662
Invalid heap signature for heap at %p, xrefs: 0104F653

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
API String ID: 3446177414-56086060
Opcode ID: 82f77f3df46a02b8dfc9d12d2fd021568b9ae0a7e3d2147cb8ad2a8f15bbe453
Instruction ID: 90a55ace42cce61512d0c2411eefb0e56980bfb7b18b1dc1e7aea7f900f1d5b7
Opcode Fuzzy Hash: 82f77f3df46a02b8dfc9d12d2fd021568b9ae0a7e3d2147cb8ad2a8f15bbe453
Instruction Fuzzy Hash: EC413A71600742DFE722DFACC495BAAB7E4FF44724F1441A9E581877D1CB789880CBA1

Function 0100DBA0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0104F757

Strings

RtlLockHeap, xrefs: 0104F7A3
, passed to %s, xrefs: 0104F7A8
Invalid heap signature for heap at %p, xrefs: 0104F799

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
API String ID: 3446177414-3526935505
Opcode ID: 05edc5af47b1fdb7b4177b332e34aa62e11e793d846e93ef6345ffb56602d8ad
Instruction ID: 76f628eeda02a6bfc3e9441f168ded6db3fa1355b87f1a932cf6adc92182ec10
Opcode Fuzzy Hash: 05edc5af47b1fdb7b4177b332e34aa62e11e793d846e93ef6345ffb56602d8ad
Instruction Fuzzy Hash: 1631E730105785DFE762DBACC85AB997BE4FF01750F054099E48687692C7ACA480C722

Function 00FDC070 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FDC0B4
RtlDebugPrintTimes.NTDLL ref: 0103D623
RtlDebugPrintTimes.NTDLL ref: 0103D651

Strings

$, xrefs: 00FDC07C

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: b0f8b4614b7976f94e8a8e94a2d3d8bacd385ddb8c22328a4417b46a0df26705
Instruction ID: 03fbc7ad5be6f8ac13dae75321fd378993b59083a0fad7aa253886a1a2a65b2c
Opcode Fuzzy Hash: b0f8b4614b7976f94e8a8e94a2d3d8bacd385ddb8c22328a4417b46a0df26705
Instruction Fuzzy Hash: BB116536905219EBCF159F64D8486DC7B71FF84364F108519FD66672D0CB765A00DF40

Function 0105EF50 Relevance: 6.2, APIs: 4, Instructions: 187timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0105EFE1
RtlDebugPrintTimes.NTDLL ref: 0105F009
RtlDebugPrintTimes.NTDLL ref: 0105F0AC
RtlDebugPrintTimes.NTDLL ref: 0105F160

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 4595c06a4465e057f8279e85da36bc35c2b44a8d5dc9cba1ea39b34437ccd9ce
Instruction ID: b0a93ba867fa057906b38bb4c98e27eac5ac5ddee23891148ba6ad9b5c92e59e
Opcode Fuzzy Hash: 4595c06a4465e057f8279e85da36bc35c2b44a8d5dc9cba1ea39b34437ccd9ce
Instruction Fuzzy Hash: 43714771E0121A9FDF85DFA4C884ADEBBF5BF48314F04406AE945EB254D738A901CFA4

Function 0105F1D6 Relevance: 6.2, APIs: 4, Instructions: 150timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0105F26D
RtlDebugPrintTimes.NTDLL ref: 0105F292
RtlDebugPrintTimes.NTDLL ref: 0105F324
RtlDebugPrintTimes.NTDLL ref: 0105F378

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7c56aac8babbab01af8499189de525e70a9c8722d5d306ba16408ab9172af018
Instruction ID: 7ff76ab2ebe87dbc6fdaef3a20adc5fbdfa27ecfd18b627948262dfa9784dd9d
Opcode Fuzzy Hash: 7c56aac8babbab01af8499189de525e70a9c8722d5d306ba16408ab9172af018
Instruction Fuzzy Hash: CF5143B6E0121A9FEF48CF98D844ADEBBF1BF48354F18816AE945BB250D3389901CF54

Function 01017B2F Relevance: 6.1, APIs: 4, Instructions: 81timethreadCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 01017B52
BaseThreadInitThunk.KERNEL32 ref: 01017B5C
RtlDebugPrintTimes.NTDLL ref: 010549ED
RtlDebugPrintTimes.NTDLL ref: 01054A70

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes$BaseInitThreadThunk
String ID:
API String ID: 4281723722-0
Opcode ID: 65108b233915fdd16c78ba42318aae85c0064310abee62af26cdc9db2016654f
Instruction ID: 9d5462a3398e12f3fd6454d5e8ce4f171f36257f92dbb9b70fc3d96f4b859495
Opcode Fuzzy Hash: 65108b233915fdd16c78ba42318aae85c0064310abee62af26cdc9db2016654f
Instruction Fuzzy Hash: 64313475E012199FCF65EFA8D844ADEBBF0BB48720F10412AE851F7284D7365940CF54

Function 00FE59C0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

@, xrefs: 01040AA7

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 52e20e9c9f0c14ba683b1852524de9b64e2c67d298ac3876ff679adade67c732
Instruction ID: 5318669c0d3c309ef13fe5d664707960402c32b67c2aa5a6dafb1e67ab4a1756
Opcode Fuzzy Hash: 52e20e9c9f0c14ba683b1852524de9b64e2c67d298ac3876ff679adade67c732
Instruction Fuzzy Hash: 00326670D046A9CFDB21CF65C884BE9BBB0BF18718F1041E9E549A7242D7B49A84EF91

Function 01027D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01027E8B

Strings

-, xrefs: 01027DDD
+, xrefs: 01027DE8

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction ID: 553860277fa63db38302bbca2a5a015d41daf9a16df06004f680005c9c274587
Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
Instruction Fuzzy Hash: 7F91C171E0423A9BEFA4DF6DC881ABEBBF5AF64320F14455AE9D5A72C0D73089408721

Function 00FFD02D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 240timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FFD3A4

Strings

Bl, xrefs: 00FFD48C
l, xrefs: 00FFD46B

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: Bl$l
API String ID: 3446177414-208461968
Opcode ID: 38cef9113e80ade821640b5b2badd8d00a3f08f40080608347861d988547fc22
Instruction ID: 22cef648a5b639e0d4fbf1d41bdce81ab70d1d7bff104f5bd20343be4ce97762
Opcode Fuzzy Hash: 38cef9113e80ade821640b5b2badd8d00a3f08f40080608347861d988547fc22
Instruction Fuzzy Hash: 88A1BF31E0132D8BEB31DB54C890BB9B7B6BF45314F0440E9DA49A7260CB75AE84EF52

Function 01025DA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 01025E34

Strings

pow, xrefs: 01025E0C, 01025E29

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 71d82ba76a11c47d8408f8c3932b5094bfafe874031022ada50340a63342c5ee
Instruction ID: c498e9ad5a8d01e47589898e1f374ca0dd77b1cb14a080e238b2af076797ac33
Opcode Fuzzy Hash: 71d82ba76a11c47d8408f8c3932b5094bfafe874031022ada50340a63342c5ee
Instruction Fuzzy Hash: 81519C7090862696EBA6771CCD413FE7FD4EB00700F20CD98F4D686299EB39C4949B4A

Function 0100D7B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0100D959

Part of subcall function 00FE4859: RtlDebugPrintTimes.NTDLL ref: 00FE48F7

Strings

$, xrefs: 0100D86D
$, xrefs: 0100D900

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $$$
API String ID: 3446177414-233714265
Opcode ID: 87f89ec25b849231a9f83d78b87a55af05c7f8e09b634fcf5e159ea4e772947e
Instruction ID: e8beb5c7e48b5a2b55ce8437d3e1a62967101e8a76711cc7d1cad29434a4d829
Opcode Fuzzy Hash: 87f89ec25b849231a9f83d78b87a55af05c7f8e09b634fcf5e159ea4e772947e
Instruction Fuzzy Hash: A8513371E003469FEB22DFE8C8847ADBBF2BF44304F144068D8856B2C1D779AA41CBA0

Function 0105FD82 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0105FE73
RtlDebugPrintTimes.NTDLL ref: 0105FE95

Strings

$, xrefs: 0105FE3D

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: $
API String ID: 3446177414-3993045852
Opcode ID: fc945cea78d3f10b6ecbbb0d285acf3d28e53baf607ad058702c0af0e9701dd4
Instruction ID: 79890ac4f00f69c1fd514666839a5170c95c60225e8fe75edf763cd4666fdc50
Opcode Fuzzy Hash: fc945cea78d3f10b6ecbbb0d285acf3d28e53baf607ad058702c0af0e9701dd4
Instruction Fuzzy Hash: 43418EB5A0120AABDBA1DF99C980AEFBBF5FF48704F140059ED80A7341D7759911DBA0

Function 00FDDF81 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 00FDE040

Strings

0, xrefs: 00FDE00B
0, xrefs: 00FDE020

Memory Dump Source

Source File: 00000009.00000002.2149435564.0000000000FD6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FB0000, based on PE: true

Associated: 00000009.00000002.2149435564.0000000000FB0000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000000FB7000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001036000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.0000000001072000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D3000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000009.00000002.2149435564.00000000010D9000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fb0000_MSBuild.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 92cf1b7442ffb58dc6a86a422a037729b6236081944d878ad889e572ac28d0da
Instruction ID: b864a7f4469ef8599d6a8aa67d706ae614b9f70735cddc22cf3679bb127a2cca
Opcode Fuzzy Hash: 92cf1b7442ffb58dc6a86a422a037729b6236081944d878ad889e572ac28d0da
Instruction Fuzzy Hash: 20418DB2A087069FC310CF28C484A1ABBE5BF88314F08496EF989DB341D775E905DB96

Analysis Process: explorer.exePID: 1028, Parent PID: 6692COMMON

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.1%
Total number of Nodes:	69
Total number of Limit Nodes:	7

Executed Functions

Function 10ED7232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 10ED7449

Strings

`, xrefs: 10ED741D

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: d3636ee697f4334e67dc5666e2f26d0f00a7bf0c18fa2834ee25b083e0e4fef8
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 08225070A18B899FC749DF69C4956AEF7E1FB58305F41022EE49ED3250EB30E852CB81

Function 10ED8E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10ED8E67

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 073b8b211eca85723c34cba871f3fb8672634cfa708a9b2caeb6509a0259c379
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 3401B134668B884F8788EF6CD48122AB7E4FBCD314F000B3EE99AC3254EB70C5424B42

Function 10ED8E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 10ED8E67

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 3f445113194c2dac0521107791cf4c138b22f8cdecf28d0ad6dc7b654f934651
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 7401A234628B884F8748EB6C94512A6B3E5FBCE314F000B3EE9DAC3240EB21D5024B82

Function 10ED7F82 Relevance: 20.1, APIs: 1, Strings: 10, Instructions: 815
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 10ED812E

Strings

tion, xrefs: 10ED8331
dat=, xrefs: 10ED8290
nnec, xrefs: 10ED832A
&un=, xrefs: 10ED84F1
&br=, xrefs: 10ED8509
&sql, xrefs: 10ED8471
: cl, xrefs: 10ED8338
Co, xrefs: 10ED8323
GET , xrefs: 10ED8318
ose, xrefs: 10ED833F

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: getaddrinfo
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 300660673-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: 86eb874810233f7abec5a65e93c3f2c9a2a331e1b3a42236fa0f1b77064448d8
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 9852AE34618B488FC759EF69C8847DAB7E1FB54304F50462ED4AFC7242EE30A94ACB81

Function 10ED28C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10ED29A0

Strings

urlmon.dll, xrefs: 10ED2959
nt: , xrefs: 10ED291E
User-Agent: , xrefs: 10ED2935, 10ED2948
on.d, xrefs: 10ED2902

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 0c9f5eaa9b0d6c4e552c9e4080359e26acfb5dccc7a29c7d0a639b9328235daa
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 0231F131610B4C8FCB00EFA9C8957EEB7E1FB68215F40022AE44ED7340DE749646C789

Function 10ED28BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 10ED29A0

Strings

urlmon.dll, xrefs: 10ED2959
nt: , xrefs: 10ED291E
User-Agent: , xrefs: 10ED2935, 10ED2948
on.d, xrefs: 10ED2902

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 21d37dfbee408a64930eb88bc6957aaf0ecf2358c35661f83a98f0d0d45d36c8
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 1D21E170610B4C8ECB04EFAAC8957EEBBE5FF68204F40022AE45AD7340DE7496068789

Function 10ECEB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 10ECECCA

Strings

el32, xrefs: 10ECEBA0
kern, xrefs: 10ECEB99
.dll, xrefs: 10ECEBCD

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 7481d3afa2e4df4e4443e507a6094af2410b65453f252d6abf81e269f9c0e148
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 49417D74918A088FDB84EFA8C8D5BED77E1FF58300F00417AD84ADB255DE309946CB85

Function 10ECEB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexExW.KERNEL32 ref: 10ECECCA

Strings

el32, xrefs: 10ECEBA0
kern, xrefs: 10ECEB99
.dll, xrefs: 10ECEBCD

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 589fad711a7135b06f2f365cf772876368307d29c3807770c5c8f05341b9d5e2
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 1D414C74918A488FDB84EFA8C895BED77F1FB68300F40417AD84EDB255DE309946CB85

Function 10ED45B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 10ED4611

Strings

sock, xrefs: 10ED45D9

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: 6d620d8f33a4e6d26610a5e48feeb62181cdf5495a087d30d6d6153e68e86402
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 920171706187588FC784DF1CD048B50BBE0FB59314F1545ADE45ECB326C7B0C9818B86

Function 10ECC2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 10ECC32D

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: 8608892b2ee7c21cc25547306bfed3ff78d8e0ae515047bea58dc482e7027b48
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 8D316D74614B8DDFDB54DF2A9288395B7A0FB55304F4482BFC91DCA206CB36A4A1CF91

Function 10ECC412 Relevance: 1.5, APIs: 1, Instructions: 46
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 10ECC461

Memory Dump Source

Source File: 0000000A.00000002.4536334313.0000000010EB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 10EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_10eb0000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: 41037d84f2fcab7f85fa613129fca3e361f02d553aee9e04b7662e767ae4c482
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 11F0C234268B484FD788EB2CD84563AF3D0FBE9215F41463EA58DC3264DA29D5828716

Non-executed Functions

Function 102F3D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

M, xrefs: 102F4082
ll, xrefs: 102F3F13
32.d, xrefs: 102F3F0B
user, xrefs: 102F3F03
S, xrefs: 102F4073
net., xrefs: 102F3F44
wini, xrefs: 102F3F72
el32, xrefs: 102F3F27
kern, xrefs: 102F3F5A
.dll, xrefs: 102F3F2F
dll, xrefs: 102F3F4C

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 6bcdd97f52a339080bb9496fb45577cc9f10a9a970291b254726dfcb723f55ff
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 58E158B4618F4C8FCBA4DF68C4857AAB7E0FB58300F504A2EA59FC7241DF70A5518B89

Function 10432D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

net., xrefs: 10432F44
.dll, xrefs: 10432F2F
S, xrefs: 10433073
M, xrefs: 10433082
kern, xrefs: 10432F5A
dll, xrefs: 10432F4C
wini, xrefs: 10432F72
el32, xrefs: 10432F27
user, xrefs: 10432F03
32.d, xrefs: 10432F0B
ll, xrefs: 10432F13

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: b2ba41262b76aa19d96ca1fdd67800175607f841af6d82589cb2a72df60a5983
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 77E18B74618F588FC7A4DF28C4857AAB7E0FF58305F505A2EA59BCB240DF34A501CB89

Function 102F6792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

ypte, xrefs: 102F68A5
ypte, xrefs: 102F68DA
encr, xrefs: 102F689D
d, xrefs: 102F68F2
dPas, xrefs: 102F68E2
swor, xrefs: 102F68EA
form, xrefs: 102F684D
dUse, xrefs: 102F68AD
user, xrefs: 102F6876
guid, xrefs: 102F67CE
name, xrefs: 102F687D
rnam, xrefs: 102F68B5
encr, xrefs: 102F68D2
itUR, xrefs: 102F685D
Fiel, xrefs: 102F6884
Subm, xrefs: 102F6855
e, xrefs: 102F68BD

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 1dffed5ce5defea93e8b9b7b45c80c49dd4beb6ca0c142ab3a802eec5fd93af5
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: F1B18930518B4C8ADB55EF68C48AAEAB7F1FF98340F50452EE49AC7251EF70A4158B86

Function 10435792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

d, xrefs: 104358F2
dUse, xrefs: 104358AD
encr, xrefs: 1043589D
ypte, xrefs: 104358DA
user, xrefs: 10435876
encr, xrefs: 104358D2
rnam, xrefs: 104358B5
Fiel, xrefs: 10435884
swor, xrefs: 104358EA
dPas, xrefs: 104358E2
guid, xrefs: 104357CE
itUR, xrefs: 1043585D
name, xrefs: 1043587D
form, xrefs: 1043584D
ypte, xrefs: 104358A5
Subm, xrefs: 10435855
e, xrefs: 104358BD

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: bd332326bddaba78518797b2cd4212620bd4e8e1e1c071ddf2d6259e581d1ca4
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 03B19B30518B488EDB58EF68C486AEEB7F1FF98304F40551EE49ACB251EF74A505CB86

Function 102F4622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

w, xrefs: 102F46B3
u, xrefs: 102F4661
t, xrefs: 102F46C8
i, xrefs: 102F469E
2, xrefs: 102F4674
l, xrefs: 102F46D6
l, xrefs: 102F4682
n, xrefs: 102F46C1
e, xrefs: 102F466D
s, xrefs: 102F4689
d, xrefs: 102F467B
c, xrefs: 102F4697
d, xrefs: 102F46CF
n, xrefs: 102F46BA
l, xrefs: 102F46AC
d, xrefs: 102F46A5
p, xrefs: 102F4690

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: fe629a9668759c2fa3110b1a72ed85cddb60506b2062f64dbdcbe1e445e54532
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: E841B070A18B0C8FDB14DF88A8466ADBBE2FB48740F40025EE809D3245DFB5AD458BD6

Function 10433622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

c, xrefs: 10433697
w, xrefs: 104336B3
i, xrefs: 1043369E
n, xrefs: 104336BA
l, xrefs: 104336D6
u, xrefs: 10433661
d, xrefs: 104336CF
s, xrefs: 10433689
p, xrefs: 10433690
l, xrefs: 10433682
2, xrefs: 10433674
n, xrefs: 104336C1
e, xrefs: 1043366D
l, xrefs: 104336AC
t, xrefs: 104336C8
d, xrefs: 104336A5
d, xrefs: 1043367B

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 5878753fbdac5a4b43341a9e4e44d234397d6986774583dafe281e92a39cf2be
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 6741D6B0A18B188FDB14DF88A4856BD7BE2FB48705F00825ED449D7341DB749D458BD6

Function 102FBAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

[, xrefs: 102FBBF6
[, xrefs: 102FBCCD
D, xrefs: 102FBCDA
l, xrefs: 102FBC35
c, xrefs: 102FBC0B
b, xrefs: 102FBC73
l, xrefs: 102FBCE2
[, xrefs: 102FBC90
n, xrefs: 102FBC98
], xrefs: 102FBCA8
[, xrefs: 102FBC2D
e, xrefs: 102FBCA0
[, xrefs: 102FBC66
], xrefs: 102FBC3D

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 8b8788ba61c1b1e0bc29d809ed33b5c937ba8ad92c9ded12b0abb80f8c15f7cc
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 1EC15B75218B0D8FC759EF28C4866EAF3E1FB94344F50462EA59AC7210DF70A525CB86

Function 1043AAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

l, xrefs: 1043ACE2
l, xrefs: 1043AC35
e, xrefs: 1043ACA0
[, xrefs: 1043AC90
[, xrefs: 1043AC66
[, xrefs: 1043ABF6
D, xrefs: 1043ACDA
], xrefs: 1043AC3D
c, xrefs: 1043AC0B
n, xrefs: 1043AC98
b, xrefs: 1043AC73
[, xrefs: 1043ACCD
[, xrefs: 1043AC2D
], xrefs: 1043ACA8

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 6380de297c30e3f3842307f5f14c2f089759b2ac82726585662e87da8cc365f9
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: 53C16A74618B188BC758EF24D4C6A9AF3E1FF98305F40562EA59ACB200DF34B515CB86

Function 102FBF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 102FBF90
r, xrefs: 102FBF98
., xrefs: 102FBF63
r, xrefs: 102FBFA8
r, xrefs: 102FBFA0
r, xrefs: 102FBFB0
c, xrefs: 102FBFC8
n, xrefs: 102FBF6B
r, xrefs: 102FBFB8
r, xrefs: 102FBFC0
0, xrefs: 102FBF5B
r, xrefs: 102FBF88

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: a30cdb8ca67b4c4913050cef7d68c8f1266edf3e18cde8031bd1f7ab029d7a75
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 9351B43551874C8FD709DF18C4816AAB7E5FB85740F601A2EE8CBC7242DBB4A916CB82

Function 1043AF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

0, xrefs: 1043AF5B
r, xrefs: 1043AF88
r, xrefs: 1043AFA8
r, xrefs: 1043AFB0
., xrefs: 1043AF63
r, xrefs: 1043AF90
c, xrefs: 1043AFC8
n, xrefs: 1043AF6B
r, xrefs: 1043AFB8
r, xrefs: 1043AFA0
r, xrefs: 1043AFC0
r, xrefs: 1043AF98

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: b1c6e4efc1dda3c92d28721d9ae42072a88fec7fb2c27c6281bca1129fcbb04c
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: B951C7305187488FD749CF14D4C13AAB7E5FB89705F50292EE9CBCB241DBB8A906CB82

Function 102F52F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 102F5327
dll, xrefs: 102F532E
opera_browser.dll, xrefs: 102F5629
dragon_s.dll, xrefs: 102F5614
sspi, xrefs: 102F5320
4.dl, xrefs: 102F54DB
l, xrefs: 102F54E2
nspr, xrefs: 102F54D4

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 6941e4fba548f136093c86d421e5c8ad6f0e7d431889858be79d478f65e542b3
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 39C17074618A1D4FCB48EF68D496AAAF3E1FB98344F914329E44AC7250DF70EA118BC5

Function 102F52F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

cli., xrefs: 102F5327
dll, xrefs: 102F532E
opera_browser.dll, xrefs: 102F5629
dragon_s.dll, xrefs: 102F5614
sspi, xrefs: 102F5320
4.dl, xrefs: 102F54DB
l, xrefs: 102F54E2
nspr, xrefs: 102F54D4

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: e403a365985bac7b0e692cd57f7d224c0800a11d814116a44c14713e34bf8c25
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 19C17F74618A1D4FCB48EF68D496AAAF3E1FB98344F91432DA44AC7250DF70EA118BC5

Function 104342F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 10434614
l, xrefs: 104344E2
4.dl, xrefs: 104344DB
dll, xrefs: 1043432E
nspr, xrefs: 104344D4
cli., xrefs: 10434327
opera_browser.dll, xrefs: 10434629
sspi, xrefs: 10434320

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: 29623b6d58f26c4aabddb0b76834d8cc421667a3b7e4ea9df024840b57d428ca
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: BBC1A074618A294FC748EF68D496AAAF3E1FF98305F51532DA44ACB211DF38B901CBC5

Function 104342F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

dragon_s.dll, xrefs: 10434614
l, xrefs: 104344E2
4.dl, xrefs: 104344DB
dll, xrefs: 1043432E
nspr, xrefs: 104344D4
cli., xrefs: 10434327
opera_browser.dll, xrefs: 10434629
sspi, xrefs: 10434320

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 47eacaba189f8dd53569c9378c8075dfea150e088b3f0a59eef39a8d52234c7a
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: 07C1A074618A294FC748EF68D496AEAB3E1FF98305F51532DA44ACB211DF38B901CBC5

Function 102F6CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

word, xrefs: 102F6D9E
User, xrefs: 102F6DAB
2, xrefs: 102F6DE1
name, xrefs: 102F6DB2
L: , xrefs: 102F6D66
Pass, xrefs: 102F6D97
UR, xrefs: 102F6D5F

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 7fc8496f653fe3290e3113efafd7d551bfef95a78759f7a6f8ad64787a7fb3ea
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 6EA1CD70618B4C8BDB19DFA8D444BEEB7E1FF88340F40462DE48AD7251EF7099558B89

Function 10435CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

User, xrefs: 10435DAB
name, xrefs: 10435DB2
2, xrefs: 10435DE1
Pass, xrefs: 10435D97
UR, xrefs: 10435D5F
L: , xrefs: 10435D66
word, xrefs: 10435D9E

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 9f043e9703f8d0185836040df6f55cb4f59ca20d6a2b1564b080ee86a54f2b35
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: C4A1DF706187588BDB18EFA8D4857EEB7F1FF88305F00562DE48ADB241EF3499468789

Function 102F6CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

word, xrefs: 102F6D9E
User, xrefs: 102F6DAB
2, xrefs: 102F6DE1
name, xrefs: 102F6DB2
L: , xrefs: 102F6D66
Pass, xrefs: 102F6D97
UR, xrefs: 102F6D5F

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: e5f1adc773d9230e8538ac8126278c3b21407eac919ae6c9b0a57896b377a12e
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 1191BD70A18B4C8BDB19DFA8D444BEEB7E1FF98340F40462EE48AD7241EF7095558B89

Function 10435CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

User, xrefs: 10435DAB
name, xrefs: 10435DB2
2, xrefs: 10435DE1
Pass, xrefs: 10435D97
UR, xrefs: 10435D5F
L: , xrefs: 10435D66
word, xrefs: 10435D9E

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 9aa096bc11906aa07292727b978768ec2f269d534f70c782450fd2ce338e711b
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 6C91CE706187588BDB18EFA8D485BEEB7F1FF88305F00562DE48ADB241EB3496458789

Function 102F6352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

e, xrefs: 102F648E
, xrefs: 102F647C
v, xrefs: 102F64A0
n, xrefs: 102F63E7
., xrefs: 102F63B0

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 9e30628b4defd7b1d8d32664229d3fcd82cd229294de88202cd5337f4dac7c00
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 5A71C13161860D8FD758EFA8C4886AAF7F1FF98344F10062EE44AD7221EB70A8158B81

Function 10435352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

n, xrefs: 104353E7
., xrefs: 104353B0
, xrefs: 1043547C
v, xrefs: 104354A0
e, xrefs: 1043548E

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 4c51ef2ba67a6c24c30845804352e1f3e3f79d85bc2df576e1a223ef475aadf2
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 3E71C3316187488FD758EF68C4C57AAB7F1FF58309F00162EE44ACB261EB74E9458B85

Function 102F1C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

l32., xrefs: 102F1C97
2.dl, xrefs: 102F1C64
ole3, xrefs: 102F1C5D
dll, xrefs: 102F1C9E
shel, xrefs: 102F1C90

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 0ff6ff4d0dce74c1fa7db5ec4488bc48533325bba9d41759a8c6ea16137702a8
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 3D513BB4918B4C8BDB54DFA8C045AEEF7F1FF58340F40462EA49AE7214EF70A5518B89

Function 10430C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

2.dl, xrefs: 10430C64
ole3, xrefs: 10430C5D
l32., xrefs: 10430C97
dll, xrefs: 10430C9E
shel, xrefs: 10430C90

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 3886638e9cb3f1eca8bde4bc3d16b7d4cbece20fc17d521954f50d529fef3b3b
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: 69516DB0914B4C8BDB54DF64C0857EEB7F1FF18301F40562EA59AEB214EF34A5408B89

Function 102F286F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

ion., xrefs: 102F28EC
vers, xrefs: 102F28E4
4, xrefs: 102F29E9
\, xrefs: 102F29E0
dll, xrefs: 102F28F4

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 35129b8a0e26393ad98ca9c0c45027f93cdc5cd347ff33a692e5243af0f1899d
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: 7341A334218B4D8FDBB5EF2898457EAB3E4FB99341F50462E984EC7200EF30D9158B82

Function 1043186F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

ion., xrefs: 104318EC
\, xrefs: 104319E0
4, xrefs: 104319E9
vers, xrefs: 104318E4
dll, xrefs: 104318F4

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 0e6e10aab91f325f71ab0b3d00e3c28f005e7ce9bb9b395224c7bbe0ed8fe81c
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: E841B534619B5C8FCBA4EF2498857EA73E0FF98306F50562E995ECB210DF34E5058782

Function 102F44B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

sspi, xrefs: 102F450E
32.d, xrefs: 102F44DA
user, xrefs: 102F44D3
dll, xrefs: 102F451C
cli., xrefs: 102F4515

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: 2ba67834565c9368fa77d9d9aeac185bfb7d84c2757046b8ff920104899afb2c
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 66415170A18E0D8FCF94EF6880957ADB7E1FB68380F51456AE80ED7210DEB0D9518B86

Function 104334B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

user, xrefs: 104334D3
cli., xrefs: 10433515
32.d, xrefs: 104334DA
sspi, xrefs: 1043350E
dll, xrefs: 1043351C

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: a4c093692bcff30fd000d16a17a9fce5a00e8b79e4ab72a8b4375d5a61d44dc1
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: DB418130A18E1D9FCB84EF6880D63AD73E1FB5C302F41556EA80EDB310DA38D9408B86

Function 102F2432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

h, xrefs: 102F251F
.dll, xrefs: 102F253F
kern, xrefs: 102F252A
el32, xrefs: 102F2537

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: f8866c38be45c0ce9d10d80b8cd9a8cc86d3221853c6f8276cf9c72ec7d37cda
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: C4419270608B4D8FD7A8DF2880943AAF7E1FB99380F604A2E949EC3255DF70D955CB41

Function 10431432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

el32, xrefs: 10431537
kern, xrefs: 1043152A
h, xrefs: 1043151F
.dll, xrefs: 1043153F

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: fbd2b96865967375b7c16a2d5621a3704da6e262de56c9b61e28e729687833b4
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 1341A270608B498FD798CF2980C43AAB7E1FB9C306F105B2E949EC7265DB74D845CB81

Function 102F90B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

om:, xrefs: 102F9146
, xrefs: 102F9184
Snif, xrefs: 102F9154
f fr, xrefs: 102F913D

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 4ee2ed476dd4600866db836616058063f9569479b6c4983f0f2c6a237476d093
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 8231BE7550CB8C6FD71ADB28C4856DAFBD4FB84340F50492EE4ABC7252EE30A54ACE42

Function 104380B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

om:, xrefs: 10438146
, xrefs: 10438184
f fr, xrefs: 1043813D
Snif, xrefs: 10438154

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: a61056b12bddf5a6efa01ed7881414ec94868091feed5811ddc40593ecf52be0
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 1A31F43450CB486FD71ADB28D4C56DAB7D0FB88300F50591EE49BCB252EE38A64ACB43

Function 102F90C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

om:, xrefs: 102F9146
, xrefs: 102F9184
Snif, xrefs: 102F9154
f fr, xrefs: 102F913D

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 986d5218353d3674e83dfef17079dff1c399935e04cd78e1afe69091311e3de5
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: B231E075508B4C6FD71ADB28C485AEAF7D5FB94340F50492EE4ABC3251EE30A506CE42

Function 104380C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

om:, xrefs: 10438146
, xrefs: 10438184
f fr, xrefs: 1043813D
Snif, xrefs: 10438154

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: b0325b1f41a812e7d93bdbb40de8840b0d9c88c05072608a6f1b69217ae0681d
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 4831E175508B486FD759DB28C4C56EAB7D4FB98300F40592EE49BCB252EE38E606CB42

Function 102F4FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

hild, xrefs: 102F4FF6
.dll, xrefs: 102F4FFE
me_c, xrefs: 102F4FEE
chro, xrefs: 102F5023

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: 002645e8e66b330388294675a01509f755483004101e5863cc990c4dbb00f4f3
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 28319E30218B1C4FCB84EF288495BAAB7E1FF98380F94466DA44ACB214DF30D915CB92

Function 10433FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

.dll, xrefs: 10433FFE
hild, xrefs: 10433FF6
me_c, xrefs: 10433FEE
chro, xrefs: 10434023

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: cfc205f64be9430e1ca0cbf8cf31a09c93758a10a35ef90704b64f37916cb9ce
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: FD318174218B284FC784EF6894D57AAB7E1FFD8305F90262DA44ACB215DF34E905C752

Function 102F4FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

hild, xrefs: 102F4FF6
.dll, xrefs: 102F4FFE
me_c, xrefs: 102F4FEE
chro, xrefs: 102F5023

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: e1c18b16962f8a73872dcd09dc787c73bcf5e3d4cb30a8fa1159a12f21b6c5f1
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 26319A70218B1C8FCB84DF688495BAAB7E1FF98380F94466DA44ACB254DF30D915CB92

Function 10433FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

.dll, xrefs: 10433FFE
hild, xrefs: 10433FF6
me_c, xrefs: 10433FEE
chro, xrefs: 10434023

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 4ea7ba54a94ddd04480ef16aa4c712dd7dc6e10e647db3d4c506a98e76836987
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 06319074218B284FC784EF6894D579AB7E1FFD8305F90262DA44ACB215DF34E905C742

Function 102F78C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 102F7935, 102F7948
on.d, xrefs: 102F7902
nt: , xrefs: 102F791E
urlmon.dll, xrefs: 102F7959

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 448cb5470bcc068a9039c83a46c13df726076cb47d98a34e410130a41870a8ec
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 3B31D131614A0D8BCF45EFA8C8857EDBBE1FB58344F40422AE45EE7240DE749645CB99

Function 104368C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10436935, 10436948
nt: , xrefs: 1043691E
urlmon.dll, xrefs: 10436959
on.d, xrefs: 10436902

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: bf1a19ebb2660b937a5bcb957ee75166ef8dd143c8e1f41ad45cb036707feaa0
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: 2F31C071614A1D8BCB44EFA8C8857EDBBF0FF5C209F40522AE45EDB240DE789645C789

Function 102F78BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 102F7935, 102F7948
on.d, xrefs: 102F7902
nt: , xrefs: 102F791E
urlmon.dll, xrefs: 102F7959

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 3c485553fdb83483812e50d7cf0489add5c9cbeb8ccf8ca97c95a983e33d0e3d
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: BD210470A10A0D8BCF05EFA8C8857EDBBE1FF58744F40422AE45AE7240DF749614CB89

Function 104368BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

User-Agent: , xrefs: 10436935, 10436948
nt: , xrefs: 1043691E
urlmon.dll, xrefs: 10436959
on.d, xrefs: 10436902

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 46fc44528f5a2f8d123269b758b52222df154b9a8c061d065d27ae2ad532549c
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 3921C170A10A5D8ACB04EFA8C8857EDBBB0FF5C209F40522EE45ADB240DE789605C789

Function 102F8E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 102F8F03
., xrefs: 102F8F1F
t, xrefs: 102F8EF4
l, xrefs: 102F8F26

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: 348f891cf862e869195e3a472a6fa54b976d586c14166fed1084b736b18ce7bf
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 9B216D74A24A0D9BDB48EFA8D4457EDFBF1FF58304F50462EE009D3600DB75A5658B84

Function 102F8E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 102F8F03
., xrefs: 102F8F1F
t, xrefs: 102F8EF4
l, xrefs: 102F8F26

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: f359094fd4a943dd856f1555537b7ecd5af5adb81bd04c4ad5f244b42dedf299
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: F4217C74A24A0E9BDB48EFA8C0457AEFAF1FF58304F50462EE009D3600DB74A5618B84

Function 10437E92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 10437F26
l, xrefs: 10437F03
t, xrefs: 10437EF4
., xrefs: 10437F1F

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: 715e6919f0ee254b1f724be51d134c79fadbe0ce3dbad92f483aaf326ab1555d
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: F121AD74A24A0D9FDB48EFA8D0847ADBAF0FF5C305F50562EE049D7600CB78A551CB84

Function 10437E94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

l, xrefs: 10437F26
l, xrefs: 10437F03
t, xrefs: 10437EF4
., xrefs: 10437F1F

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: d8a50d5e7f73619f3837d11fb41a4c5a46ffcc6f84651409260046e3f9eb0313
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 99219C74A24A0D9BDB08EFA8D0857E9BBF0FB0C305F50562DE049D7600DB78A551CB84

Function 102F8FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

user, xrefs: 102F9015
pass, xrefs: 102F9022
auth, xrefs: 102F902F
logi, xrefs: 102F903C

Memory Dump Source

Source File: 0000000A.00000002.4535664111.00000000102C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 102C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_102c0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: cb164d646bfd55d0298f6a8746b5ae30b53b726baebb9443423348e88b6470af
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 7021C33061470D4BCB45CF9998816DEB7E5EFC8384F00461AE80ADB344EBB0E9148BC2

Function 10437FF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

auth, xrefs: 1043802F
logi, xrefs: 1043803C
pass, xrefs: 10438022
user, xrefs: 10438015

Memory Dump Source

Source File: 0000000A.00000002.4535841353.00000000103A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 103A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_103a0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 3997f0a74e8fc60cf17cc6fe21e8b3202d433c99843598951bf9862a74ee5af2
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: 5C21FD30614B0D8BCB05DF9998812DEB7F1EF88344F01661DE44AEB384D7B4E9048BC2

Analysis Process: xnnxAkrxh.exePID: 1892, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	246
Total number of Limit Nodes:	11

Executed Functions

Function 074129D5 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2128845244.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7410000_xnnxAkrxh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6e3acbb0d85a96de2d8541456f69d0a344574450ced76a26d7a044143e1518
Instruction ID: e7e20fcce876cb160c43532057a9cf8abb6d346308d1bf3fc51385201fdda047
Opcode Fuzzy Hash: 5d6e3acbb0d85a96de2d8541456f69d0a344574450ced76a26d7a044143e1518
Instruction Fuzzy Hash: 57A002F4EEE148D58055FC1504000F4C03CB65F004F073C07510AB30122889C292410D

Function 0529D369 Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0529D3F6
GetCurrentThread.KERNEL32 ref: 0529D433
GetCurrentProcess.KERNEL32 ref: 0529D470
GetCurrentThreadId.KERNEL32 ref: 0529D4C9

Memory Dump Source

Source File: 0000000B.00000002.2126642575.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5290000_xnnxAkrxh.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 2107d61cb229c2973d8394f0c42fd3c5719171180a4e5c39b14531397f467f0f
Instruction ID: 5cda1816127b30203c4bce7425106bd160239bdcee9526abaa0c372f135ca651
Opcode Fuzzy Hash: 2107d61cb229c2973d8394f0c42fd3c5719171180a4e5c39b14531397f467f0f
Instruction Fuzzy Hash: 9F5147B09107498FDB18DFAAD548B9EBBF5FF48304F208459E009AB360D778A984CF65

Function 0529D378 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 0529D3F6
GetCurrentThread.KERNEL32 ref: 0529D433
GetCurrentProcess.KERNEL32 ref: 0529D470
GetCurrentThreadId.KERNEL32 ref: 0529D4C9

Memory Dump Source

Source File: 0000000B.00000002.2126642575.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5290000_xnnxAkrxh.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6be5913c2b9398fbbd1ca63d3f7db544d2c31b0f5941ae7a64946946cedd575e
Instruction ID: 37afaac2a12cbc6dd97fd90ade1ed061ed982d34bab0db7cbd305e5fdf285d72
Opcode Fuzzy Hash: 6be5913c2b9398fbbd1ca63d3f7db544d2c31b0f5941ae7a64946946cedd575e
Instruction Fuzzy Hash: 715136B09107098FDB18DFAAD548B9EBBF5FF48314F208459E009AB360D774A984CF65

Function 058EF6D4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 058EF916

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4c9fdf8c7a1f56ad3d45b2ba5198145fdcd296ace14efec8106b4629d52379a3
Instruction ID: 75c093ab442fb66e287e3bf45cc861319e0d847f412aa4dcce59ddc9418a7857
Opcode Fuzzy Hash: 4c9fdf8c7a1f56ad3d45b2ba5198145fdcd296ace14efec8106b4629d52379a3
Instruction Fuzzy Hash: A8A18A71D002199FEB24DF68C841BAEBBB2BF45310F1481AAE858E7240EB749985CF91

Function 058EF6E0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 058EF916

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ba3b3fd4f300a4db050449ab6dbd541eabcd0dff02fd10eda3738a9d22780e43
Instruction ID: 1880b176b4a769638607d9b95495b830a8ee262e7ce267030956d01807f68116
Opcode Fuzzy Hash: ba3b3fd4f300a4db050449ab6dbd541eabcd0dff02fd10eda3738a9d22780e43
Instruction Fuzzy Hash: BE917971D002299FDF24DF68C841BADBBB2BF45310F1481AAE959E7240EB749985CF91

Function 0529B3B1 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0529B626

Memory Dump Source

Source File: 0000000B.00000002.2126642575.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5290000_xnnxAkrxh.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cf08f3ab4990c3bee301c5922ce85bd90340fd6410483340ac6bbad8c0f17005
Instruction ID: d3fd4eadb15d2f87093e0669d1c31662402ee1674fe95ef678bf7ee5e78c7bab
Opcode Fuzzy Hash: cf08f3ab4990c3bee301c5922ce85bd90340fd6410483340ac6bbad8c0f17005
Instruction Fuzzy Hash: 0C8156B0A14B458FDB28DF29E5547AABBF1BF48300F00892ED48AD7B50D774E805CB91

Function 052944F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 052959C9

Memory Dump Source

Source File: 0000000B.00000002.2126642575.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5290000_xnnxAkrxh.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3646d542e558123e35dbf1619fa747670db806ee7aac1b87c44579f765d153b8
Instruction ID: 30f1713ae03e68371678347f036a15ecdeefa938ef057c315c4f788b53134858
Opcode Fuzzy Hash: 3646d542e558123e35dbf1619fa747670db806ee7aac1b87c44579f765d153b8
Instruction Fuzzy Hash: 894100B0D0072DCBDB29DFA9C884B8DBBF5BF48304F20806AD408AB255DBB56945CF91

Function 0529590C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 052959C9

Memory Dump Source

Source File: 0000000B.00000002.2126642575.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5290000_xnnxAkrxh.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 37d9ca635ffff41b253c793ab616b011627364bb5723b9e9e2bfce49dacf7f1f
Instruction ID: e9ec44ea2ca1cfb394e2f502247e97e83112986acbca4350807782fe7ef0fd87
Opcode Fuzzy Hash: 37d9ca635ffff41b253c793ab616b011627364bb5723b9e9e2bfce49dacf7f1f
Instruction Fuzzy Hash: BA4112B0D00719CBDF29CFA9C98478DBBF6BF48304F20806AD408AB254DB755946CF90

Function 058EF450 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 058EF4E8

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 7bb37152f7709a06f4233cea748d20abd83f38a93ce0336275e04acc80859791
Instruction ID: cad3478f58d9b40a97e650b2c0823095502d3dfa437d497f9de97480f84ac16a
Opcode Fuzzy Hash: 7bb37152f7709a06f4233cea748d20abd83f38a93ce0336275e04acc80859791
Instruction Fuzzy Hash: 4E2127B69003099FCB10DFAAC985BEEBBF5FF48314F108429E919A7340D7789944CBA4

Function 058EF458 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 058EF4E8

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: d79d15090e110132994573d8f23bd8c2216866e29a0b0867b1c5d2acaf802e7a
Instruction ID: 2294a3bc2dbd8161d5c2e084504f5c6a662a8b72f99ef95dc83a872841214002
Opcode Fuzzy Hash: d79d15090e110132994573d8f23bd8c2216866e29a0b0867b1c5d2acaf802e7a
Instruction Fuzzy Hash: 402127B59003099FCB10DFAAC985BEEBBF5FF48314F108429E919A7240D7789944CBA0

Function 058EF540 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058EF5C8

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 5d002fdae3046ca42e7fdd3595cf2d403a03528231a8e121f8538a77ea99cfb3
Instruction ID: 9a5cebe3b7b417f4730dd92b2b4b13266d5e705635896cd1ad0fe6b113509e61
Opcode Fuzzy Hash: 5d002fdae3046ca42e7fdd3595cf2d403a03528231a8e121f8538a77ea99cfb3
Instruction Fuzzy Hash: 28212AB1C003499FCB10DFAAC885AEEFBF5FF48310F108429E919A7250D7789955DBA1

Function 058EF2B8 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 058EF33E

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 9b778db0a56f5b28a6c5bf05769d2998f3deba9cea5d8551f2a5059b2d591e3b
Instruction ID: 69ed80ff95e8a942a9021dd6153b47e0095c70e7fadedc5a5b652772a64b09f8
Opcode Fuzzy Hash: 9b778db0a56f5b28a6c5bf05769d2998f3deba9cea5d8551f2a5059b2d591e3b
Instruction Fuzzy Hash: 132134B19002098FDB10DFAAC4857EEFBF4FF89314F14842AD919A7240DB78A945CFA0

Function 058EF548 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 058EF5C8

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 334b5b3ae2c667d5dd32a85be9255131b6a9a9fab7fdc10c645fe2e87c86384e
Instruction ID: b5569654202f9d43d21f2d69813cc622996856ae2c2122820f3527019461c256
Opcode Fuzzy Hash: 334b5b3ae2c667d5dd32a85be9255131b6a9a9fab7fdc10c645fe2e87c86384e
Instruction Fuzzy Hash: D82137B1C003499FCB10DFAAC880AEEFBF5FF48310F10842AE919A7250D7789945CBA0

Function 058EF2C0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 058EF33E

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5c48ae0f8e7955e3f695e7e99aa67bda759ec53de367d491ff51ac4654e5541d
Instruction ID: 799a83d6c209337453dec5921c82e1247f979f5369ec319cf23bb5cd1f5c56be
Opcode Fuzzy Hash: 5c48ae0f8e7955e3f695e7e99aa67bda759ec53de367d491ff51ac4654e5541d
Instruction Fuzzy Hash: 762115B19002098FDB10DFAAC4857EEBBF5FF89314F14842AD919A7240DB78A945CFA5

Function 0529D9C8 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0529DA4F

Memory Dump Source

Source File: 0000000B.00000002.2126642575.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5290000_xnnxAkrxh.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: cb01e0a233a93e30fbd2bce6d7ca790fe528680528218fdaaf20a4c178b03fc4
Instruction ID: be4d3349f143aaa705bb8993b16b505c341dbca122ff175846c0d749d8f36fb2
Opcode Fuzzy Hash: cb01e0a233a93e30fbd2bce6d7ca790fe528680528218fdaaf20a4c178b03fc4
Instruction Fuzzy Hash: B721C4B59002499FDB10CFAAD984ADEBBF9FF48310F14841AE918A3350D378A954DFA5

Function 0529D9C1 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0529DA4F

Memory Dump Source

Source File: 0000000B.00000002.2126642575.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5290000_xnnxAkrxh.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 47ff3bf677c4bd3b5a07e1946e74b80f5f53ccf908c4427ef36093c98ab3593a
Instruction ID: 3bc65d3ba8f71c69e88e844f07576fd1a1f05363c7c0477db01ae30c2ef856ee
Opcode Fuzzy Hash: 47ff3bf677c4bd3b5a07e1946e74b80f5f53ccf908c4427ef36093c98ab3593a
Instruction Fuzzy Hash: 6821E0B59002089FDB10CFAAD984AEEBBF5FB48310F14841AE918A3310D378A954DFA5

Function 058EF390 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 058EF406

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2632b96884f6ab15a7bd5c748d7d2050214834f0317a043b58532a26c30ef696
Instruction ID: 503422d11961df9b6c814447994c42c21f06c7c6fcb06092abd81ec69257d084
Opcode Fuzzy Hash: 2632b96884f6ab15a7bd5c748d7d2050214834f0317a043b58532a26c30ef696
Instruction Fuzzy Hash: 451156719002489FCB10DFAAC845AEEFFF5FF49310F208419E519A7250CB79A940CFA0

Function 058EF398 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 058EF406

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f68754faf91aeb10ce427508d839f9a6e50a9f4546fa84dcf9e9e8855d75ab6c
Instruction ID: 620f4a887dc103b257c4c1d05dd84e8f4fa00fb5f326c295bf982c59589b50a4
Opcode Fuzzy Hash: f68754faf91aeb10ce427508d839f9a6e50a9f4546fa84dcf9e9e8855d75ab6c
Instruction Fuzzy Hash: 8A1137759002499FCB10DFAAC844AEFBFF5FF49314F208419E519A7250C779A944CFA1

Function 058EF209 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 058EF272

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 64e55df846d8d98fd3266e5a81724a124f3c32456eb8d9450f6137122aa6f277
Instruction ID: b25153238af20d70991ced51da7623b94eebe1ff598925420735288ec9636962
Opcode Fuzzy Hash: 64e55df846d8d98fd3266e5a81724a124f3c32456eb8d9450f6137122aa6f277
Instruction Fuzzy Hash: 2D1125B5D002488FDB20DFAAC4457EEFBF5EF89324F248429D519A7250CB79A944CBA4

Function 058EF210 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 058EF272

Memory Dump Source

Source File: 0000000B.00000002.2128538440.00000000058E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58e0000_xnnxAkrxh.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 758715df0ffb516eac1624d18b31730bcff34f9b31016bc4480c50d1cdcf7459
Instruction ID: d744bc5b48c695f6d2a1a917ad12566f087980d5ebf9863d885bb4e0f3e3b9d2
Opcode Fuzzy Hash: 758715df0ffb516eac1624d18b31730bcff34f9b31016bc4480c50d1cdcf7459
Instruction Fuzzy Hash: B71136B5D002488FCB20DFAAC4457EEFBF5EF89324F208419D519A7250CB79A944CFA4

Function 0529B5C0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0529B626

Memory Dump Source

Source File: 0000000B.00000002.2126642575.0000000005290000.00000040.00000800.00020000.00000000.sdmp, Offset: 05290000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5290000_xnnxAkrxh.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 23b6dfa0d500b646c01f46c0bb4895609bd88d805b22ccef83ce4cde7f7fd305
Instruction ID: 782e914d80dd4c6e8150b0eb18b7d24cd4033fbd1e651fd1daf15eb9001bbeea
Opcode Fuzzy Hash: 23b6dfa0d500b646c01f46c0bb4895609bd88d805b22ccef83ce4cde7f7fd305
Instruction Fuzzy Hash: 2C110FB5C042498FCB14DF9AD444A9EFBF4AF88210F10842AD469B7310D379A545CFA5

Function 0741125C Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 074131ED

Memory Dump Source

Source File: 0000000B.00000002.2128845244.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7410000_xnnxAkrxh.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 99e3d7cb423d931fa15382641c1eb427c9d4729ddf2b9c8188d7070f38d5f34b
Instruction ID: cc509d3424932ff00f228bb4e324f63ee91252112c8d44ea801a0e436bebb35d
Opcode Fuzzy Hash: 99e3d7cb423d931fa15382641c1eb427c9d4729ddf2b9c8188d7070f38d5f34b
Instruction Fuzzy Hash: 1811F5B59003499FCB10DF9AD445BDEBBF8EB48310F10845AE518A7200D375A944CFA5

Function 07413189 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 074131ED

Memory Dump Source

Source File: 0000000B.00000002.2128845244.0000000007410000.00000040.00000800.00020000.00000000.sdmp, Offset: 07410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7410000_xnnxAkrxh.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: dcbf7b14852710b250faca1d6f0bcf685dc0562c5046215322f6edef8a07aa59
Instruction ID: 156479bf721c8573124bf02f914e4652b6221f1f14d5df1e58797197742686c0
Opcode Fuzzy Hash: dcbf7b14852710b250faca1d6f0bcf685dc0562c5046215322f6edef8a07aa59
Instruction Fuzzy Hash: 3B1103B58002499FDB10EF99D845BDEFBF4FB48310F20841AD518A7200D379A944CFA0

Function 010BD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2121739360.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10bd000_xnnxAkrxh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7543467ba1577dcfe60edcfbac8913d01c50522b12a230e9adadfb71c6f52b21
Instruction ID: 6d736999c9aab4c437e99c7257921257bb0a0916cc05aec35e5e99066eb328f1
Opcode Fuzzy Hash: 7543467ba1577dcfe60edcfbac8913d01c50522b12a230e9adadfb71c6f52b21
Instruction Fuzzy Hash: 3821F171500244DFDB05DF58D9C0B6AFFA5FB8831CF20C5A9E9890A256C33AD456CBA2

Function 010BD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2121739360.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10bd000_xnnxAkrxh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d109a8367a1b75635975b25b858d7e29233fac8f28373862ad4f3338aae941c7
Instruction ID: 4d717d639ea8482af2af1f570f4fed889bfeee44cf1ec4736274bde357782fe2
Opcode Fuzzy Hash: d109a8367a1b75635975b25b858d7e29233fac8f28373862ad4f3338aae941c7
Instruction Fuzzy Hash: A5210671500204DFDB05DF58D9C0B9AFFA5FB98318F20C5A9E9490B256C73EE456C7A2

Function 012AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2121914123.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_xnnxAkrxh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f328b8ea069a6685c16dd6b3326f9054a8cb85c90e775f10d91f2d04fd2c14
Instruction ID: e1cba67611fdcf878388a8f8c64e2e3a82eed47d2918e6634d0c32d516fa2097
Opcode Fuzzy Hash: 51f328b8ea069a6685c16dd6b3326f9054a8cb85c90e775f10d91f2d04fd2c14
Instruction Fuzzy Hash: 12214270294208DFCB15CF68D980B22BF65FB88314F60C56DDA0A0B656C37AD407CA61

Function 012AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2121914123.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_xnnxAkrxh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f03da880647809c9551ba23f32aa683f7e57c174ff2363d8015f57d57ad58b9
Instruction ID: f8b53a4d69889eefd0c34c4ce7ac669c0f0305aa44d44403f2857d8e50cbeb2b
Opcode Fuzzy Hash: 0f03da880647809c9551ba23f32aa683f7e57c174ff2363d8015f57d57ad58b9
Instruction Fuzzy Hash: 0B213471524208EFDB05DFA8C9C0F26BBA5FB88324F60C56DE9094B657C37AD806CA61

Function 012AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2121914123.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_xnnxAkrxh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09639082974e5a2953d3a1c152fb9c0ed93a2755cc700b14b723c9155de40e1
Instruction ID: 8eb21d45d12f511caf1788be9aaa38482a261162f43933a735e7a290b6e6a84d
Opcode Fuzzy Hash: d09639082974e5a2953d3a1c152fb9c0ed93a2755cc700b14b723c9155de40e1
Instruction Fuzzy Hash: 7921B0714483849FCB03CF24D994711BF71EB4A314F28C5DAD9898F6A7C33A980ACB62

Function 010BD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2121739360.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10bd000_xnnxAkrxh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 1d4c9d975fe4d694b4beb2d1f4a27264c239831c9cc57af1334c3592d67b2229
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 6D11CD72404240CFDB02CF44D5C4B96BFA1FB84324F24C6A9D9490A256C33AE45ACBA2

Function 010BD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2121739360.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_10bd000_xnnxAkrxh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction ID: 9a112530e650564eedea6565d908a3518e8f78eabe9af42c7605235c7b59f643
Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
Instruction Fuzzy Hash: 0211DF72404280CFCB02CF54D5C4B56FFB1FB88318F24C6A9D9490B256C33AD45ACBA2

Function 012AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2121914123.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_12ad000_xnnxAkrxh.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: a1bbda95abb483ee3fa5c0345378d7f72bd11708e88772c7f7b62f96a268828b
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 4A11BB75504284DFDB02CF54C5C4B15BFA1FB84324F24C6A9D9494B6A7C33AD40ACB62

Analysis Process: MSBuild.exePID: 3552, Parent PID: 1892COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	0%
Total number of Nodes:	548
Total number of Limit Nodes:	72

Executed Functions

Function 0041A3D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A415

Strings

bMA, xrefs: 0041A40D, 0041A414
!JA, xrefs: 0041A3EC, 0041A3F8
bMA, xrefs: 0041A3F2, 0041A400

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 54437c4e75339082d0912fbe7e6c9053912bd6928cda1a9760da43cab1c95c7d
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: C3F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241D630E8518BA4

Function 0041A31B Relevance: 1.5, APIs: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e854bda4c8ffc7a545f0fa1354872165e9ca619cff1b1dff18116eccacdb2e5c
Instruction ID: 843ed695e50a36f3005de0b6640789ce179117e1bd0c38b56b8052d49bf53f0c
Opcode Fuzzy Hash: e854bda4c8ffc7a545f0fa1354872165e9ca619cff1b1dff18116eccacdb2e5c
Instruction Fuzzy Hash: 3001B2B2211108AFCB08DF99DC85EEB77A9AF8C754F158249FA0D97241C630E8518BA4

Function 0041A320 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A36D

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 30690d9e011530b668ed3b4ae7cc5c3fda29d367b226dbf4f68f65ca016a7565
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: FDF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Function 0041A500 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: c35769ceed384df61eeb5fc049e905e887b244236103aac277853e7772ac0dd9
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 75F015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241C630F811CBA4

Function 0041A4FF Relevance: 1.5, APIs: 1, Instructions: 27
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B0F4,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A539

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f45946b05a1dd7d052a3d9b6a11d98c611a3919fd67080911be21ade4fe0f789
Instruction ID: 017ad903feb3531cfc01750c973c23e044ee790ddf7460f9de04a0f8c24ecf1a
Opcode Fuzzy Hash: f45946b05a1dd7d052a3d9b6a11d98c611a3919fd67080911be21ade4fe0f789
Instruction Fuzzy Hash: DAF039B6204149ABCB14DF99DC84CA777A9FF88324B15865AF94997202C634E865CBA0

Function 0041A44B Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d3d262518f34281f0e577afdfc2171d9aadb620eb04ab38b03f22fa21ed5c3ce
Instruction ID: eb9f6bd40963156d82049b5c65ce28109efdb37e11e6bc60a87de4852ffb79c9
Opcode Fuzzy Hash: d3d262518f34281f0e577afdfc2171d9aadb620eb04ab38b03f22fa21ed5c3ce
Instruction Fuzzy Hash: 68E0C276200210ABD721EBA8CC44ED77B68EF44374F05459DB9989B282C230E600C7E0

Function 0041A450 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A475

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e48275ca6f7768b9f0fd4fab79f6d7fda959a909e55c262f35bdb2090c9231ed
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E5D01776200214ABD710EB99DC85EE77BADEF48764F15449ABA189B242C530FA1086E0

Function 01702B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702B6A

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 002f0276833cfa497716172d34573b5ac96c60c6ab7050e437dc94e1099b2bb8
Instruction ID: 303c684bc625a8e30155136965f9a11d375cdd934296fd773830e69912d4ea8c
Opcode Fuzzy Hash: 002f0276833cfa497716172d34573b5ac96c60c6ab7050e437dc94e1099b2bb8
Instruction Fuzzy Hash: 14900262256400034305715C4414616900A97E1201B55C031E10145A0DC6258A916226

Function 01702BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702BFA

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bcd4b59e7d85b53714d9891ec32aedb34d8285fc3b9febf5621354ccf65fa2c1
Instruction ID: 2fbbb84bfc50d9a46586c02444bf8188db4f86628a23ad2ec7a5a94550fd3a86
Opcode Fuzzy Hash: bcd4b59e7d85b53714d9891ec32aedb34d8285fc3b9febf5621354ccf65fa2c1
Instruction Fuzzy Hash: 0E90023225540803D380715C440464A500597D2301F95C025A0025664DCB158B5977A2

Function 01702AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702ADA

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ffa83c17bf96cdcd8caf7f62c7651b07128547e2ff23503e54f6fca278db4d60
Instruction ID: c7d58190b24ebb88390d059c1eb1c50c63ffa6bf811612284f03a48e73ae9161
Opcode Fuzzy Hash: ffa83c17bf96cdcd8caf7f62c7651b07128547e2ff23503e54f6fca278db4d60
Instruction Fuzzy Hash: D8900226265400030305B55C0704507504697D6351355C031F1015560CD7218A615222

Function 01702D30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702D3A

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 52e162ce196de31e394ad03b25c8e6f429a6067b54396bd00c60acdbb0c09a61
Instruction ID: 0996331cff4675991108ba82868de8e3640faacd9cb9ebeb1d44caa28efabcc1
Opcode Fuzzy Hash: 52e162ce196de31e394ad03b25c8e6f429a6067b54396bd00c60acdbb0c09a61
Instruction Fuzzy Hash: 3A90022235540003D340715C54186069005E7E2301F55D021E0414564CDA158A565323

Function 01702D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702D1A

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50461956e34b5d64f3b1a0d4c3348e716fdea3174ce585bc0c0d7caa83276780
Instruction ID: 94ace7b92fda22909b40290ea09b5009d15e823add42de2bd9e20087974c7f7d
Opcode Fuzzy Hash: 50461956e34b5d64f3b1a0d4c3348e716fdea3174ce585bc0c0d7caa83276780
Instruction Fuzzy Hash: 2A90022A26740003D380715C540860A500597D2202F95D425A0015568CCA158A695322

Function 01702DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702DFA

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76697d5127d853aa67e1929212e28fc58df3fb53277eb54e78f8c7512ff9c705
Instruction ID: 2eee14576784d90666d29e4471d0251e91a2671cb37d16f1c13eb5aa82aa2606
Opcode Fuzzy Hash: 76697d5127d853aa67e1929212e28fc58df3fb53277eb54e78f8c7512ff9c705
Instruction Fuzzy Hash: 2290023225540413D311715C4504707500997D1241F95C422A0424568DD7568B52A222

Function 01702DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702DDA

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0387c95ea207988227339718d14c400a21196d5ce14f6c5012f08dccfa2190ae
Instruction ID: d2644afa34436a83b076bf7659654514a26c333e4c2413d859d3386774335516
Opcode Fuzzy Hash: 0387c95ea207988227339718d14c400a21196d5ce14f6c5012f08dccfa2190ae
Instruction Fuzzy Hash: 83900222296441535745B15C44045079006A7E1241795C022A1414960CC6269A56D722

Function 01702C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702C7A

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d07f7c2c80b48dcc8042bf82a2499aba5dc84a080d09d6c6c36b71f5ffa3445d
Instruction ID: df347039c994c2c61539318e00d401e06eaa9a61d124cafbdb757c560c0751d2
Opcode Fuzzy Hash: d07f7c2c80b48dcc8042bf82a2499aba5dc84a080d09d6c6c36b71f5ffa3445d
Instruction Fuzzy Hash: DB90023225548803D310715C840474A500597D1301F59C421A4424668DC7958A917222

Function 01702CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702CAA

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f2a5be804a715e59b6c0f965b1852ffbe6309683078da7c987110dc5b16ecbb5
Instruction ID: f8233229b18ddb53a6241a73d91227a2800925c4079bd606384ec5927f2ba0a1
Opcode Fuzzy Hash: f2a5be804a715e59b6c0f965b1852ffbe6309683078da7c987110dc5b16ecbb5
Instruction Fuzzy Hash: 8390023225540403D300759C5408646500597E1301F55D021A5024565EC7658A916232

Function 01702F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702F3A

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e4a0db1f5412393872a63440c82c379f0868f3948d97c3a935a9ce3ae1dd8d5
Instruction ID: c8c4bad9d5f03dbed9cb47b6b4518d2261869cdc911e8a6a66e4ac4caba6466a
Opcode Fuzzy Hash: 8e4a0db1f5412393872a63440c82c379f0868f3948d97c3a935a9ce3ae1dd8d5
Instruction Fuzzy Hash: 2F90026239540443D300715C4414B065005D7E2301F55C025E1064564DC719CE526227

Function 01702FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702FEA

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86190d62e70556d19f477efa8a70cc2ebc4ec0bc0aee98ee7e9f6ead66dcc6aa
Instruction ID: 51aaf0483add0b7bedf567272d20fc6436accb0e9b44f612f4d02abb207fc310
Opcode Fuzzy Hash: 86190d62e70556d19f477efa8a70cc2ebc4ec0bc0aee98ee7e9f6ead66dcc6aa
Instruction Fuzzy Hash: EF900222265C0043D300756C4C14B07500597D1303F55C125A0154564CCA158A615622

Function 01702FB0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702FBA

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf8df855816d4ae2e6373534b31680d859f7490a7feb4c3d31bb6283c5053579
Instruction ID: 3759aba5b9981250a4e4783d85c982f8eb85835b193b31114e61efd0a747f5de
Opcode Fuzzy Hash: cf8df855816d4ae2e6373534b31680d859f7490a7feb4c3d31bb6283c5053579
Instruction Fuzzy Hash: 5A900222655400434340716C88449069005BBE2211755C131A0998560DC6598A655766

Function 01702F90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702F9A

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 08fcc6c96870c8cd76dbaec2de142ec1af98ae2418995738c3ee95f0a43ff2c7
Instruction ID: f3631c2945548e386a015880297d9384a6d28bed747a3f4c7cfd5031a312b7f2
Opcode Fuzzy Hash: 08fcc6c96870c8cd76dbaec2de142ec1af98ae2418995738c3ee95f0a43ff2c7
Instruction Fuzzy Hash: 0990023225580403D300715C481470B500597D1302F55C021A1164565DC7258A516672

Function 01702EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702EAA

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ee78f4230269b9d28fc7374dcdc055c8b5a895a66c072aa0c35f13112a7b038
Instruction ID: b9f25b53c3a406ba4dc3f81f3d4cd6468b7fe7525cad29fc3a0893b470309144
Opcode Fuzzy Hash: 8ee78f4230269b9d28fc7374dcdc055c8b5a895a66c072aa0c35f13112a7b038
Instruction Fuzzy Hash: 5490027225540403D340715C4404746500597D1301F55C021A5064564EC7598FD56766

Function 01702E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702E8A

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ce70a7ff661a29ef1bb2029b0acfb67e10032779708aef15e5e5b9a702a2cc82
Instruction ID: 1decb71bc1bdf632251ba2c54fb82f22cb2f51c71c1dbb8add2893da12c69c7e
Opcode Fuzzy Hash: ce70a7ff661a29ef1bb2029b0acfb67e10032779708aef15e5e5b9a702a2cc82
Instruction Fuzzy Hash: 2790022265540503D301715C4404616500A97D1241F95C032A1024565ECB258B92A232

Function 0041A5F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A61D

Strings

&EA, xrefs: 0041A612, 0041A61C

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 65e1271fa0e6f293e5ca7d904ec396d69fb6d51de338ced040ab1bfa87458b74
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 1DE012B2200208ABDB14EF99DC41EA777ADAF88668F118559BA085B242C630F9118AB0

Function 00408393 Relevance: 1.7, APIs: 1, Instructions: 179
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 6510bad542e569eb83e13c0d7b9af0b646b64ee4fb77eb3f3de6adfb80fb1d36
Instruction ID: 6b7f8bb14e47255658c7646da0852285353572bc77bf5488c402d48e05627252
Opcode Fuzzy Hash: 6510bad542e569eb83e13c0d7b9af0b646b64ee4fb77eb3f3de6adfb80fb1d36
Instruction Fuzzy Hash: C861D6B0900309AFDB24DF64DD85FEB77E8EB48704F10056EF949A7281EB746941CBA9

Function 00408308 Relevance: 1.6, APIs: 1, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ac2face3a80b81d0fee9304aa7ab5d06d5dde750405c7724cc7e28b99046a3a9
Instruction ID: 716281bf38cec500bb380add113fdd5c594de8bf11c5bee183275e975ed6f696
Opcode Fuzzy Hash: ac2face3a80b81d0fee9304aa7ab5d06d5dde750405c7724cc7e28b99046a3a9
Instruction Fuzzy Hash: F801FC71A8031876EB20A6918D43FFF672C6B41F54F05412EFF04BA1C1D6F8690546F9

Function 0041A662 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: dd6e3777131719cca2a418aa5b3391d70880d811ba777f66e6b8170cca4d0c63
Instruction ID: a69ed1b6dd219986bfb2f5c6a45b3a104f2452afec348c127e88c009e551c76d
Opcode Fuzzy Hash: dd6e3777131719cca2a418aa5b3391d70880d811ba777f66e6b8170cca4d0c63
Instruction Fuzzy Hash: 791103B2201108AFDB14DF98CC85EEB77A9AF8C354F158249BA4DA7241C630E951CBA4

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
Instruction ID: a0f03ca10d03d1d5c38d3c187be8154ddc7636efa3ebbcfd239e67dddfad06e3
Opcode Fuzzy Hash: 6793861beeebbadff428f1e0055fcae04fb265a346085d9c044c4ec0df2940a0
Instruction Fuzzy Hash: B4018471A8032877E720A6959C43FFE776C6B40B54F05012AFF04BA1C1E6A8690546EA

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 93036d1b31c8ba6342ae8de3f2893f5930aff37f33252288d1eb8296453bc5b5
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: FF015EB5E0020DABDB10EBA1DC42FDEB3789F14308F0041AAE908A7281F634EB54CB95

Function 0041A623 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c9cede1a70ae172bd288e0e8bf369d21c6bb8e95861d8ebee86d7ece50247bb9
Instruction ID: 126ce3dd669e9c185ab9911fa29305926a5e12aa467f4e619f6b7b26b7caea20
Opcode Fuzzy Hash: c9cede1a70ae172bd288e0e8bf369d21c6bb8e95861d8ebee86d7ece50247bb9
Instruction Fuzzy Hash: 48F0E575200204AFD714DFA4EC45ED737A8FF44360F11465AF81857392C271EA05CFA0

Function 0041A630 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A65D

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: a31e03847b69acb9206512889bce5d114748d47cfafea9ced6338f279cce3475
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 64E04FB12002046BD714DF59DC45EE777ADEF88754F014559FD0857241C630F910CAF0

Function 0041A790 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7C0

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b8658252b81b08ed33e4a874e4d8f80b0614426e32f2ee3a7d9107b08e04f012
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 9EE01AB12002086BDB10DF49DC85EE737ADAF88654F018155BA0857241C934E8118BF5

Function 0041A670 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A698

Memory Dump Source

Source File: 0000000F.00000002.2134804513.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 94fb8da58e6992106aa2b0ab061ea4c6965e877b66759b154152d16d38dd5c99
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: B9D017726002187BD620EB99DC85FD777ACDF487A4F0180AABA1C6B242C531FA108AE1

Function 01702C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01702C24

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6eb89dcf897c22b7cd4b6cb7a7127af612bcb8998379ad6e66150812ca2be422
Instruction ID: dfc15c05df4d4070d86287a06ab2f98d55d2f4987570a5b24f5a7e673a8a476c
Opcode Fuzzy Hash: 6eb89dcf897c22b7cd4b6cb7a7127af612bcb8998379ad6e66150812ca2be422
Instruction Fuzzy Hash: 45B09B739455C5C6DB12E764460C717B94077D1701F15C075D2030695F8738C1D1E276

Non-executed Functions

Function 01702890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0170293C
___swprintf_l.LIBCMT ref: 0170295E
___swprintf_l.LIBCMT ref: 017029A3
___swprintf_l.LIBCMT ref: 0173A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0173A527
:%u.%u.%u.%u, xrefs: 0173A5B8
::ffff:0:%u.%u.%u.%u, xrefs: 0173A54E
ffff:, xrefs: 0173A504

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 955f6f1da59346620ae9d447e845d6b79abd195be36d5ff6ff33e631b4e8c4fc
Instruction ID: 6874d62ddd5ce998ebf621626c1bd5d31f1485d1a08a5b6ff9dbb5b86028968b
Opcode Fuzzy Hash: 955f6f1da59346620ae9d447e845d6b79abd195be36d5ff6ff33e631b4e8c4fc
Instruction Fuzzy Hash: 0251D6B6A00216BFCB12DBAC889497EFBF8BB482407148269F595D7686D734DE4087A0

Function 01772410 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 189COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 017724A6
___swprintf_l.LIBCMT ref: 017724E2
___swprintf_l.LIBCMT ref: 0177257D
___swprintf_l.LIBCMT ref: 017725A3
___swprintf_l.LIBCMT ref: 017725C8
___swprintf_l.LIBCMT ref: 01772608

Strings

::ffff:0:%u.%u.%u.%u, xrefs: 017724DA
::%hs%u.%u.%u.%u, xrefs: 0177249E
ffff:, xrefs: 0177247D, 0177249D
:%u.%u.%u.%u, xrefs: 017725FF

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: 19bd2b6a46e5a1fddc99faef9c3577b1a06abce78152c2b75e0dc13df9d5ada0
Instruction ID: 150b02da3da82f2b82a0dd6b01c645f2d848e7ebf7b02fe43275c02282b14c90
Opcode Fuzzy Hash: 19bd2b6a46e5a1fddc99faef9c3577b1a06abce78152c2b75e0dc13df9d5ada0
Instruction Fuzzy Hash: AD51C475B00645AEDF30DE5CCC9097EFBB9AB44200F1488A9F5A6D7646EA74EE408760

Function 016F7630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01734742
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01734725
Execute=1, xrefs: 01734713
ExecuteOptions, xrefs: 017346A0
CLIENT(ntdll): Processing section info %ws..., xrefs: 01734787
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 017346FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01734655

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: 2e5850394bbbab5c25150e90dbd98dee192f7c674b622cdeca6a657acafb8bce
Instruction ID: ac56f901d319606220db6d082155a99ca93998af69881b5b11a7a97336148deb
Opcode Fuzzy Hash: 2e5850394bbbab5c25150e90dbd98dee192f7c674b622cdeca6a657acafb8bce
Instruction Fuzzy Hash: D1510A31600229ABEF11ABA9DC89FBDB7A8EF59301F04009DD706A72D1E7719E458F50

Function 01796940 Relevance: 9.4, APIs: 6, Instructions: 416COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction ID: c29bcbe0718652c6e5ac80aa970863b7a729cd1a9d5bf21eb33232c2b4d57f8f
Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
Instruction Fuzzy Hash: 0A021571508342AFDB09CF18D494A6BFBE5FFC8700F148A2DB9995B264DB31E949CB42

Function 0170B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0170B6BF

Strings

+, xrefs: 0170B65A
0, xrefs: 0170B695
-, xrefs: 0170B650
0, xrefs: 0170B66F

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: c5f609524d5e498246a13f15ffc72ef49d589222d33b9f8983ad9fdca10618ba
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: E181BF78E45349CEEF2A8E6CC8907BEFBF1AF85320F18455AD861A72D1C7309B408B51

Function 017720E0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0177214F
___swprintf_l.LIBCMT ref: 01772172

Strings

[, xrefs: 0177212B
%%%u, xrefs: 01772146
]:%u, xrefs: 01772169

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$[$]:%u
API String ID: 48624451-2819853543
Opcode ID: 19e8d5b0035e121cfdaebfa8aed0d65bafa506f3881f034882b0716a4b6419be
Instruction ID: 473af2c7c57747b052bfdb9703f5bdc90c15e39f11b6412adcbea89fb2708da8
Opcode Fuzzy Hash: 19e8d5b0035e121cfdaebfa8aed0d65bafa506f3881f034882b0716a4b6419be
Instruction Fuzzy Hash: 3A21B27AA00219ABDB11DF79DC44AFEFBF9FF54640F040126EA55E3245E730DA018BA0

Function 016EF5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 0173031E
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 017302E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 017302BD

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: c4a59b6437c5e4f2b1c2909e73c7e556da1c0ab23fcd6b9f0f7231fb3f13a26e
Instruction ID: a852074abdf8ffe8f14eaaebff7a0e38b7772d0f34e8c9ad57c8e443e950b85a
Opcode Fuzzy Hash: c4a59b6437c5e4f2b1c2909e73c7e556da1c0ab23fcd6b9f0f7231fb3f13a26e
Instruction Fuzzy Hash: 98E1BE71609741DFEB25CF28C888B2ABBE0BB84314F140AADF5A58B3D2D775D945CB42

Function 016FBED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Re-Waiting, xrefs: 01737BAC
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01737B7F
RTL: Resource at %p, xrefs: 01737B8E

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: 8fbab266f5b8db24f684fdefdfa4d1c88ec998851670641924f570898246d96f
Instruction ID: 819643b69559d5590baea031d3a9404e2c489cbf2cd211e265e0f87c5df52929
Opcode Fuzzy Hash: 8fbab266f5b8db24f684fdefdfa4d1c88ec998851670641924f570898246d96f
Instruction Fuzzy Hash: 5041E0757057029FD725CE2DCC40B6AB7E5EF89720F000A2DFA5A9B781DB31E8058B91

Function 016FB4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0173728C

Strings

RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01737294
RTL: Re-Waiting, xrefs: 017372C1
RTL: Resource at %p, xrefs: 017372A3

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: 50bc2dd5042359406d4b78c83f01758878650ace5c014d45087f56d28e08d959
Instruction ID: ccf52d0a4e73937e22cdafc7c1b2da4588c7973885c981dc3e3b4b4b1cc261ce
Opcode Fuzzy Hash: 50bc2dd5042359406d4b78c83f01758878650ace5c014d45087f56d28e08d959
Instruction Fuzzy Hash: D0410072709202ABD725CE29CC41F6AF7B5FF94710F10061DFA55AB281DB31E8428BD1

Function 01772300 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0177238D
___swprintf_l.LIBCMT ref: 017723B3

Strings

]:%u, xrefs: 017723AA
%%%u, xrefs: 01772384

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: %%%u$]:%u
API String ID: 48624451-3050659472
Opcode ID: 933612243e7b11f7edb8dd297be237ec9f617b8f7a411d644c0d6d571654d073
Instruction ID: 6d22ab17c36a3d28d673b65f9dd0d7160203964a9768f16a98efe98034aa5ae0
Opcode Fuzzy Hash: 933612243e7b11f7edb8dd297be237ec9f617b8f7a411d644c0d6d571654d073
Instruction Fuzzy Hash: 55319372A00219AFDF20DF2DCC44BEEF7F8EF44610F55455AE959E3245EB30AA448BA0

Function 01707D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01707E8B

Strings

+, xrefs: 01707DE8
-, xrefs: 01707DDD

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: 92b71c898f17da89726addf7c14ccb59ba85954e1ead106bc8604a7326433081
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 60919071E00316DAEB2ADF6DC881ABEFBE5AF44320F54451EE995A72C4D630BD818B11

Function 016C9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

$, xrefs: 016C9191
@, xrefs: 016C9175

Memory Dump Source

Source File: 0000000F.00000002.2136029769.0000000001690000.00000040.00001000.00020000.00000000.sdmp, Offset: 01690000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_1690000_MSBuild.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 72c6f29c4ad3643ef488bf497312b91d94dec1e4d7810e389c0dc1ef28023bdd
Instruction ID: 72ad9e140748aef742ada4f952e076c689b7f664231b5fb6b5a51e03885ddd43
Opcode Fuzzy Hash: 72c6f29c4ad3643ef488bf497312b91d94dec1e4d7810e389c0dc1ef28023bdd
Instruction Fuzzy Hash: 59812C72D002699BDB31CB54CC45BEEBBB4AF48714F0041DAEA19B7640D7709E85CFA4

Analysis Process: systray.exePID: 2272, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	0%
Total number of Nodes:	625
Total number of Limit Nodes:	81

Executed Functions

Function 045FA036 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 481
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 045FA19F

Strings

0, xrefs: 045FA227

Memory Dump Source

Source File: 00000010.00000002.4521677791.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_45f0000_systray.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction ID: 33ae886027e849364dda5a9edb1d3222dd10799f3d62a2b0bbe5bf63e26d8c23
Opcode Fuzzy Hash: 7bc916a415ef614ffafa7f75d0ec115445e44d1b24a8fe03bb76e065ae57333e
Instruction Fuzzy Hash: F7F15E70918A8D8FDBA5EF68CC94AEEB7E0FB98304F40462AD54EC7250DF30A545DB42

Function 045F9BB2 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL ref: 045F9C93
NtMapViewOfSection.NTDLL ref: 045F9CFF

Strings

@, xrefs: 045F9D0C
@, xrefs: 045F9C8B

Memory Dump Source

Source File: 00000010.00000002.4521677791.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_45f0000_systray.jbxd

Similarity

API ID: Section$CreateView
String ID: @$@
API String ID: 1585966358-149943524
Opcode ID: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction ID: 707265f9978be459294db1c80c73bab486fdc349b903c6fb284ddf227229a3d3
Opcode Fuzzy Hash: d19581801156352ea8c1368f03ac477e7143ca4b49b2be0ea58d8e64d299f740
Instruction Fuzzy Hash: 965170B0618B098FD758DF18D8956AABBE0FF88314F50062EE58EC3651DF35E441CB86

Function 045FA042 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL ref: 045FA19F

Strings

0, xrefs: 045FA0CD

Memory Dump Source

Source File: 00000010.00000002.4521677791.00000000045F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_45f0000_systray.jbxd

Similarity

API ID: InformationProcessQuery
String ID: 0
API String ID: 1778838933-4108050209
Opcode ID: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction ID: 0faabf85e83762374e49dad7dc729517873c666bc2e986726fb2136fc6a69d66
Opcode Fuzzy Hash: 4a13b2017a61ababd9bba988d9a9b5b8b8f576b3da72e298de5122239bed11ad
Instruction Fuzzy Hash: 73512B70914A8C8FDB69EF68C8946EEB7F4FB98304F40462AD54AD7210DF30A645DB42

Function 008CA31B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,008C4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,008C4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 008CA36D

Strings

.z`, xrefs: 008CA35D, 008CA368

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 2f80f5caa9f3d8108891b6fc9b28f8d424f244563abe564edb4ceac9657a8d92
Instruction ID: 301d2f0fa67d40ea9ccfb8dfb86cc800242327ab9be6102df4bd72dddf9a8ef0
Opcode Fuzzy Hash: 2f80f5caa9f3d8108891b6fc9b28f8d424f244563abe564edb4ceac9657a8d92
Instruction Fuzzy Hash: AA01B2B2210108AFCB08DF98DC85EEB77A9BF8C754F158248FA0DD7241C630E8118BA0

Function 008CA320 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,008C4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,008C4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 008CA36D

Strings

.z`, xrefs: 008CA35D, 008CA368

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 572ee3b85b173b4f0661fd9d77a885dc869bc72840bf84c6810d2eddc0d1eb95
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 0DF0B2B2210208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4

Function 008CA3D0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(008C4D62,5EB65239,FFFFFFFF,008C4A21,?,?,008C4D62,?,008C4A21,FFFFFFFF,5EB65239,008C4D62,?,00000000), ref: 008CA415

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: a91de42ccf7e940c8dacdb6faee0befc5433b15774e95c04e319b2da6be5f0c8
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 41F0A9B2210108ABCB14DF89DC81EEB77ADEF8C754F158248BA1D97241D630E8118BA1

Function 008CA500 Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,008B2D11,00002000,00003000,00000004), ref: 008CA539

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 7f35a2eded1413a74fb53248c16199b80810c2eee4e3d9fbf4cdeb469571ade6
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 27F015B2210208ABCB18DF89DC81EAB77ADEF88754F118248BE0897241C630F810CBA0

Function 008CA4FF Relevance: 1.5, APIs: 1, Instructions: 27memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,008B2D11,00002000,00003000,00000004), ref: 008CA539

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 37557fe2353b59e51411f2817f3e6e191abaa42c7772784f4064689e54665e97
Instruction ID: 132c345099ff94b1e58f0f49b15ff09164158d5a198c7e83f1d4938d8a35beb2
Opcode Fuzzy Hash: 37557fe2353b59e51411f2817f3e6e191abaa42c7772784f4064689e54665e97
Instruction Fuzzy Hash: 08F039B6214149ABCB18DF98EC84CA777A8FF88314B15865DF94997202C634E815CBA1

Function 008CA44B Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(008C4D40,?,?,008C4D40,00000000,FFFFFFFF), ref: 008CA475

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 43b5efe709a1404f5f45a57f1dd1a1a146ca18b9ccafd2fb1ad105db25ba55bf
Instruction ID: 0f6f654fef444dbef0b57c8e4e2f666586b95a5bb627cd494e0df4a09ca888ce
Opcode Fuzzy Hash: 43b5efe709a1404f5f45a57f1dd1a1a146ca18b9ccafd2fb1ad105db25ba55bf
Instruction Fuzzy Hash: FDE0C276200214ABD721EBA8DC44FD77B68EF44370F05469CB9989B282C630E600C7E0

Function 008CA450 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(008C4D40,?,?,008C4D40,00000000,FFFFFFFF), ref: 008CA475

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 39040953fe8bf6c5bfcb22960a609a4f7ae7d5ba4a279f6878978799288a9572
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: D0D01776200218ABD714EB98DC85FA77BACEF48764F154599BA189B242C930FA0086E1

Function 048C2CA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2CAA

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 938b276660738ddb9a189a64b8506fef6a648ebcdf31b8c4fa15dded292e21d9
Instruction ID: d5b96f0c02d213be763939eab8500157f726693cfd2998d477cbfc9b7b93ecac
Opcode Fuzzy Hash: 938b276660738ddb9a189a64b8506fef6a648ebcdf31b8c4fa15dded292e21d9
Instruction Fuzzy Hash: 6390023520241406F1007598540864601158BE0305F55D511A6129555EC665D9D56132

Function 048C2C60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2C6A

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 83bcc76116c067f0d93bba1d46bd79eca1ce5e4569c9c73ac35b01a140e721f8
Instruction ID: f3eaa8181c3fd58534cc2cd2021d4d4f48ea28786b394ba71ece179dd6a200d0
Opcode Fuzzy Hash: 83bcc76116c067f0d93bba1d46bd79eca1ce5e4569c9c73ac35b01a140e721f8
Instruction Fuzzy Hash: 2390023520241846F10071584404B4601158BE0305F55C516A1229654D8615D9957522

Function 048C2C70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2C7A

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de0b2a3baa165bd381e4d464c0491e8a83b4a62d71e6ea8b006c0be1d31ee8fa
Instruction ID: 42733fc250c9602250939d78447b8f5f9a541ab29016955d8b010334ddcd0d0d
Opcode Fuzzy Hash: de0b2a3baa165bd381e4d464c0491e8a83b4a62d71e6ea8b006c0be1d31ee8fa
Instruction Fuzzy Hash: F890023520249806F1107158840474A01158BD0305F59C911A5529658D8695D9D57122

Function 048C2DD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2DDA

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5147b8cf0b2334579114688ef2e0744c31052760b7dc2baf045815813175e839
Instruction ID: 8361c8cb372c5faf517a5614863b70ac8f8efb7866d731f5b6105f58859832f4
Opcode Fuzzy Hash: 5147b8cf0b2334579114688ef2e0744c31052760b7dc2baf045815813175e839
Instruction Fuzzy Hash: 69900225243451567545B158440450741169BE0245795C512A2519950C8526E99AD622

Function 048C2DF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2DFA

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1ab36b9b1722ec2da1d80574566ba511967e420528651bd7ec5312d72589c96
Instruction ID: f48ee5d14c6de728ff7a35817066dff2a0010aa9da58750b2f54f17704437562
Opcode Fuzzy Hash: e1ab36b9b1722ec2da1d80574566ba511967e420528651bd7ec5312d72589c96
Instruction Fuzzy Hash: F490023520241417F1117158450470701198BD0245F95C912A1529558D9656DA96A122

Function 048C2D10 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2D1A

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9cfd510c071ac9faf3a0a49e7cc791315e827f02265dcf9d9d962f26e3d6b411
Instruction ID: 62d589d46b73cb14bb8f72de3ae07318d3f53853e34ce27b9f44d99dccb37030
Opcode Fuzzy Hash: 9cfd510c071ac9faf3a0a49e7cc791315e827f02265dcf9d9d962f26e3d6b411
Instruction Fuzzy Hash: 1490022D21341006F1807158540860A01158BD1206F95D915A111A558CC915D9AD5322

Function 048C2EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2EAA

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb2fc1ce5450d865ba68121d163f6b046da8734c4800ded821f835157966d0c0
Instruction ID: 1192684e2fb5cfe64c677aed988832bda43fadbe53777302711a3f050372aa12
Opcode Fuzzy Hash: cb2fc1ce5450d865ba68121d163f6b046da8734c4800ded821f835157966d0c0
Instruction Fuzzy Hash: AA90027520241406F1407158440474601158BD0305F55C511A6169554E8659DED96666

Function 048C2FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2FEA

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c79c7735682f562a5ca7fb6761eeb6d2dcc72fc657ade4004cbf4681b1115e5f
Instruction ID: bc70aa3c6991262369418a96f0bb450a3e478e71040a27031acf7b2d5e9eca31
Opcode Fuzzy Hash: c79c7735682f562a5ca7fb6761eeb6d2dcc72fc657ade4004cbf4681b1115e5f
Instruction Fuzzy Hash: E1900225212C1046F20075684C14B0701158BD0307F55C615A1259554CC915D9A55522

Function 048C2F30 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2F3A

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c9226359fe54e6219b788eb4d90a65a506401801bb34408b9adf11c69d6e0644
Instruction ID: 78e74b578cd5779fc6b1aebba17cd4604dd39279906cfd487155dc474356866a
Opcode Fuzzy Hash: c9226359fe54e6219b788eb4d90a65a506401801bb34408b9adf11c69d6e0644
Instruction Fuzzy Hash: F990026534241446F10071584414B060115CBE1305F55C515E2169554D8619DD966127

Function 048C2AD0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2ADA

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c34f1c3ee2fed31728eacbb08373cb9082c62116cd3477ffcf8b7a791a60a05
Instruction ID: 6212e4f62a961e0a42a246c44f8d11beacf3b783b5da3abd383846ecd88ea469
Opcode Fuzzy Hash: 7c34f1c3ee2fed31728eacbb08373cb9082c62116cd3477ffcf8b7a791a60a05
Instruction Fuzzy Hash: 98900229212410072105B558070450701568BD5355355C521F211A550CD621D9A55122

Function 048C2BE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2BEA

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 364ac2cea10cd833c6e690758abb0e1c8f81f7d6f434ac92670f8988ebdfd72f
Instruction ID: 0340f4ac0aad147c4fd9d5278b4a6600721a641aae3514ec10de2abc2ae401d1
Opcode Fuzzy Hash: 364ac2cea10cd833c6e690758abb0e1c8f81f7d6f434ac92670f8988ebdfd72f
Instruction Fuzzy Hash: 4A90023520645846F14071584404A4601258BD0309F55C511A1169694D9625DE99B662

Function 048C2BF0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2BFA

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25ce52d59ad0b0a8aef2274fdb8fa310db2f25f0d43c37084b69360d653d97a4
Instruction ID: 170f0701720591c643ef5c016a8302a8800fc284dd950022c9db091d4e538c62
Opcode Fuzzy Hash: 25ce52d59ad0b0a8aef2274fdb8fa310db2f25f0d43c37084b69360d653d97a4
Instruction Fuzzy Hash: C090023520241806F1807158440464A01158BD1305F95C515A112A654DCA15DB9D77A2

Function 048C2B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2B6A

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5f4f3ef8e6d7b10cc3a311755431017c56a388d2c2a64d7f571992bdf163c1c
Instruction ID: d7399a82b47a5b5cc70948eb1a7d5c434496d813cd35a7441c750caeafd48101
Opcode Fuzzy Hash: e5f4f3ef8e6d7b10cc3a311755431017c56a388d2c2a64d7f571992bdf163c1c
Instruction Fuzzy Hash: 9590026520341007610571584414616411A8BE0205B55C521E2119590DC525D9D56126

Function 048C35C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C35CA

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 97dd95e60a99a79f25f8cab2209779bcc3d2b2d288e357bb8f97f4b6d3d20669
Instruction ID: 7feeccf3c5fd32ff3719cfbcd07e506eb6177d7191d69fefd5f80f4b1a95743c
Opcode Fuzzy Hash: 97dd95e60a99a79f25f8cab2209779bcc3d2b2d288e357bb8f97f4b6d3d20669
Instruction Fuzzy Hash: 5E90023560651406F1007158451470611158BD0205F65C911A1529568D8795DA9565A3

Function 008C9040 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 008C90E8

Strings

net.dll, xrefs: 008C90B1, 008C9137, 008C910F, 008C911B, 008C9143
wininet.dll, xrefs: 008C909E, 008C90A7

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 6e25cc11c298e0c6e33d58b4d7554b274f23ce584901056816f50eaa88125858
Instruction ID: 543d80a452680acabd8b766cdb06e076d01516cf95cedc91a71037b12116aa30
Opcode Fuzzy Hash: 6e25cc11c298e0c6e33d58b4d7554b274f23ce584901056816f50eaa88125858
Instruction Fuzzy Hash: EC31C1B2500745BBC724DF68C88AF67B7B8FB48B00F00801DF66A9B245DA34F510CBA9

Function 008C9036 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 82
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 008C90E8

Strings

net.dll, xrefs: 008C90B1, 008C910F, 008C911B
wininet.dll, xrefs: 008C909E, 008C90A7

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 60e30ab705b3ff596dcc6e11902470d4bf408ce709d8cd191e09c345516d2d13
Instruction ID: 45637507a0462c76f39328b053edf6f991df720a964cb6b1bddbcc6f5cf762e1
Opcode Fuzzy Hash: 60e30ab705b3ff596dcc6e11902470d4bf408ce709d8cd191e09c345516d2d13
Instruction Fuzzy Hash: 2421F2B2500745BBC724DF68C88AFA7B7B8FB48B00F00805DF659AB245D674E550CBA5

Function 008CA623 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,008B3AF8), ref: 008CA65D

Strings

.z`, xrefs: 008CA64C, 008CA658

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 1f6b426db6c1ac10e604e0f4f3919ceb2500cb049f157a7d30d5f3324e47cdda
Instruction ID: e0895c2c1a9a65c950bcb72e58cc5cf72aa616c46d99ec4fbe6ba3c3e5b8ce1a
Opcode Fuzzy Hash: 1f6b426db6c1ac10e604e0f4f3919ceb2500cb049f157a7d30d5f3324e47cdda
Instruction Fuzzy Hash: 4BF0E575200204AFD714DFA8EC45ED737A8FF44350F114659F81897392C271EA05CFA0

Function 008CA630 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,008B3AF8), ref: 008CA65D

Strings

.z`, xrefs: 008CA64C, 008CA658

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 350c05002ca440412659213a18cc1a04dc023e76cc481d15055a584d020a4b35
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 4FE04FB12102086BD718DF59DC45EA777ACEF88754F014558FD0857241C630F910CAF1

Function 008B8393 Relevance: 3.2, APIs: 2, Instructions: 179
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008B836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008B838B

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b079938b09286abe5aff7b0c92db0b7e1f6f5a5aa04b53ee339adbd8fed7b4d4
Instruction ID: ae3f11049f27b662eab34f11ddde4ad40612b7db6889e37c108bc878665ca24c
Opcode Fuzzy Hash: b079938b09286abe5aff7b0c92db0b7e1f6f5a5aa04b53ee339adbd8fed7b4d4
Instruction Fuzzy Hash: B9615BB1900209AFDB24DF68D886BEB77BCFB48704F10456DF949D7341DA70AA41CBA6

Function 008B8308 Relevance: 3.1, APIs: 2, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008B836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008B838B

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f37a90ff6fd6125fd02d1551306ff9cb4d2266bbd4c4288f79e932340fc986c4
Instruction ID: 796dc628a7cfbd1864dd4b5bc4d43618fbe119b9794dc3bbebf4af4fb38615ea
Opcode Fuzzy Hash: f37a90ff6fd6125fd02d1551306ff9cb4d2266bbd4c4288f79e932340fc986c4
Instruction Fuzzy Hash: 1C01FC71A4021876EB24A6D48D43FFE676CFB40F50F054118FB04FA2C2D6A4690547F7

Function 008B8310 Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008B836A
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008B838B

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
Instruction ID: 764926b7ec6d2ce65a35ec5ff25d0c7ecdd4862edb62f2a79ce114ff884f84cf
Opcode Fuzzy Hash: f2c01e1818d052739ee633fa7746fb4f3ba52e36b8bad28e88873d1147d52be0
Instruction Fuzzy Hash: D4018431A8022877E724A6989C03FFE776CBB40F50F050118FB04FA2C2E6A4690647F7

Function 008CA662 Relevance: 1.6, APIs: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 008CA6F4

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: db99a69145e08b2666b9218f3fb975d36b5acb01ddb34801670b2848c0242f31
Instruction ID: 120565790b267b62db6ff0596c7737dbe1f7d5ee8b682dbccafebf3281f66436
Opcode Fuzzy Hash: db99a69145e08b2666b9218f3fb975d36b5acb01ddb34801670b2848c0242f31
Instruction Fuzzy Hash: 2811F2B2210108AFDB18DF98DC85EEB77A9EF8C354F158259FA0DA7241C630E9118BA1

Function 008BACE0 Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 008BAD52

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction ID: 8cdc433f9b958f22e68fc4d66c4be888e2c50e16e5335afb47aaa4fce45b32fc
Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
Instruction Fuzzy Hash: A9011EB5D0020DABDB14EBA4DC42FDDB378EB54308F1445A9E909D7241F671EB58CB92

Function 008CA69D Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 008CA6F4

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: b3b597229b8d92792ea137d3ff56284b9b06a5429be170f16656211bd8c45834
Instruction ID: e7446bd55f7e96e04181db8bcfd8a04b8f4d1ca2cb2015015247c0adcbee134a
Opcode Fuzzy Hash: b3b597229b8d92792ea137d3ff56284b9b06a5429be170f16656211bd8c45834
Instruction Fuzzy Hash: 1A01AFB2210108BFCB58DF89DC81EEB77ADAF8C754F158258BA0DA7241C630E851CBA5

Function 008CA6A0 Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 008CA6F4

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: cdfd0dc4b23607d2c1f900d100479e8c1dc34290640b8f0d1a1f04a713ea10f3
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: F701AFB2210108ABCB58DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA5

Function 008C9170 Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,008BF040,?,?,00000000), ref: 008C91AC

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: ef03dda2e7c4748bdfb854a49f17f27151344c06790c02711def29353c22eb8a
Instruction ID: 5508429809e5227d01ffb02528d0c79874440506dd7dc3f5cf9939f321674212
Opcode Fuzzy Hash: ef03dda2e7c4748bdfb854a49f17f27151344c06790c02711def29353c22eb8a
Instruction Fuzzy Hash: B7E06D733802043AE220659DAC03FA7B3ADEB91B30F19002AFB4DEB2C1D5A5F80142A5

Function 008C9164 Relevance: 1.5, APIs: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,008BF040,?,?,00000000), ref: 008C91AC

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 41e169384dc3a1e7f4befc5af066a34ad597185c29f7abeb4f1f956eba7bb542
Instruction ID: 7673fda6263795dde956d27d37cb19a660e77840cb40e164e979ab2934847331
Opcode Fuzzy Hash: 41e169384dc3a1e7f4befc5af066a34ad597185c29f7abeb4f1f956eba7bb542
Instruction Fuzzy Hash: BEF0E5366843003AE320655C9C03FE737A9DB91B20F24002AFB49EB2C2D5A5F80182A5

Function 008CA5F0 Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(008C4526,?,008C4C9F,008C4C9F,?,008C4526,?,?,?,?,?,00000000,00000000,?), ref: 008CA61D

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: b7f68373ffc048fbd5c2661ff0a7ab34a52c5c0795d7525fd0a77ea89467dc77
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: D4E01AB1210208ABD714DF59DC41EA777ACEF88654F114558BA085B241C530F9108AB1

Function 008CA790 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,008BF1C2,008BF1C2,?,00000000,?,?), ref: 008CA7C0

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: fc2c95a38e721649fcbc84a586b0b06ba83fc102c67501719ed3b1ba665c011a
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 48E01AB12002086BDB14DF49DC85EE737ADEF88654F018158BA0857241C930E8108BF5

Function 008BF6C0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,008B8D14,?), ref: 008BF6EB

Memory Dump Source

Source File: 00000010.00000002.4520816496.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_8b0000_systray.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction ID: 786aca16fc24ddda2de0cfdcd5bd2fb1ac5570418821224ff226f7fa28312690
Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
Instruction Fuzzy Hash: 09D05E726503042BEA10BAA89C03F663398AB55B10F490074FA48D73C3D964E4004565

Function 048C2C0A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048C2C24

Memory Dump Source

Source File: 00000010.00000002.4521860378.0000000004850000.00000040.00001000.00020000.00000000.sdmp, Offset: 04850000, based on PE: true

Associated: 00000010.00000002.4521860378.0000000004979000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.000000000497D000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000010.00000002.4521860378.00000000049EE000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_4850000_systray.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3793aab6cfec5df40058fb3c456537cacd0168ee9f483d538e8b203fa757d494
Instruction ID: 124d4d4f2c544f14e7bc49a7e7e1b0e377b8314701bcbc838e796d7a7bfe6089
Opcode Fuzzy Hash: 3793aab6cfec5df40058fb3c456537cacd0168ee9f483d538e8b203fa757d494
Instruction Fuzzy Hash: F4B09B75D025D5C9FB11F76046087177A106BD0705F15C565D3134645E4738D1D5E176

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Receipt.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Receipt.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xnnxAkrxh.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1j21oyo0.dkf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2vmk3dhn.gku.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ikplznr0.pdh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_javjnqpk.nnt.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jvvo4gcn.bdj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ltq14tk4.eeu.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m4lu2k10.121.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mftjzgvy.aqw.ps1

C:\Users\user\AppData\Local\Temp\tmpC62F.tmp

Windows Analysis Report
Payment Receipt.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre